Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

IDS 4235 disk out off space

Hello

Recently, I found that my IDS-4235 disk space is

100% usage (use show version command )

Why ?

I does not use the logging command

how do I erase unused file ?

13 REPLIES
New Member

Re: IDS 4235 disk out off space

Can you provide output of the "show version" command?

What is the current software level of this sensor? Can you give us a brief history of it (updates, up-time, etc.)?

New Member

Re: IDS 4235 disk out off space

HERE IS THE show ver command output

Application Partition:

Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47

OS Version 2.4.18-5smpbigphys

Platform: IDS-4235

Sensor up-time is 15:57.

Using 611442688 out of 921522176 bytes of available memory (66% usage)

Using 16G out of 15G bytes of available disk space (100% usage)

MainApp 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

AnalysisEngine 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

Authentication 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

Logger 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

NetworkAccess 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

TransactionSource 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

WebServer 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

unning

CLI 2003_Jun_20_06.00 (Release) 2003-06-20T05:53:31-0500

Upgrade History:

* IDS-K9-min-4.1-1-S47 10:55:41 UTC Thu Aug 07 2003

IDS-sig-4.1-1-S50.rpm.pkg 15:35:23 UTC Thu Aug 21 2003

New Member

Re: IDS 4235 disk out off space

I would like to see the output of a "show tech-support" command, but I'm afraid it won't get generated correctly since you have no free disk space.

Let's try this. If you don't have a "service" account, go ahead and create one. Login to the service account, and run the following command: /usr/cids/idsRoot/bin/cidDump /tmp/cidDump.html

This will create a debug log in the /tmp directory that we can look at to see where all your space is going. "/tmp" resides in a different partition than what shows up in the "show version" command, so hopefully there is plenty of room there to generate the debug file. Please send the cidDump output directly to me at: rwassom@cisco.com

Have you been doing anything on this system that might utilize additional disk space? Have any changes been made to the system using the "service" or "root" user accounts?

-Rusty

Cisco Employee

Re: IDS 4235 disk out off space

Have you been having any problems with your sensor other than the diskveing full? It is possible that you have accumulated a large number of core files. Can you check in your /usr/cids/idsRoot/core subdirectories and see if you have any files there. You can scp them off the box and then delete them if there are any there. If there are files let us know as we would like to look at them to see what is going on on your sensor.

New Member

Re: IDS 4235 disk out off space

Here is my sensor's /usr/cids/idsRoot/core directory

it appears a lot of files and directory

Can I delete them ??

bash-2.05a$ ls

-cidcli cidwebserver logApp nac sensorApp

authentication ctlTransSource mainApp sendCtlTrans

bash-2.05a$

Cisco Employee

Re: IDS 4235 disk out off space

Do not delete the directories (-cidcli, cidwebserver, logApp, nac, sensorApp, authentication, ctlTransSource, mainApp sendCtlTrans). If there are core files in any of these directories then copy them off of the sensor and send them to cisco and then delete the core files to make room on the sensor's disk.

After, this you should be able to run the dump utility.

New Member

Re: IDS 4235 disk out off space

Sorry ,there is no enough space

Can I just delete the files and directory in

/usr/cids/idsRoot/core ?

bash-2.05a$ ./cidDump /tmp/cidDump.html

./cidDump: /tmp/top.log: Permission denied

./cidDump: /tmp/mpstat.log: Permission denied

./cidDump: /tmp/vmstat.log: Permission denied

Generating report .......................................................

