After reviewing your initial datastore configuration, you may determine that you need to add a new volume. This topic uses a Virtual Packet/Log Decoder host as an example.
Complete these tasks in the following order.
- Add New Disk
- Create New Volumes on the New Disk
- Create LVM volume on New Partition
- Extend Volume Group with Physical Volume
- Expand the File System
- Start the Services
- Make Sure the Services Are Running
- Reconfigure LogDecoder Parameters
Add New Disk
Add New Disk in VMware ESXi
This procedure shows you how to add a new 100 GB disk on the same datastore.
Note: The procedure to add a disk on a different datastore is similar to the procedure shown here.
Shut down the virtual machine, edit the Virtual Machine Properties, click the Hardware tab, and click Add.
Select Hard Disk as the device type.
Select Create a new virtual disk.
Choose the size of the new disk and where you want to create it (on the same datastore or a different datastore).
Note: Choose the disk provisioning type based on your requirements.
Approve the proposed Virtual Device Node.
Note: The Virtual Device Node can vary; it determines which /dev/sdX name the guest assigns to the new disk, so confirm the device name with lsblk before running pvcreate on it.
Confirm the settings.
Add New Disk in Hyper-V
Shut down the VM, click Settings, select IDE Controller, select Hard Drive and click Add.
Select New Virtual Hard Disk.
Select VHDX as a disk format.
Select Dynamically expanding as a disk type.
Specify the Name and Location of the virtual hard disk file.
Select create a new blank virtual hard disk and specify the size.
In the Summary, review the settings and click Finish.
Extending File Systems
Follow the instructions below to extend the file systems of the various components.
AdminServer
Attach an external disk to extend the /var/netwitness/ partition (see Add New Disk above for attaching the disk). Name the additional disk with the suffix nwhome.
Follow these steps:
- Run lsblk and note the device name of the new disk. This example assumes a 2 TB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 1.9T /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
Note: lvextend -L sets the total size of the logical volume, so the value must be larger than the current size of nwhome. To grow the volume by all the free space in the volume group instead, use lvextend -l +100%FREE /dev/netwitness_vg00/nwhome. The xfs_growfs step is required because lvextend resizes only the block device, not the XFS file system on it.
RSA recommended partition size for AdminServer (can be changed based on the retention days).
ESAPrimary/ESASecondary/Malware
Attach an external disk to extend the /var/netwitness/ partition; name the disk with the suffix nwhome.
Follow these steps:
- Run lsblk and note the device name of the new disk. This example assumes a 6 TB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 5.9T /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
RSA recommended partition size for ESAPrimary/ESASecondary/Malware (can be changed based on the retention days).
LogCollector
Attach an external disk to extend the /var/netwitness/ partition; name the disk with the suffix nwhome.
- Run lsblk and note the device name of the new disk. This example assumes a 500 GB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 488G /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
RSA recommended partition size for LogCollector (can be changed based on the retention days).
LogDecoder
Attach an external disk to extend the /var/netwitness/ partition (name it with the suffix nwhome), and attach further external disks for the LogDecoder database partitions. To extend the /var/netwitness partition, follow these steps:
Note: No other partition should reside on this volume; it is used only for /var/netwitness/.
- Run lsblk and note the device name of the new disk. This example assumes a 2 TB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 1.9T /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
Other partitions are also required. Create the following four partitions on the volume group logdecodersmall: decoroot, index, metadb and sessiondb.
Follow these steps to create the partitions listed in the table above:
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sdd
- vgcreate -s 32 logdecodersmall /dev/sdd (the -s 32 option sets a 32 MB physical extent size)
- lvcreate -L <disk_size> -n <lvm_name> logdecodersmall
- mkfs.xfs /dev/logdecodersmall/<lvm_name>
- Repeat the lvcreate and mkfs.xfs steps for each of the logical volumes listed.
The packetdb partition should be on the volume group logdecoder.
Follow these steps:
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sde
- vgcreate -s 32 logdecoder /dev/sde
- lvcreate -L <disk_size> -n packetdb logdecoder
- mkfs.xfs /dev/logdecoder/packetdb
RSA recommends the following partition sizes for LogDecoder (they can be changed based on the retention days).
Create each directory and mount its logical volume on it, one after the other, except /var/netwitness, which already exists.
Note: Create the folder /var/netwitness/logdecoder and mount /dev/logdecodersmall/decoroot on it first; only then create the other folders inside it and mount them.
After that, add the entries below to /etc/fstab in the same order and mount them using mount -a.
/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2
/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2
/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2
/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2
/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2
Concentrator
Attach an external disk to extend the /var/netwitness/ partition (name it with the suffix nwhome), and attach further external disks for the Concentrator database partitions.
To extend the /var/netwitness partition, follow these steps:
Note: No other partition should reside on this volume; it is used only for /var/netwitness/.
- Run lsblk and note the device name of the new disk. This example assumes a 2 TB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 1.9T /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
The following partitions are also required on the volume group concentrator: root, sessiondb and metadb.
Follow these steps:
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sdd
- vgcreate -s 32 concentrator /dev/sdd
- lvcreate -L <disk_size> -n <lvm_name> concentrator
- mkfs.xfs /dev/concentrator/<lvm_name>
- Repeat the lvcreate and mkfs.xfs steps for each of the logical volumes listed.
The index partition should be on the volume group index.
Follow these steps:
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sde
- vgcreate -s 32 index /dev/sde
- lvcreate -L <disk_size> -n index index
- mkfs.xfs /dev/index/index
RSA recommends the following partition sizes for Concentrator (they can be changed based on the retention days).
Create each directory and mount its logical volume on it, one after the other, except /var/netwitness, which already exists.
Note: Create the folder /var/netwitness/concentrator and mount /dev/concentrator/root on it first; only then create the other folders inside it and mount them.
After that, add the entries below to /etc/fstab in the same order and mount them using mount -a.
/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2
/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2
Archiver
Attach an external disk to extend the /var/netwitness/ partition (name it with the suffix nwhome), and attach further external disks for the Archiver database partition.
To extend the /var/netwitness partition, follow these steps:
Note: No other partition should reside on this volume; it is used only for /var/netwitness.
- Run lsblk and note the device name of the new disk. This example assumes a 2 TB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 1.9T /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
The following partition is required on the volume group archiver.
Follow these steps:
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sde
- vgcreate -s 32 archiver /dev/sde
- lvcreate -L <disk_size> -n archiver archiver
- mkfs.xfs /dev/archiver/archiver
RSA recommends the following partition size for the Archiver (it can be changed based on the retention days).
Create the directory and mount the logical volume on it; /var/netwitness already exists.
After that, add the entry below to /etc/fstab and mount it using mount -a.
/dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2
Decoder
Attach an external disk to extend the /var/netwitness/ partition (name it with the suffix nwhome), and attach further external disks for the Decoder database partitions. To extend the /var/netwitness partition, follow these steps:
Note: No other partition should reside on this volume; it is used only for /var/netwitness/.
- Run lsblk and note the device name of the new disk. This example assumes a 2 TB disk that appears as /dev/sdc.
- pvcreate /dev/sdc
- vgextend netwitness_vg00 /dev/sdc
- lvextend -L 1.9T /dev/netwitness_vg00/nwhome
- xfs_growfs /dev/mapper/netwitness_vg00-nwhome
The following four partitions should be on the volume group decodersmall: decoroot, index, metadb and sessiondb.
Follow these steps:
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sdd
- vgcreate -s 32 decodersmall /dev/sdd
- lvcreate -L <disk_size> -n <lvm_name> decodersmall
- mkfs.xfs /dev/decodersmall/<lvm_name>
- Repeat the lvcreate and mkfs.xfs steps for each of the logical volumes listed.
The packetdb partition should be on the volume group decoder.
- Run lsblk and get the physical volume names from the output.
- pvcreate /dev/sde
- vgcreate -s 32 decoder /dev/sde
- lvcreate -L <disk_size> -n packetdb decoder
- mkfs.xfs /dev/decoder/packetdb
RSA recommends the following partition sizes for Decoder (they can be changed based on the retention days).
Create each directory and mount its logical volume on it, one after the other, except /var/netwitness, which already exists.
Note: Create the folder /var/netwitness/decoder and mount /dev/decodersmall/decoroot on it first; only then create the other folders inside it and mount them.
After that, add the entries below to /etc/fstab in the same order and mount them using mount -a.
/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2
/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2
/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2
/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2
/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2
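The LogDecoder, Decoder, Concentrator and Archiver sections above all repeat the same sequence: pvcreate, vgcreate -s 32, one lvcreate and mkfs.xfs per logical volume, then directories, /etc/fstab entries and mounts in parent-first order. The script below is an added example written for this page, not code from the NetWitness documentation or product; it drives that sequence from one declarative spec so the order and names cannot be mistyped. The "vg:lv:size:mountpoint" spec format, the function names, the NW_DRY_RUN switch and the placeholder sizes in the sample spec are assumptions of this example; the volume group and logical volume names, mount points, 32 MB extent size and fstab options are the page's.

```shell
#!/bin/sh
# Added example for this page, not code from the NetWitness documentation or
# product. Builds the per-database volume groups, logical volumes, XFS file
# systems and /etc/fstab entries described in the LogDecoder, Decoder,
# Concentrator and Archiver sections from one declarative spec.
# Assumptions (ours, not the page's): the "vg:lv:size:mountpoint" spec format,
# the function names, the NW_DRY_RUN switch and the placeholder sizes below.
# VG/LV names, mount points, the 32 MB extent size and the fstab options are
# taken from the page. Run as root; NW_DRY_RUN=1 prints instead of executing.

# Constructed sample spec: the LogDecoder layout. Sizes are placeholders; use
# the page's sizing table. LVs are created in spec order, so the entry that
# takes "100%FREE" must be the last one for its volume group.
NW_LOGDECODER_SPEC='logdecodersmall:decoroot:10G:/var/netwitness/logdecoder
logdecodersmall:index:30G:/var/netwitness/logdecoder/index
logdecodersmall:sessiondb:600G:/var/netwitness/logdecoder/sessiondb
logdecodersmall:metadb:100%FREE:/var/netwitness/logdecoder/metadb
logdecoder:packetdb:100%FREE:/var/netwitness/logdecoder/packetdb'

# Run a privileged command, or just print it when NW_DRY_RUN=1.
nw_run() {
    if [ "${NW_DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# One fstab line in exactly the form the page uses. /dev/<vg>/<lv> is stable
# across reboots; /dev/sdX names can shift when another disk is attached.
nw_fstab_line() {
    printf '%s %s xfs noatime,nosuid 1 2\n' "/dev/$1/$2" "$3"
}

# Read spec lines on stdin and print fstab lines ordered parent-first. Sorting
# on the mount-point field is sufficient because a parent path is a prefix of
# its children's paths; mount -a walks fstab top to bottom, so
# /var/netwitness/logdecoder is mounted before .../logdecoder/index.
nw_fstab_entries() {
    while IFS=: read -r vg lv size mnt; do
        [ -n "$lv" ] || continue
        nw_fstab_line "$vg" "$lv" "$mnt"
    done | LC_ALL=C sort -k2,2
}

# pvcreate the disk, create the VG with 32 MB extents (vgcreate -s 32, as on
# the page), then one LV plus XFS file system per spec line for that VG.
nw_create_volumes() {
    vg="$1"; pv="$2"; spec="$3"
    nw_run pvcreate "$pv"
    nw_run vgcreate -s 32 "$vg" "$pv"
    printf '%s\n' "$spec" | while IFS=: read -r svg lv size mnt; do
        [ "$svg" = "$vg" ] || continue
        # A VG is a little smaller than its disk (LVM metadata), so "-L <disk
        # size>" for the last LV fails; "-l 100%FREE" takes whatever is left.
        case "$size" in
            *%*) nw_run lvcreate -l "$size" -n "$lv" "$vg" ;;
            *)   nw_run lvcreate -L "$size" -n "$lv" "$vg" ;;
        esac
        nw_run mkfs.xfs "/dev/$vg/$lv"
    done
}

nw_append_fstab() {
    if [ "${NW_DRY_RUN:-0}" = "1" ]; then echo "+ fstab: $1"
    else printf '%s\n' "$1" >> /etc/fstab; fi
}

# For each entry, parent-first: create the directory, add the fstab line and
# mount it immediately. Mounting as we go matters: the child directories must
# be created inside the mounted decoroot file system, not on nwhome underneath
# it, otherwise the next boot's mount -a fails on them. Entries that fstab
# already lists are skipped so the script can be re-run.
nw_mount_volumes() {
    printf '%s\n' "$1" | nw_fstab_entries | while read -r dev mnt rest; do
        if grep -qs "[[:space:]]$mnt[[:space:]]" /etc/fstab; then
            echo "$mnt already in /etc/fstab, skipping" >&2; continue
        fi
        nw_run mkdir -p "$mnt"
        nw_append_fstab "$dev $mnt $rest"
        nw_run mount "$mnt"
    done
}

# Usage on the LogDecoder, after attaching the two database disks:
#   nw_create_volumes logdecodersmall /dev/sdd "$NW_LOGDECODER_SPEC"
#   nw_create_volumes logdecoder      /dev/sde "$NW_LOGDECODER_SPEC"
#   nw_mount_volumes "$NW_LOGDECODER_SPEC"
```

Run it once with NW_DRY_RUN=1 to review the exact pvcreate, vgcreate, lvcreate, mkfs.xfs, fstab and mount lines it would execute against your disks, then again without the switch. The same spec format describes the Decoder (decodersmall/decoder), Concentrator (concentrator/index) and Archiver (archiver) layouts from the sections above.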
UEBA
The following procedure attaches an external disk and extends the /var/netwitness/ partition. You must use nwhome as the external disk suffix. This procedure illustrates how to add a 2 TB disk.
Note: /var/netwitness is the only partition that can reside on this volume.
- List the physical volume name with lsblk. This example assumes the new disk appears as /dev/sdc.
- Extend the /var/netwitness/ partition:
pvcreate /dev/sdc
vgextend netwitness_vg00 /dev/sdc
lvextend -L 1.9T /dev/netwitness_vg00/nwhome
xfs_growfs /dev/mapper/netwitness_vg00-nwhome
This is the RSA recommended partition size for UEBA. You can change it based on retention days.
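Every component section on this page (AdminServer, ESA/Malware, LogCollector, LogDecoder, Concentrator, Archiver, Decoder and UEBA) extends netwitness_vg00/nwhome with the same four commands. The script below is an added example written for this page, not code from the NetWitness documentation or product; it wraps that sequence with the checks a practitioner wants before running pvcreate on a /dev/sdX node whose name the hypervisor may have changed. The volume group and logical volume names are the page's; the function names and the NW_DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example for this page, not code from the NetWitness documentation or
# product. Extends the netwitness_vg00/nwhome logical volume (mounted on
# /var/netwitness) with a newly attached disk, adding the checks the manual
# steps in the AdminServer, ESA, LogCollector, LogDecoder, Concentrator,
# Archiver, Decoder and UEBA sections leave out. The VG and LV names come from
# the page; the function names and the NW_DRY_RUN switch are ours. Run as
# root; NW_DRY_RUN=1 prints the privileged commands instead of running them.

NW_VG="${NW_VG:-netwitness_vg00}"
NW_LV="${NW_LV:-nwhome}"

nw_run() {
    if [ "${NW_DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# device-mapper name of a logical volume. A hyphen inside a VG or LV name is
# doubled, which is why the page's xfs_growfs target is
# /dev/mapper/netwitness_vg00-nwhome and a VG named "my-vg" would show up as
# /dev/mapper/my--vg-<lv>.
nw_mapper_path() {
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# Refuse to initialise anything that is not a bare, empty block device. The
# /dev/sdX node a hypervisor hands a new disk can vary, and pvcreate on the
# wrong one destroys whatever it held.
nw_check_disk_empty() {
    disk="$1"
    [ -b "$disk" ] || { echo "$disk: not a block device" >&2; return 1; }
    # lsblk prints the disk plus one line per partition: a bare disk is 1 line.
    [ "$(lsblk -n -o NAME "$disk" | wc -l | tr -d ' ')" = 1 ] \
        || { echo "$disk: already partitioned" >&2; return 1; }
    # blkid -p probes the device directly (no cache) and exits 0 only when it
    # finds a file-system, LVM or partition-table signature.
    if blkid -p "$disk" >/dev/null 2>&1; then
        echo "$disk: carries a signature, refusing to pvcreate it" >&2
        return 1
    fi
}

# The page's sequence, with two changes: "-l +100%FREE" grows nwhome by every
# extent the new PV added (the page requires nothing else on this VG), where
# the page's "-L 1.9T" sets an absolute size and fails if the LV is already
# larger; and the result is verified with df.
nw_extend_nwhome() {
    disk="$1"
    nw_check_disk_empty "$disk" || return 1
    nw_run pvcreate "$disk"
    nw_run vgextend "$NW_VG" "$disk"
    nw_run lvextend -l +100%FREE "/dev/$NW_VG/$NW_LV"
    # lvextend resizes only the block device; XFS is grown online, separately.
    nw_run xfs_growfs "$(nw_mapper_path "$NW_VG" "$NW_LV")"
    nw_run df -h /var/netwitness
}

# Usage, after lsblk shows the new disk: nw_extend_nwhome /dev/sdc
```

Run it first with NW_DRY_RUN=1 to see the four LVM commands it would issue for the device you name; the emptiness check runs for real in both modes, so a disk that already carries a partition table or file system is rejected before anything is written.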