FortiSIEM
LennartElbers
Article Id 339301
Description

 

This article describes how to manage the large fsmopt.tar.gz file that appears in the root directory after a FortiSIEM migration. It explains how to relocate the file to avoid potential disk space issues.

 

Scope

 

FortiSIEM.

 

Solution

 

During FortiSIEM migration, the fsmopt.tar.gz file is generated as a backup in the root directory. This file can grow significantly, leading to potential disk space issues. Deleting this file is not recommended as it contains critical backup data from the migration. 

Before proceeding, it is advisable to take a snapshot of the system as a precautionary measure to safeguard data integrity.

 

  • To assess available disk space and determine if space is a concern, run the following command:


[root@fortisiem ~]# df -h

 

  • The output provides details of the file system usage, including available space:


Filesystem Size Used Avail Use% Mounted on
devtmpfs 16G 0 16G 0% /dev
tmpfs 16G 432K 16G 1% /dev/shm
tmpfs 16G 25M 16G 1% /run
tmpfs 16G 0 16G 0% /sys/fs/cgroup
/dev/mapper/cl-root 22G 18G 4.0G 82% /
/dev/sdf2 69G 12G 58G 17% /opt
/dev/sdd1 976M 736M 173M 81% /boot
/dev/sdb1 59G 7.3G 49G 13% /cmdb
/dev/sdc1 59G 53M 56G 1% /svn
1.1.1.1:/FortiSIEM 16T 5.7T 11T 36% /data
tmpfs 3.2G 0 3.2G 0% /run/user/500
tmpfs 3.2G 0 3.2G 0% /run/user/0

 

  • To determine if the fsmopt.tar.gz file is present and contributing to disk space usage, navigate to the root directory and list its contents:


[root@fortisiem /]# ls -al
[output omitted]
-rw-r--r-- 1 root root 2090509546 Sep 5 2024 fsmopt.tar.gz
[output omitted]

 

To prevent disk space issues, it is recommended to move the fsmopt.tar.gz file to a location with more available space, such as an offline backup or another directory. Below are the steps to safely relocate the file without losing access:

  1. Move fsmopt.tar.gz to a new directory with ample space, such as /data/cache/. Execute the following commands:


# cd /
# mv fsmopt.tar.gz /data/cache/

  2. (Optional) After moving the file, create a symbolic link in the original location, which maintains access to the file without occupying root directory space:


# ln -s /data/cache/fsmopt.tar.gz fsmopt.tar.gz

 

By following these steps, it should be possible to resolve large file issues after a FortiSIEM migration.
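
The relocation steps above can be wrapped in a script that also checks free space at the destination and confirms the copy is intact before the original is removed. This matters because / and /data are separate filesystems in the df output, so the move is really a copy followed by a delete. This is an added example, not part of the original article or Fortinet tooling; the function name relocate_backup is hypothetical and the script assumes bash with GNU coreutils (sha256sum):

```shell
# Added example (not from the article): copy, verify, then replace with a symlink.
# relocate_backup is a hypothetical helper name; both paths are arguments.
relocate_backup() {
    local src=$1 dest_dir=$2 dest need_kb avail_kb src_sum dest_sum

    # Act only on a regular file; an existing symlink means it was already moved.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "skip: $src is not a regular file" >&2
        return 1
    fi
    if [ ! -d "$dest_dir" ]; then
        echo "error: $dest_dir is not a directory" >&2
        return 1
    fi
    # Resolve to an absolute path so the symlink target stays valid.
    dest_dir=$(cd "$dest_dir" && pwd)
    dest="$dest_dir/$(basename "$src")"
    if [ -e "$dest" ]; then
        echo "error: $dest already exists" >&2
        return 1
    fi

    # Compare the file's size with free space on the destination (both in KiB).
    need_kb=$(du -k "$src" | awk '{print $1}')
    avail_kb=$(df -Pk "$dest_dir" | awk 'NR==2 {print $4}')
    if [ "$need_kb" -ge "$avail_kb" ]; then
        echo "error: not enough free space in $dest_dir" >&2
        return 1
    fi

    # Copy with mode, owner and timestamps preserved, then compare SHA-256 digests.
    cp -p "$src" "$dest" || return 1
    src_sum=$(sha256sum "$src" | awk '{print $1}')
    dest_sum=$(sha256sum "$dest" | awk '{print $1}')
    if [ "$src_sum" != "$dest_sum" ]; then
        echo "error: checksum mismatch, original left in place" >&2
        rm -f "$dest"
        return 1
    fi

    # Copy verified: remove the original and leave a symlink at the old path.
    rm -f "$src" && ln -s "$dest" "$src"
}
# Usage for the article's case: relocate_backup /fsmopt.tar.gz /data/cache
```

If any check fails, the original file is left untouched, so the function can be rerun after the cause is fixed.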