Virtual Host Setup: Task 3. Add New Volume and Extend Existing File Systems

 

After reviewing your initial datastore configuration, you may determine that you need to add a new volume. This topic uses a Virtual Packet/Log Decoder host as an example.

Complete these tasks in the following order.

1. Add New Disk
2. Create New Volumes on the New Disk
3. Create LVM volume on New Partition
4. Extend Volume Group with Physical Volume
5. Expand the File System
6. Start the Services
7. Make Sure the Services Are Running
8. Reconfigure LogDecoder Parameters

Add New Disk

Add New Disk in VMware ESXi

Add New Disk in Hyper-V

Add New Disk in VMware ESXi

This procedure shows you how to add a new 100 GB disk on the same datastore.

Note: The procedure to add a disk on different datastore is similar to the procedure shown here.

1. Shut down the machine, edit Virtual Machine Properties, click Hardware tab, and click Add.

   

2. Select Hard Disk as the device type.

   

3. Select Create a new virtual disk.

   

4. Choose the size of the new disk and where you want to create it (on the same datastore or a different datastore).

   Note: Choose data provisioning based on your requirements

   

5. Approve the proposed Virtual Device Node.

   

   Note: The Virtual Device Node can vary, but it is pertinent to /dev/sdX mappings.

6. Confirm the settings.

   

Add New Disk in Hyper-V

1. Shut down the VM and click Settings and IDE Controller, select the Hard Drive and click Add.

   

2. Select the New Virtual Hard disk.

   

3. Select VHDX as a disk format.

   

4. Select Dynamically expanding as a disk type.

   
   

5. Specify the Name and Location of the virtual hard disk file.

   

6. Select create a new blank virtual hard disk and specify the size.

   
   

7. In the Summary, review the settings and click Finish.

   
   

Extending File Systems

Follow the below instructions to extend the file systems for the various components.

Note: Following commands are commonly used for the file extension.
- dev/sdc for extending nw-home or /var/netwitness.
- /dev/sdd for creating /var/netwitness/xxxxxx.
- /dev/<> for creating /var/netwitenss/xxxxxx/metadb.
- /dev/<> for creating /var/netwitness/xxxxx/sessiondb.
- /dev/sde for creating /var/netwitness/xxxxx/index.
The # of /dev/<> varies based on the retention days or the # of disks attached.

AdminServer

Attach external disk for extension of /var/netwitness/ (refer to the steps in attaching the disk) partition. Create an additional disk with suffix as nwhome.

Follow these steps:

1. Execute lsblk and get the physical volume name, for example if you attach one 2TB disk.
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommended partition for AdminServer (Can be changed based on the retention days).

                     

ESAPrimary/ESASecondary/Malware

Attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

Follow these steps:

1. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 5.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommended partition for ESAPrimary/ESASecondary/Malware (Can be changed based on the retention days).

                     

LogCollector

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

1. Execute lsblk and get the physical volume name, for example if you attach one 500GB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 488G /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommends the following partition for the LogCollector (Can be changed based on the retention days).

                     

LogDecoder

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for LogDecoder database partition. For extending /var/netwitness partition follow these steps:

Note: No other partition should reside on this volume, only to be used for /var/netwitness/

1. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Other partitions are also required. Create the following partitions on the logdecodersmall volume group.

                                 

Follow these steps to create the partitions mentioned in the table above:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 logdecodersmall /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> logdecodersmall
5. mkfs.xfs /dev/logdecodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned

The following partition should be on volume group LogDecoder

                  

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 logdecoder /dev/sde
4. lvcreate –L <disk_size> -n packetdb logdecoder
5. mkfs.xfs /dev/logdecoder/packetdb

RSA recommends below sizing partition for LogDecoder (Can be changed based on the retention days)

                                                   

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

Note: Create the folder /var/netwitness/logdecoder and mount on /dev/logdecodersmall/decoroot then create the other folders and mount them.

After that add the below entries in /etc/fstab in the same order and mount them using mount –a.

/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2

/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2

/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2

/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2

/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2

Concentrator

Attach external disk for extension of /var/netwitness/ partition, Create an external disk with suffix as nwhome, attach other external disks for Concentrator database partition.

