If SFTP sessions auditing is enabled and users transfer large files in a short period of time the disk can fill before Archive/Disk Cleanup processes can run.
The SFTP session audit files can be confirmed to be the culprit by running the following command from the boot shell:
du -h --threshold=1G --exclude=/proc --exclude=/sys / >/root/du.txt
This command will save a text file containing a list of folders larger than 1 GB, like below:
Line 1: 66G /mnt/drbd/private/data/audit/16152245315f59304e41234/8e
Line 2: 65G /mnt/drbd/private/data/audit/16152245315f59304e41234/13
Line 3: 48G /mnt/drbd/private/data/audit/16152245315f59304e41234/6f
Line 4: 86G /mnt/drbd/private/data/audit/16152245315f59304e41234/69
The above folders will contain .zat audit trail files that contain the large SFTP transferred files.
This can be confirmed by navigating to one of those folders which will contain a file named like below:
audit-scb_ssh-1234733520-1.zat
The above filename can be used within the sessions Search interface to find the exact session it belongs to.
Disable 'Record audit trail' for the Session SFTP channel policy being used, which can be found in the web interface | SSH Control | Channel Policies.
The above action will cause SPS to no longer save a copy of every file, but by following the below actions the file operations can be recorded to the Search page or system log.
To make the list of file operations available in the File operations column of the Search page, navigate to the Channel Policies page of the protocol, and enable the 'Log file transfers to database' option.
To send the file operations into the system log, enable the 'Log file transfers to syslog option'.
To remove the file and clear up space the setting 'Delete data from SPS after:' on the applicable Archive/Cleanup policy can be changed to a lower number such as 1 day and committed.
Then selecting the 'Archive/Cleanup' button found on the connection policy will start the process manually.
Please note if the files are very large it may take some time for it to complete and clear space.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 使用条款 隐私 Cookie Preference Center