Archiver: Configure Hot, Warm, and Cold Storage

Document created by RSA Information Design and Development on Apr 18, 2016
Version 1

This topic provides instructions for Administrators on how to configure total hot, warm, and cold storage on an Archiver.

An Archiver host has hot storage preconfigured to the defaults. Administrators can configure total hot, warm, and cold storage to meet their specific business requirements. An Archiver must have total hot storage configured, but warm and cold storage configurations are optional. Security Analytics does not manage cold storage.

Prerequisites

Ensure that you have:

  1. Installed the Security Analytics Archiver host in your network environment.
  2. Installed and configured Log Decoder in your network environment.
  3. Added Archiver as a Core service to your Security Analytics deployment.
  4. Added Log Decoder services as a data source for Archiver.
  5. Installed and configured a DAC or other physical storage in your network environment.
  6. Determined your log retention and storage requirements.

Procedures

Configure Total Hot Storage for an Archiver

  1. In the Security Analytics menu, select Administration > Services.
  2. Select the Archiver service and click the actions icon > View > Config.
    The Services Config view of Archiver is displayed.
  3. On the Data Retention tab, in the Total Hot Storage section, click the settings icon to configure total hot storage.
  4. In the Hot Storage Mount Points dialog, add the mount points attached to the Archiver host that you want to include in Total Hot Storage.
    These are the paths to high performance storage, such as DAC storage and SAN. Do not add collections or subdirectories to the mount points.
    To add a mount point, click the add icon and type the path to the mount point.
  5. Verify that your mount point paths are correct and click Save.
    Security Analytics will automatically create metadb, packetdb, sessiondb, and index directories for each collection defined on the Archiver:
    <storageLocation>/<CollectionName>/metadb
    <storageLocation>/<CollectionName>/packetdb
    <storageLocation>/<CollectionName>/sessiondb
    <storageLocation>/<CollectionName>/index

    For example, if your mount point is /var/netwitness/archiver, then the following directories will be created for each of your collections:
    /var/netwitness/archiver/<CollectionName>/metadb
    /var/netwitness/archiver/<CollectionName>/packetdb
    /var/netwitness/archiver/<CollectionName>/sessiondb
    /var/netwitness/archiver/<CollectionName>/index

    After the Archiver service is restarted, data will start being saved to your defined collections. Ensure that your log retention collections are correct before restarting the Archiver service.

Caution: After data has been saved to a mount point, it cannot be removed from the user interface.

Configure Total Warm Storage for an Archiver

(Optional) The procedure to configure Total Warm Storage for an Archiver is the same as for Total Hot Storage, except that you click the settings icon in the Total Warm Storage section and add the mount points that you want to use for warm storage, which are the physical paths to warm storage, such as Network Attached Storage (NAS).


Configure Total Cold Storage for an Archiver

(Optional) The procedure to configure Total Cold Storage for an Archiver is the same as for Total Hot Storage, except that you click the settings icon in the Total Cold Storage section and you add only one mount point for cold storage. Security Analytics does not manage cold storage.

You must include the collection name format specifier %n somewhere in the cold storage mount point path name to avoid filename collisions between collections.


The following format specifiers are allowed in the path:

Format Specifier    Description
%n                  collection name (required)
%y                  year the data moved to cold storage
%m                  month
%d                  day
%h                  hour
%##r                block of hours for the current day. For example, if you want three 8-hour blocks, set it to %8r. The first 8 hours of the day return 0, the second 8 hours return 1, and the last 8 hours of the day return 2.

Changes take effect immediately.

For example, if you have a collection named compliance and you create the following cold storage path:

/sa-cold-storage/%n/%y-%m-%d/

Security Analytics creates a directory each day with the following format:

/sa-cold-storage/compliance/2015-11-20/
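As an added example (illustrative code, not RSA's implementation), the following Python expands a cold storage path template the way the specifiers above describe and reports templates that break the documented rules; it assumes a four-digit %y and zero-padded %m, %d and %h, which is what the 2015-11-20 output shown implies.

```python
import re
from datetime import datetime

# Matches one documented specifier: optional width digits, then the letter,
# e.g. %n, %y, %8r. Anything else in the path is copied through unchanged.
SPEC_RE = re.compile(r"%(\d*)([nymdhr])")


def cold_path_problems(template: str) -> list:
    """Return the documented rules the template breaks (empty list means OK)."""
    problems = []
    if "%n" not in template:
        # The page requires %n so that collections never share a directory.
        problems.append("missing %n: collections would share a directory")
    for width, spec in SPEC_RE.findall(template):
        if spec == "r" and not width:
            problems.append("%r needs a block size, for example %8r")
        elif spec == "r" and not 1 <= int(width) <= 24:
            problems.append(f"%{width}r: block size must be 1 to 24 hours")
        elif spec != "r" and width:
            problems.append(f"%{width}{spec} is not a documented specifier")
    return problems


def expand_cold_path(template: str, collection: str, when: str) -> str:
    """Directory the template yields for one collection at one ISO-8601 time.

    Assumed (not stated on the page): four-digit %y and zero-padded %m/%d/%h,
    matching the documented output /sa-cold-storage/compliance/2015-11-20/.
    """
    problems = cold_path_problems(template)
    if problems:
        raise ValueError("; ".join(problems))
    ts = datetime.fromisoformat(when)

    def replace(match):
        width, spec = match.groups()
        if spec == "r":
            # %8r: hours 0-7 give 0, 8-15 give 1, 16-23 give 2.
            return str(ts.hour // int(width))
        return {
            "n": collection,
            "y": f"{ts.year:04d}",
            "m": f"{ts.month:02d}",
            "d": f"{ts.day:02d}",
            "h": f"{ts.hour:02d}",
        }[spec]

    return SPEC_RE.sub(replace, template)
```

Running the check before saving a cold storage path lets you preview the directories a collection will produce and catch a template without %n before any data is written there.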

Next Step

Configure log storage collections.