For extending /var/netwitness partition follow below steps:

Note: No other partition should reside on this volume, only to be used for /var/netwitness/.

1. Execute lsblk and get the physical volume name, for example if you attach one 2TB disk
2. pvcreate /dev/sdc suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following partitions are also required on volume group concentrator.

                            

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 concentrator /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> concentrator
5. mkfs.xfs /dev/concentrator/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned

Below partition should be on volume group index

                  

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 index /dev/sde
4. lvcreate –L <disk_size> -n index index
5. mkfs.xfs /dev/index/index

RSA recommends below sizing partition for Concentrator (Can be changed based on the retention days)

                                             

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

Note: Create the folder /var/netwitness/concentrator and mount on /dev/concentrator/root then create the other folders and mount them.

After that add the below entries in /etc/fstab in the same order

/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2

/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2

/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2 2

/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2

Archiver

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for Archiver database partition.

For extending /var/netwitness partition follow these steps:

Note: No other partition should reside on this volume, only to be used for /var/netwitness.

1. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
2. pvcreate /dev/sdc suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

The following partition is required for the Archiver volume group.

                  

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 archiver /dev/sde
4. lvcreate –L <disk_size> -n archiver archiver
5. mkfs.xfs /dev/archiver/archiver

RSA recommends the following sizing partition for the Archiver (Can be changed based on the retention days).

                           

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

After that add the below entries in /etc/fstab in the same order

/dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2

Decoder

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for decoder database partition. For extending /var/netwitness partition follow these steps:

Note: No other partition should reside on /var/netwitness/.

1. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
2. pvcreate /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following four partitions should be on the decodersmall volume group.

                                 

Follow these steps:

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 decodersmall /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> decodersmall
5. mkfs.xfs /dev/decodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned

The following partition should be on the decoder volume group.

                  

1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 decoder /dev/sde
4. lvcreate –L <disk_size> -n packetdb decoder
5. mkfs.xfs /dev/decoder/packetdb

RSA recommends the following sizing partition for the Decoder (Can be changed based on the retention days).

                                                   

Create each directory and mount the LVM on it in serial manner, except /var/netwitness which will be already created.

Note: Create the folder /var/netwitness/decoder and mount on /dev/decodersmall/decoroot then create the other folders and mount them.

After that add the below entries in /etc/fstab in the same order and mount them using mount –a.

/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2

/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2

/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2

/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2

/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2

Endpoint Log Hybrid

For Endpoint Server, attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

Follow these steps:

1. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc
3. vgextend netwitness_vg00 /dev/sdc
4. lvextend –L 5.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

RSA recommended partition for Endpoint Server (Can be changed based on the retention days).

                     

For Mongo DB, attach external disk for extension of /var/netwitness/mongo partition, create an external disk with suffix as nwhome.

Follow these steps:

1. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
2. pvcreate <pv_name> suppose the PV name is /dev/sdc1
3. vgextend hybrid /dev/sdc1
4. lvextend –L 5.9T /dev/hybrid-vlmng
5. xfs_growfs /dev/mapper/hybrid-vlmng

RSA recommended partition for Mongo DB (Can be changed based on the retention days).

                     

For Log Decoder, Log Collector, and Concentrator see LogDecoder, LogCollector, and Concentrator.

UEBA

The following procedure attaches an external disk and extends the /var/netwitness/ partition. You must use nwhome as the eternal disk suffix. This procedure illustrates how to add a 2TB disk.

Note: /var/netwitness is the only partition that can reside on this volume.

1. List the physical volume name.
   lsblk (for example, dev/mapper/sdc)
   
2. Extend the /var/netwitness/ partition.
   pvcreate <pv_name>where pv_name is dev/mapper/sdc
   vgextend netwitness_vg00 /dev/mapper/sdc
   lvextend –L 1.9T /dev/mapper/netwitness_vg00/nwhome
   xfs_growfs /dev/mapper/netwitness_vg00-nwhome
   

This partition is the RSA recommended partition for UEBA. You can change it based on retention days.