Virtual Host Setup: Task 3. Add New Volume and Extend Existing File Systems

 

After reviewing your initial datastore configuration, you may determine that you need to add a new volume. This topic uses a Virtual Packet/Log Decoder host as an example.

Complete these tasks in the following order.

1. Add New Disk
2. Create New Volumes on the New Disk
3. Create LVM volume on New Partition
4. Extend Volume Group with Physical Volume
5. Expand the File System
6. Start the Services
7. Make Sure the Services Are Running
8. Reconfigure LogDecoder Parameters

Add New Disk

Add New Disk in VMware ESXi

Add New Disk in Hyper-V

Add New Disk in VMware ESXi

This procedure shows you how to add a new 100 GB disk on the same datastore.

Note: The procedure to add a disk on different datastore is similar to the procedure shown here.

1. Shut down the machine, edit Virtual Machine Properties, click Hardware tab, and click Add.

   

2. Select Hard Disk as the device type.

   

3. Select Create a new virtual disk.

   

4. Choose the size of the new disk and where you want to create it (on the same datastore or a different datastore).

   Note: Choose data provisioning based on your requirements

   

5. Approve the proposed Virtual Device Node.

   

   Note: The Virtual Device Node can vary, but it is pertinent to /dev/sdX mappings.

6. Confirm the settings.

   

Add New Disk in Hyper-V

1. Shut down the VM and click Settings and IDE Controller, select the Hard Drive and click Add.

   

2. Select the New Virtual Hard disk.

   

3. Select VHDX as a disk format.

   

4. Select Dynamically expanding as a disk type.

   
   

5. Specify the Name and Location of the virtual hard disk file.

   

6. Select create a new blank virtual hard disk and specify the size.

   
   

7. In the Summary, review the settings and click Finish.

   
   

Extending File Systems

Follow the below instructions to extend the file systems for the various components.

AdminServer

Attach external disk for extension of /var/netwitness/ (refer to the steps in attaching the disk) partition. Create an additional disk with suffix as nwhome.

Follow these steps:

1. Execute lsblk and get the physical volume name, for example if you attach one 2TB disk.
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommended partition for AdminServer (Can be changed based on the retention days).

                     

ESAPrimary/ESASecondary/Malware

Attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

Follow these steps:

1. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 5.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommended partition for ESAPrimary/ESASecondary/Malware (Can be changed based on the retention days).

                     

LogCollector

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

1. Execute lsblk and get the physical volume name, for example if you attach one 500GB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 488G /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommended partition for LogCollector (Can be changed based on the retention days).

                     

LogDecoder

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for LogDecoder database partition. For extending /var/netwitness partition follow these steps:

Note: No other partition should reside on this volume, only to be used for /var/netwitness/

1. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Other partitions are also required. Create the following four partitions on volume group logdecodersmall

                                 

Follow these steps to create the partitions mentioned in the table above:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 logdecodersmall /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> logdecodersmall
5. mkfs.xfs /dev/logdecodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned

The following partition should be on volume group LogDecoder

                  

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 logdecoder /dev/sde
4. lvcreate –L <disk_size> -n packetdb logdecoder
5. mkfs.xfs /dev/logdecoder/packetdb

RSA recommends below sizing partition for LogDecoder (Can be changed based on the retention days)

                                                   

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

Note: Create the folder /var/netwitness/logdecoder and mount on /dev/logdecodersmall/decoroot then create the other folders and mount them.

After that add the below entries in /etc/fstab in the same order and mount them using mount –a.

/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2

/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2

/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2

/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2

/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2

Concentrator

Attach external disk for extension of /var/netwitness/ partition, Create an external disk with suffix as nwhome, attach other external disks for Concentrator database partition.

For extending /var/netwitness partition follow below steps:

Note: No other partition should reside on this volume, only to be used for /var/netwitness/

1. Execute lsblk and get the physical volume name, for example if you attach one 2TB disk
2. pvcreate /dev/sdc suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Below partitions are also required on volume group concentrator.

                            

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 concentrator /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> concentrator
5. mkfs.xfs /dev/concentrator/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned

Below partition should be on volume group index

                  

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 index /dev/md1
4. lvcreate –L <disk_size> -n index index
5. mkfs.xfs /dev/index/index

RSA recommends below sizing partition for Concentrator (Can be changed based on the retention days)

                                             

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

Note: Create the folder /var/netwitness/concentrator and mount on /dev/concentrator/root then create the other folders and mount them.

After that add the below entries in /etc/fstab in the same order

/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2

/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2

/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2 2

/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2

Archiver

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for Archiver database partition.

For extending /var/netwitness partition follow these steps:

Note: No other partition should reside on this volume, only to be used for /var/netwitness

1. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
2. pvcreate /dev/sdc suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

Below partition is required for volume group archiver

                  

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 archiver /dev/sde
4. lvcreate –L <disk_size> -n archiver archiver
5. mkfs.xfs /dev/archiver/archiver

RSA recommends below sizing partition for archiver (Can be changed based on the retention days)

                           

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

After that add the below entries in /etc/fstab in the same order

/dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2

Decoder

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for decoder database partition. For extending /var/netwitness partition follow these steps:

Note: No other partition should reside on /var/netwitness/

1. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
2. pvcreate /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Below four partition should be on volume group decodersmall

                                 

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 decodersmall /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> decodersmall
5. mkfs.xfs /dev/decodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned

Below partition should be on volume group decoder

                  

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 decoder /dev/sde
4. lvcreate –L <disk_size> -n packetdb decoder
5. mkfs.xfs /dev/decoder/packetdb

RSA recommends below sizing partition for Decoder (Can be changed based on the retention days)

                                                   

Create each directory and mount the LVM on it in serial manner, except /var/netwitness which will be already created.

Note: Create the folder /var/netwitness/decoder and mount on /dev/decodersmall/decoroot then create the other folders and mount them.

After that add the below entries in /etc/fstab in the same order and mount them using mount –a.

/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2

/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2

/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2

/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2

/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2