Back to All Scenarios
PASSEDnetwork / netflow_collector_disk_full
NetFlow Collector Disk Full — Flow Data Loss
The NetFlow collector server runs out of disk space, causing it to stop ingesting flow data from all network devices. Network visibility is lost, and security analytics based on flow data become non-functional.
Pattern
DISK_FULL
Severity
CRITICAL
Confidence
92%
Remediation
Remote Hands
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | DISK_FULL | DISK_FULL | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 21 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
NetFlow collector (SolarWinds NTA) on dedicated server. 2TB disk filled by unexpected flow volume from multicast flood. NetFlow ingestion stopped. 40 network devices sending flows to deaf collector. Security team loses network visibility.
Injected Error Messages (2)
NetFlow collector disk full — /var/netflow filesystem at 100% (2TB), disk space critical on NetFlow collector, no space left for new flow data ingestion, NetFlow receiver process dropping all incoming UDP 2055 packets, 40 network devices sending flows but collector discarding all data, network flow analytics: non-functional, disk filled by 10x normal flow volume from multicast event
SolarWinds NTA flow analysis unavailable — NetFlow data ingestion halted 3 hours ago due to disk full on collector server, SolarWinds NTA showing stale data (3 hours old), no new traffic analysis, bandwidth utilization, or top-talker reports available, security team lost flow-based threat detection capability, network forensics data gap: 3 hours and growing, compliance: network monitoring SLA violated
Neural Engine Root Cause Analysis
The NetFlow collector server has experienced a disk space exhaustion on the /var/netflow filesystem (100% of 2TB used), caused by an abnormal multicast event that generated 10x normal flow volume. This has caused the NetFlow receiver process to drop all incoming UDP packets on port 2055, resulting in complete loss of network flow analytics from 40 network devices. The 11 correlated incidents suggest this disk full condition is cascading to other monitoring systems or network visibility tools.
Remediation Plan
1. Immediately free disk space by removing oldest NetFlow data files or archiving to alternate storage. 2. Restart the NetFlow collector service to resume packet processing. 3. Implement emergency disk space monitoring with alerts at 80% capacity. 4. Investigate and mitigate the multicast event causing excessive flow generation. 5. Consider increasing disk capacity or implementing automated log rotation/archival. 6. Verify flow data ingestion resumes from all 40 network devices.
Tested: 2026-03-30Monitors: 2 | Incidents: 2Test ID: cmnckbfv7087tobqeux65104k