...........find: /lost+found: Permission denied

find: /proc/1/fd: Permission denied

find: /proc/2/fd: Permission denied

find: /proc/3/fd: Permission denied

find: /proc/4/fd: Permission denied

find: /proc/5/fd: Permission denied

find: /proc/6/fd: Permission denied

find: /proc/7/fd: Permission denied

find: /proc/8/fd: Permission denied

find: /proc/14/fd: Permission denied

find: /proc/15/fd: Permission denied

find: /proc/18/fd: Permission denied

find: /proc/130/fd: Permission denied

find: /proc/131/fd: Permission denied

find: /proc/432/fd: Permission denied

find: /proc/437/fd: Permission denied

find: /proc/1047/fd: Permission denied

find: /proc/1050/fd: Permission denied

find: /proc/1051/fd: Permission denied

find: /proc/1066/fd: Permission denied

find: /proc/1115/fd: Permission denied

find: /proc/1116/fd: Permission denied

find: /proc/1117/fd: Permission denied

find: /proc/1118/fd: Permission denied

find: /proc/1119/fd: Permission denied

find: /proc/1120/fd: Permission denied

find: /proc/1121/fd: Permission denied

find: /proc/1122/fd: Permission denied

find: /proc/1123/fd: Permission denied

find: /proc/1124/fd: Permission denied

find: /proc/1125/fd: Permission denied

find: /proc/1126/fd: Permission denied

find: /proc/1127/fd: Permission denied

find: /proc/1128/fd: Permission denied

find: /proc/1129/fd: Permission denied

find: /proc/1130/fd: Permission denied

find: /proc/1131/fd: Permission denied

find: /proc/1132/fd: Permission denied

find: /proc/1133/fd: Permission denied

find: /proc/1134/fd: Permission denied

find: /proc/1135/fd: Permission denied

find: /proc/1136/fd: Permission denied

find: /proc/1166/fd: Permission denied

find: /proc/1170/fd: Permission denied

find: /proc/1171/fd: Permission denied

find: /proc/1172/fd: Permission denied

find: /proc/1173/fd: Permission denied

find: /proc/1174/fd: Permission denied

find: /proc/1175/fd: Permission denied

find: /proc/1176/fd: Permission denied

find: /proc/1177/fd: Permission denied

find: /proc/1178/fd: Permission denied

find: /proc/1179/fd: Permission denied

find: /proc/1180/fd: Permission denied

find: /proc/1181/fd: Permission denied

find: /proc/1182/fd: Permission denied

find: /proc/1183/fd: Permission denied

find: /proc/1184/fd: Permission denied

find: /proc/1185/fd: Permission denied

find: /proc/1203/fd: Permission denied

find: /proc/1288/fd: Permission denied

find: /proc/1289/fd: Permission denied

find: /proc/1292/fd: Permission denied

find: /proc/13316/fd: Permission denied

find: /proc/13317/fd: Permission denied

find: /proc/14716/fd: Permission denied

find: /proc/14717/fd: Permission denied

find: /usr/cids/idsRoot/shared/lost+found: Permission denied

find: /usr/cids/idsRoot/var/lost+found: Permission denied

find: /usr/cids/.gnupg: Permission denied

find: /usr/cids/.ssh: Permission denied

find: /usr/share/ssl/CA: Permission denied

find: /var/spool/cron: Permission denied

find: /var/empty/sshd: Permission denied

find: /etc/default: Permission denied

find: /root: Permission denied

find: /home/cisco: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/kernel/abi: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/kernel/arch: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/kernel/drivers: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/kernel/fs: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/kernel/lib: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/kernel/net: Permission denied

find: /lib/modules/2.4.18-5smpbigphys/pcmcia: Permission denied

...cat: write error: No space left on device

cat: write error: No space left on device

Done

Cisco Employee

Re: IDS 4235 disk out off space

Find the most recent core of each type. Delete all the others and then copy the newest cores off the box to a location where we can scp or ftp them back to our engineers. If this is not possible then let us know. By removing the bulk of the files you will free up enough disk space that you should be back on-line. We really need those cores though to find out what is wrong with your system.

New Member

Re: IDS 4235 disk out off space

It seems nothing in the directory

bash-2.05a$ du -a

4 ./mainApp

4 ./logApp

4 ./ctlTransSource

4 ./nac

4 ./authentication

4 ./cidwebserver

4 ./sensorApp

4 ./-cidcli

4 ./sendCtlTrans

40 .

I will try the recovery command to the sensor

New Member

Re: IDS 4235 disk out off space

We would like to understand what happened on your appliance before you re-image if it's not too late. Would it be possible for us to get access to this appliance for troubleshooting purposes?

We understand if you need to get this system back up and running immediately and need to re-image. However, if you can give us access to the box for an hour or two, we may be able to determine the cause of your problem so it won't happen again.

You can contact us directly at:

rwassom@cisco.com -or- klwiley@cisco.com

-Rusty

Cisco Employee

Re: IDS 4235 disk out off space

Can you send us the output from:

cd /usr/cids/idsRoot/var

du -cks *

df -k

Thanks

New Member

Re: IDS 4235 disk out off space

HI,

I am having the same problem with disk usage. I just realized that one of our sensors wasn't sending any alarms, i found out the disk usage was 100% for the /usr/cids/idsRoot/var partition. Is there a set of files that need to be pruned of deleted as maintenance to keep this from happening?

Thanks,

Joel

Net. Security Analyst

New Member

Re: IDS 4235 disk out off space

Can you send us the output from a "du -a" on the "/usr/cids/idsRoot/var" directory? This will help us isolate where the disk usage is and determine a possible cause.

Based on previous feedback on this thread, I doubt we'll be able to get any output from a cidDump.

-Rusty

138
Views
0
Helpful
13
Replies
CreatePlease to create content