Archive Juniper STRM (IBM Qradar) Logs to remote server

Our Juniper STRM is running out of space after receiving more and more logs from Check Point management server and Juniper NSM. Since my STRM 500 only has about 400G storage capability and there is no other way to get budget to upgrade it to other expensive model, I decided to manually archive some older data out of this box. The steps are quite straightforward, just need to find out log folders and tar them , move them to remote ssh server.

1. Current Situation:

88% disk has been used and it is going to stop receiving the logs and flows from sources. Also reports will not be able to generated once the disk is reached certain level, about 92%.

[root@strm ~]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda2             20323232  14568560   4705628  76% /
/dev/sda3             10169544   1970636   7673988  21% /var/log
/dev/sda1               108865     30790     72454  30% /boot
tmpfs                  4091188         0   4091188   0% /dev/shm
/dev/sda8            424837936 362963724  31193700  92% /store
/dev/sda5             17263128    177164  16194896   2% /store/tmp

2. All log data are stored at /store/ariel/events folder:

Under /store/ariel/events folder, there are two sub directories payloads and records which stores all log data. The payloads is the raw data which is being sent to the STRM and the records are the normalized data which are stored onto the STRM after the parsing of the raw data.

[root@strm events]# ls -l
total 16
drwxr-xr-x 4 root   root   4096 Jan  1 00:01 md
drwxr-xr-x 4 root   root   4096 Jan  1 00:00 payloads
drwxr-xr-x 4 root   root   4096 Jan  1 00:00 records
drwxr-xr-x 4 nobody nobody 4096 Jan  2 01:04 uncompressedCache

In both of payloads and records folders, the logs are stored by years and months.
This is the folder size for each month of 2014 under payloads folder:

This is the folder size for each month of 2014 under records folder:

3.  Tar the folder which you want to archive and move to remote ssh storage server:

cd /store/ariel/events/payload/2014 
tar -zcvf /store/tmp/2014.1.payload.tar.gz 1 
cd /store/ariel/events/records/2014 
tar -zcvf /store/tmp/2014.1.records.tar.gz 1
du -hs 2014.1.*.tar.gz
watch du -hs 2014.1.*.tar.gz

4. SCP tar files to remote site

scp /store/tmp/2014.1.*.tar.gz [email protected]:/data/backup/juniper

5. Delete files and folders

rm -rf /store/tmp/2014.1.*.tar.gz
rm -rf /store/ariel/events/payloads/2014/1
rm -rf /store/ariel/events/records/2014/1

6.  Verify

[root@strm tmp]# df -k 
Filesystem           1K-blocks      Used Available Use% Mounted on 
/dev/sda2             20323232  14562300   4711888  76% / 
/dev/sda3             10169544   1999120   7645504  21% /var/log 
/dev/sda1               108865     30790     72454  30% /boot 
tmpfs                  4091188         0   4091188   0% /dev/shm 
/dev/sda8            424837936 329588056  73669368  82% /store 
/dev/sda5             17263128    658040  15714020   5% /store/tmp