Virtual Host Setup: Task 2. Review Optimal Datastore Space Configuration

Document created by RSA Information Design and Development Employee on Apr 10, 2019. Last modified by RSA Information Design and Development Employee on Jun 8, 2020.
Version 14

The following device names are commonly used when extending the file systems:

  • /dev/sdc for extending nwhome (/var/netwitness).
  • /dev/sdd for creating /var/netwitness/xxxxxx.
  • /dev/<> for creating /var/netwitness/xxxxxx/metadb.
  • /dev/<> for creating /var/netwitness/xxxxx/sessiondb.
  • /dev/sde for creating /var/netwitness/xxxxx/index.

Note: The number of /dev/<> devices varies with the retention days and the number of disks attached.

AdminServer

RSA recommends the following partition for the AdminServer (it can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                          Folder            Size   Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness/  2 TB   SSD

Attach an external disk to extend the /var/netwitness/ partition (refer to the steps for attaching the disk). Create the additional disk with the suffix nwhome.

Follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 2 TB disk.
  3. pvcreate <pv_name> (for example, pvcreate /dev/sdc when the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome
    or
    lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

ESAPrimary/ESASecondary/Malware

RSA recommends the following partition for ESAPrimary/ESASecondary/Malware (it can be changed based on the retention days).

LVM                          Folder            Size   Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness/  6 TB   HDD

Attach an external disk to extend the /var/netwitness/ partition. Create the external disk with the suffix nwhome.

Follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 6 TB disk.
  3. pvcreate <pv_name> (for example, pvcreate /dev/sdc when the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 5.9T /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

LogCollector

RSA recommends the following partition for the LogCollector (it can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                          Folder            Size    Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness/  500 GB  HDD

Attach an external disk to extend the /var/netwitness/ partition. Create the external disk with the suffix nwhome.

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 500 GB disk.
  3. pvcreate <pv_name> (for example, pvcreate /dev/sdc when the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 488G /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

LogDecoder

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Log Decoder

  Persistent Datastores
    PacketDB:   100% as calculated by the Sizing & Scoping Calculator

  Cache Datastores
    SessionDB:  1 GB per 1000 EPS of sustained traffic provides 8 hours of cache
    MetaDB:     20 GB per 1000 EPS of sustained traffic provides 8 hours of cache
    Index:      0.5 GB per 1000 EPS of sustained traffic provides 4 hours of cache

Extending File Systems

Follow the instructions below to extend the file systems.

Attach an external disk to extend the /var/netwitness/ partition and create the external disk with the suffix nwhome; attach further external disks for the LogDecoder database partitions. To extend the /var/netwitness partition, follow these steps:

Note: No other partition should reside on this volume; it is to be used only for /var/netwitness/.

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 2 TB disk.
  3. pvcreate <pv_name> (for example, pvcreate /dev/sdc when the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome
    or
    lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Other partitions are also required. Create the following partitions on the logdecodersmall volume group.

Folder                                LVM        Volume Group
/var/netwitness/logdecoder            decoroot   logdecodersmall
/var/netwitness/logdecoder/index      index      logdecodersmall
/var/netwitness/logdecoder/metadb     metadb     logdecodersmall
/var/netwitness/logdecoder/sessiondb  sessiondb  logdecodersmall

Follow these steps to create the partitions mentioned in the table above:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sdd
  3. vgcreate -s 32 logdecodersmall /dev/sdd
  4. lvcreate -L <disk_size> -n <lvm_name> logdecodersmall
  5. mkfs.xfs /dev/logdecodersmall/<lvm_name>
  6. Repeat steps 4 and 5 for all the LVMs listed in the table

The following partition should be on the logdecoder volume group.

Folder                               LVM       Volume Group
/var/netwitness/logdecoder/packetdb  packetdb  logdecoder

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 logdecoder /dev/sde
  4. lvcreate -L <disk_size> -n packetdb logdecoder
  5. mkfs.xfs /dev/logdecoder/packetdb

RSA recommends the following partition sizes for the LogDecoder (they can be changed based on the retention days). The minimum recommended space for /var/netwitness is 500 GB.

LVM                             Folder                                Size    Disk Type
/dev/netwitness_vg00/nwhome     /var/netwitness/                      1 TB    HDD
/dev/logdecodersmall/decoroot   /var/netwitness/logdecoder            10 GB   HDD
/dev/logdecodersmall/index      /var/netwitness/logdecoder/index      30 GB   HDD
/dev/logdecodersmall/metadb     /var/netwitness/logdecoder/metadb     3 TB    HDD
/dev/logdecodersmall/sessiondb  /var/netwitness/logdecoder/sessiondb  370 GB  HDD
/dev/logdecoder/packetdb        /var/netwitness/logdecoder/packetdb   18 TB   HDD

Create each directory and mount its LVM on it, one after the other; /var/netwitness already exists.

Note: Create the folder /var/netwitness/logdecoder and mount /dev/logdecodersmall/decoroot on it first, then create the other folders and mount them.

After that, add the following entries to /etc/fstab in the same order and mount them using mount -a.

/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2

/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2

/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2

/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2

/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2

Concentrator

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Concentrator

  Persistent Datastores
    MetaDB:     Calculated as 10% of the PacketDB required for a 1:1 retention ratio
    SessionDB:  30 GB per 1 TB of PacketDB for standard multi-protocol network deployments as seen at typical internet gateways

  Cache Datastores
    Index:      5% of the calculated MetaDB on the Concentrator. High-speed spindles or SSD preferred for fast access

Log Concentrator

  Persistent Datastores
    MetaDB:     Calculated as 100% of the PacketDB required for a 1:1 retention ratio
    SessionDB:  3 GB per 1000 EPS of sustained traffic per day of retention

  Cache Datastores
    Index:      5% of the calculated MetaDB on the Concentrator. High-speed spindles or SSD preferred for fast access

Extending File Systems

Attach an external disk to extend the /var/netwitness/ partition and create the external disk with the suffix nwhome; attach further external disks for the Concentrator database partitions.

To extend the /var/netwitness partition, follow these steps:

Note: No other partition should reside on this volume; it is to be used only for /var/netwitness/.

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 2 TB disk.
  3. pvcreate /dev/sdc (assuming the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome
    or
    lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following partitions are also required on the concentrator volume group.

Folder                                  LVM        Volume Group
/var/netwitness/concentrator            root       concentrator
/var/netwitness/concentrator/sessiondb  sessiondb  concentrator
/var/netwitness/concentrator/metadb     metadb     concentrator

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sdd
  3. vgcreate -s 32 concentrator /dev/sdd
  4. lvcreate -L <disk_size> -n <lvm_name> concentrator
  5. mkfs.xfs /dev/concentrator/<lvm_name>
  6. Repeat steps 4 and 5 for all the LVMs listed in the table

The following partition should be on the index volume group.

Folder                              LVM    Volume Group
/var/netwitness/concentrator/index  index  index

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 index /dev/sde
  4. lvcreate -L <disk_size> -n index index
  5. mkfs.xfs /dev/index/index

RSA recommends the following partition sizes for the Concentrator (they can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                          Folder                                  Size    Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness/                        1 TB    HDD
/dev/concentrator/root       /var/netwitness/concentrator            10 GB   HDD
/dev/concentrator/metadb     /var/netwitness/concentrator/metadb     3 TB    HDD
/dev/concentrator/sessiondb  /var/netwitness/concentrator/sessiondb  370 GB  HDD
/dev/index/index             /var/netwitness/concentrator/index      2 TB    SSD

Create each directory and mount its LVM on it, one after the other; /var/netwitness already exists.

Note: Create the folder /var/netwitness/concentrator and mount /dev/concentrator/root on it first, then create the other folders and mount them.

After that, add the following entries to /etc/fstab in the same order.

/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2

/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2

/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2

/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2

Archiver

The following partition is required on the archiver volume group.

Folder                    LVM       Volume Group
/var/netwitness/archiver  archiver  archiver

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 archiver /dev/sde
  4. lvcreate -L <disk_size> -n archiver archiver
  5. mkfs.xfs /dev/archiver/archiver

Attach an external disk to extend the /var/netwitness/ partition and create the external disk with the suffix nwhome; attach further external disks for the Archiver database partition.

To extend the /var/netwitness partition, follow these steps:

Note: No other partition should reside on this volume; it is to be used only for /var/netwitness.

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 2 TB disk.
  3. pvcreate /dev/sdc (assuming the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome
    or
    lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommends the following partition sizes for the Archiver (they can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                          Folder                    Size   Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness/          1 TB   HDD
/dev/archiver/archiver       /var/netwitness/archiver  4 TB   HDD

Create each directory and mount its LVM on it, one after the other; /var/netwitness already exists.

After that, add the following entry to /etc/fstab.

/dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2

Decoder

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Decoder

  Persistent Datastores
    PacketDB:   100% as calculated by the Sizing & Scoping Calculator

  Cache Datastores
    SessionDB:  6 GB per 100 Mb/s of sustained traffic provides 4 hours of cache
    MetaDB:     60 GB per 100 Mb/s of sustained traffic provides 4 hours of cache
    Index:      3 GB per 100 Mb/s of sustained traffic provides 4 hours of cache

Extending File Systems

Attach an external disk to extend the /var/netwitness/ partition and create the external disk with the suffix nwhome; attach further external disks for the Decoder database partitions. To extend the /var/netwitness partition, follow these steps:

Note: No other partition should reside on this volume; it is to be used only for /var/netwitness/.

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 2 TB disk.
  3. pvcreate /dev/sdc (assuming the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome
    or
    lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following four partitions should be on the decodersmall volume group.

Folder                             LVM        Volume Group
/var/netwitness/decoder            decoroot   decodersmall
/var/netwitness/decoder/index      index      decodersmall
/var/netwitness/decoder/metadb     metadb     decodersmall
/var/netwitness/decoder/sessiondb  sessiondb  decodersmall

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sdd
  3. vgcreate -s 32 decodersmall /dev/sdd
  4. lvcreate -L <disk_size> -n <lvm_name> decodersmall
  5. mkfs.xfs /dev/decodersmall/<lvm_name>
  6. Repeat steps 4 and 5 for all the LVMs listed in the table

The following partition should be on the decoder volume group.

Folder                            LVM       Volume Group
/var/netwitness/decoder/packetdb  packetdb  decoder

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 decoder /dev/sde
  4. lvcreate -L <disk_size> -n packetdb decoder
  5. mkfs.xfs /dev/decoder/packetdb
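The LogDecoder, Concentrator, Archiver and Decoder sections above all build their database volume groups with the same pvcreate / vgcreate -s 32 / lvcreate / mkfs.xfs sequence, one lvcreate and mkfs.xfs per logical volume. The script below is an added example, not RSA's own code: it generates that sequence from a list of NAME:SIZE pairs and, by default, only prints the commands so the plan can be reviewed before anything is written to a disk. The function name nw_create_db_vg, the NW_APPLY switch and the up-front validation of the volume specs are assumptions of this example; the volume group, LV, device names and sizes in the dry run are taken from this page's tables.

```shell
#!/bin/sh
# Added example, not RSA's code: emit the vgcreate / lvcreate / mkfs.xfs
# sequence this page repeats for each database volume group, from a list of
# NAME:SIZE pairs. Commands are only printed unless NW_APPLY=1 is set.
set -u

# run_cmd: print the command line; execute it only when NW_APPLY=1.
run_cmd() {
    printf '%s\n' "$*"
    if [ "${NW_APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# nw_create_db_vg VG PV NAME:SIZE [NAME:SIZE ...]
#   VG         volume group to create (e.g. logdecodersmall, concentrator, index)
#   PV         the disk that will hold it (e.g. /dev/sdd)
#   NAME:SIZE  one logical volume per pair; SIZE is passed to lvcreate -L
nw_create_db_vg() {
    vg="$1"
    pv="$2"
    shift 2
    if [ "$#" -eq 0 ]; then
        printf 'refusing: no logical volumes given for %s\n' "$vg" >&2
        return 1
    fi
    case "$pv" in
        /dev/*) ;;
        *) printf 'refusing: %s is not a /dev path\n' "$pv" >&2; return 1 ;;
    esac
    # Validate every pair before emitting anything, so a typo cannot leave a
    # half-built volume group behind.
    for spec in "$@"; do
        name="${spec%%:*}"
        size="${spec#*:}"
        if [ -z "$name" ] || [ -z "$size" ] || [ "$name" = "$spec" ]; then
            printf 'refusing: bad volume spec "%s" (want NAME:SIZE)\n' "$spec" >&2
            return 1
        fi
    done
    run_cmd pvcreate "$pv"
    # -s 32: 32 MiB physical extents, as on this page.
    run_cmd vgcreate -s 32 "$vg" "$pv"
    for spec in "$@"; do
        name="${spec%%:*}"
        size="${spec#*:}"
        run_cmd lvcreate -L "$size" -n "$name" "$vg"
        run_cmd mkfs.xfs "/dev/$vg/$name"
    done
}

# Dry run with the LogDecoder layout and sizes from this page's tables.
nw_create_db_vg logdecodersmall /dev/sdd decoroot:10G index:30G metadb:3T sessiondb:370G
nw_create_db_vg logdecoder /dev/sde packetdb:18T
```

Review the printed plan, confirm with lsblk that the PV really is the newly attached empty disk, and only then re-run with NW_APPLY=1. The sizes are passed straight to lvcreate -L; the script does not check that they fit the disk, so lvcreate itself will stop at the first volume that does not.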

RSA recommends the following partition sizes for the Decoder (they can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                          Folder                             Size    Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness                    1 TB    HDD
/dev/decodersmall/decoroot   /var/netwitness/decoder            10 GB   HDD
/dev/decodersmall/index      /var/netwitness/decoder/index      30 GB   HDD
/dev/decodersmall/metadb     /var/netwitness/decoder/metadb     3 TB    HDD
/dev/decodersmall/sessiondb  /var/netwitness/decoder/sessiondb  370 GB  HDD
/dev/decoder/packetdb        /var/netwitness/decoder/packetdb   18 TB   HDD

Create each directory and mount its LVM on it, one after the other; /var/netwitness already exists.

Note: Create the folder /var/netwitness/decoder and mount /dev/decodersmall/decoroot on it first, then create the other folders and mount them.

After that, add the following entries to /etc/fstab in the same order and mount them using mount -a.

/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2

/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2

/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2

/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2

/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2
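Each fstab block on this page (LogDecoder, Concentrator, Archiver and Decoder) must be entered "in the same order" because mount -a processes the file top to bottom: if /var/netwitness/decoder/index were listed before /var/netwitness/decoder, it would be mounted into the nwhome filesystem and then hidden when the parent is mounted over it. The lint script below is an added example, not RSA's code: it checks an fstab fragment for exactly six fields per entry, xfs with noatime,nosuid, numeric dump/pass fields, duplicate mount points, and nested mount points listed before their parent. The function name nw_check_fstab and the sample file it writes are assumptions of this example; the sample entries are the Decoder ones from this page.

```shell
#!/bin/sh
# Added example, not RSA's code: lint the /etc/fstab entries this page asks
# for before running mount -a. Prints one diagnostic per problem; exits 0
# only when the file is clean.
set -u

# nw_check_fstab FILE
nw_check_fstab() {
    awk '
    # Skip comments and blank lines.
    /^[ \t]*(#|$)/ { next }
    {
        n++; line[n] = NR; mnt[n] = $2
        if (NF != 6) {
            printf "line %d: expected 6 fields, got %d\n", NR, NF; bad++
        }
        if ($1 !~ /^\/dev\//) {
            printf "line %d: device %s is not under /dev\n", NR, $1; bad++
        }
        if ($3 != "xfs") {
            printf "line %d: %s uses %s, this page expects xfs\n", NR, $2, $3; bad++
        }
        if (("," $4 ",") !~ /,noatime,/ || ("," $4 ",") !~ /,nosuid,/) {
            printf "line %d: %s lacks noatime,nosuid\n", NR, $2; bad++
        }
        if ($5 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/) {
            printf "line %d: dump and pass fields must be numeric\n", NR; bad++
        }
    }
    END {
        # mount -a works in file order: a nested mount point must be listed
        # after the mount point it lives under, or it is hidden by the parent.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++) {
                if (mnt[i] == mnt[j]) {
                    printf "line %d: %s listed twice\n", line[j], mnt[j]; bad++
                } else if (index(mnt[i], mnt[j] "/") == 1) {
                    printf "line %d: %s listed before its parent %s (line %d)\n",
                        line[i], mnt[i], mnt[j], line[j]; bad++
                }
            }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the Decoder entries from this page, in the page's order.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2
/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2
/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2
/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2
/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2
EOF
if nw_check_fstab "$demo_file"; then
    echo "fstab entries are consistent; safe to run mount -a"
fi
rm -f "$demo_file"
```

Run it against the fragment you are about to append (or against /etc/fstab itself) before mount -a; a non-zero exit means at least one diagnostic was printed. The check for six fields is what catches a stray trailing value such as an extra pass number, which mount -a would otherwise reject at boot.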

Endpoint Log Hybrid

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Endpoint Log Hybrid

Component     MetaDB  PacketDB  SessionDB  Index  Total
Log Decoder   120 GB  26 GB     6 GB       NA     152 GB
Concentrator  206 GB  NA        6 GB       4 GB   216 GB
MongoDB       NA      NA        NA         NA     13 GB (12 GB tracking data, 1 GB scan data)

Note: The above Endpoint Log Hybrid sizing guidelines are for 20 K agents and 20 K events per day per agent with an event size of 1500 bytes.
The same sizing guidelines apply to scan data with 20 K sessions per day per agent, except for MongoDB as noted above.

Extending File Systems

For the Endpoint Server, attach an external disk to extend the /var/netwitness/ partition. Create the external disk with the suffix nwhome.

Follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 6 TB disk.
  3. pvcreate <pv_name> (for example, pvcreate /dev/sdc when the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 5.9T /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommends the following partition for the Endpoint Server (it can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                          Folder            Size   Disk Type
/dev/netwitness_vg00/nwhome  /var/netwitness/  6 TB   HDD

For Mongo DB, attach an external disk to extend the /var/netwitness/mongo partition. Create the external disk with the suffix nwhome.

Follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

  2. Execute lsblk and get the physical volume name. For example, assume you attached one 6 TB disk.
  3. pvcreate <pv_name> (for example, pvcreate /dev/sdc1 when the PV name is /dev/sdc1)
  4. vgextend hybrid /dev/sdc1
  5. lvextend -L 5.9T /dev/mapper/hybrid-vlmng
  6. xfs_growfs /dev/mapper/hybrid-vlmng

RSA recommends the following partition for Mongo DB (it can be changed based on the retention days). The minimum recommended size for /var/netwitness is 500 GB.

LVM                Folder                 Size   Disk Type
/dev/hybrid-vlmng  /var/netwitness/mongo  6 TB   HDD

For Log Decoder, Log Collector, and Concentrator see LogDecoder, LogCollector, and Concentrator.

UEBA

The following procedure attaches an external disk and extends the /var/netwitness/ partition. You must use nwhome as the external disk suffix. This procedure illustrates how to add a 2 TB disk.

Note: /var/netwitness is the only partition that can reside on this volume.

  1. List the physical volume name.
    lsblk (for example, /dev/mapper/sdc)
  2. Extend the /var/netwitness/ partition.
    pvcreate <pv_name> where pv_name is /dev/mapper/sdc
    vgextend netwitness_vg00 /dev/mapper/sdc
    lvextend -L 1.9T /dev/netwitness_vg00/nwhome
    xfs_growfs /dev/mapper/netwitness_vg00-nwhome

This partition is the RSA recommended partition for UEBA. You can change it based on retention days. The minimum recommended size for /var/netwitness is 500 GB.
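Every host type on this page (AdminServer, ESA/Malware, LogCollector, LogDecoder, Concentrator, Archiver, Decoder, Endpoint Server and UEBA) grows /var/netwitness with the same four commands: pvcreate, vgextend netwitness_vg00, lvextend on nwhome, then xfs_growfs. The script below is an added example, not RSA's code: it wraps that sequence so the commands can be reviewed as a dry run before being applied, and refuses a device that is not under /dev or, when actually applying, one that already carries a filesystem or LVM signature, since pvcreate would overwrite it. The function name nw_extend_nwhome, the NW_APPLY switch and the blkid pre-check are assumptions of this example; the volume group, LV and device names are the ones the page uses. The Mongo DB variant, which extends the hybrid volume group instead, is not covered.

```shell
#!/bin/sh
# Added example, not RSA's code: wrap the /var/netwitness extension sequence
# used throughout this page so it can be reviewed before it is run.
# Commands are only printed unless NW_APPLY=1 is set.
set -u

# run_cmd: print the command line; execute it only when NW_APPLY=1.
run_cmd() {
    printf '%s\n' "$*"
    if [ "${NW_APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# nw_extend_nwhome PV [SIZE]
#   PV    the newly attached disk, e.g. /dev/sdc
#   SIZE  target LV size for lvextend -L (e.g. 1.9T for a 2 TB disk);
#         omit it to use all free space instead (lvextend -l +100%FREE).
# netwitness_vg00/nwhome is the volume group and LV named on this page.
nw_extend_nwhome() {
    pv="$1"
    size="${2:-}"
    case "$pv" in
        /dev/*) ;;
        *) printf 'refusing: %s is not a /dev path\n' "$pv" >&2; return 1 ;;
    esac
    # pvcreate overwrites whatever is on the disk, so when applying, refuse a
    # device that already carries a filesystem or LVM signature (blkid -p
    # exits 0 when it finds one). Assumed safeguard, not from the page.
    if [ "${NW_APPLY:-0}" = "1" ] && blkid -p "$pv" >/dev/null 2>&1; then
        printf 'refusing: %s already has a signature; check blkid -p %s\n' "$pv" "$pv" >&2
        return 1
    fi
    run_cmd pvcreate "$pv"
    run_cmd vgextend netwitness_vg00 "$pv"
    if [ -n "$size" ]; then
        run_cmd lvextend -L "$size" /dev/netwitness_vg00/nwhome
    else
        run_cmd lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
    fi
    # Grow the XFS filesystem to the new LV size; this must follow lvextend.
    run_cmd xfs_growfs /dev/mapper/netwitness_vg00-nwhome
}

# Dry run: the 2 TB disk case from this page, attached as /dev/sdc.
nw_extend_nwhome /dev/sdc 1.9T
```

Check the printed plan against lsblk output, then re-run with NW_APPLY=1 as root to apply it. Passing the size explicitly (1.9T, 5.9T, 488G on this page) leaves a little headroom in the volume group; omitting it gives nwhome every free extent, which is what the +100%FREE alternative in the steps above does.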
