Virtual Appliance: Step 3: Configure Datastore Space

Document created by RSA Information Design and Development on Jul 30, 2016. Last modified by RSA Information Design and Development on Jul 30, 2016.
Version 2

This topic describes how to configure datastore space for the different appliances. Refer to the section for the virtual appliance you are configuring.

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log appliances. Additional partitioning and sizing examples for both packet capture and log ingest environments are provided at the end of this topic.

                                  
Decoder
  Persistent Datastores
    • PacketDB – 100% as calculated by Sizing Calculator
  Cache Datastores
    • SessionDB – 6 GB per 100Mb/s of traffic sustained provides 4 hours cache
    • MetaDB – 60 GB per 100Mb/s of traffic sustained provides 4 hours cache
    • Index – 3 GB per 100Mb/s of traffic sustained provides 4 hours cache

Concentrator
  Persistent Datastores
    • MetaDB – Calculated as 10% of the PacketDB required for a 1:1 retention ratio
  Cache Datastores
    • SessionDB – 30 GB per 1TB of PacketDB for standard multi protocol network deployments as seen at typical internet gateways
    • Index – 5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access

Log Decoder
  Persistent Datastores
    • PacketDB – 100% as calculated by Sizing Calculator
  Cache Datastores
    • SessionDB – 1 GB per 1000 EPS of traffic sustained provides 8 hours cache
    • MetaDB – 20 GB per 1000 EPS of traffic sustained provides 8 hours cache
    • Index – 0.5 GB per 1000 EPS of traffic sustained provides 4 hours cache

Log Concentrator
  Persistent Datastores
    • MetaDB – Calculated as 100% of the PacketDB required for a 1:1 retention ratio
  Cache Datastores
    • SessionDB – 3 GB per 1000 EPS of sustained traffic per day of retention
    • Index – 5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access

Expand Drive Space for Packet and Log Decoders

The following instructions provide configuration options to expand drive space on a Virtual Packet/Log Decoder appliance.

Configure Virtual Datastores

  1. Ensure that the newly connected Virtual Datastores are presented as a generic SCSI device to the operating system.
  2. Configure the following required datastores for a Decoder within the VM:
    • PacketDB (Raw Capacity) – This is the largest virtual datastore. It will ultimately house the raw packet or log data.
    • MetaDB – This virtual datastore represents the meta database cache and is only needed for temporary storage of the meta database on the Decoder. Recommended sizing for this datastore is to allow for a 4-hour cache. Sizing for this datastore is dependent on the sustained capture rate or the sustained EPS rate. The datastore size can also be increased to accommodate a longer cache window.
    • SessionDB – This virtual datastore houses the session database of the Decoder. The sizing for this datastore is directly related to the size of the MetaDB cache.
    • IndexDB – Represents the index database cache on the Decoder. The sizing for this datastore is directly related to the size of the MetaDB cache.
  3. Ensure that the configured datastores are presented to the virtual Decoder as a SCSI device.

Configure the Linux Volumes

  1. Log on to the virtual machine as root.
    The virtual datastores show up as SCSI devices (for example, /dev/sdb, /dev/sdc, and /dev/sdd).
  2. Using fdisk, create a GPT partition for each virtual datastore you created. It is useful to name the partitions after the datastores to which they are attached.
  3. Format the volume using mkfs.xfs.
  4. To add the SCSI devices to /etc/fstab, use the following examples as a guide:
    /dev/sdb1 /var/netwitness/decoder/packetdb      xfs    noatime    1 2
    /dev/sdc1 /var/netwitness/decoder/metadb        xfs    noatime    1 2
    /dev/sdd1 /var/netwitness/decoder/sessiondb     xfs    noatime    1 2
    /dev/sde /var/netwitness/decoder/index          xfs    noatime    1 2

Expand Drive Space for a Concentrator

The following instructions provide configuration options to expand drive space on a Virtual Concentrator appliance.

Configure the Virtual Datastores

The estimates below are intended to provide guidance for configuring the partitioning for the Log Decoder databases. The capacity requirements include an additional 5% to account for overhead when the datastores are ultimately configured within Security Analytics.

To configure the virtual datastores:

  1. Configure the following required datastores for a Concentrator:
    • Metadb – This virtual datastore houses the permanent database and should be the largest datastore on the attached storage.
    • Sessiondb – This virtual datastore houses the session database for the concentrator. RSA recommends that you configure SSDs for this datastore.
    • Index – This virtual datastore houses the index for the Concentrator. RSA recommends that you configure SSDs for this datastore.
  2. Ensure that the configured datastores are presented to the virtual Concentrator as a SCSI device.

Configure the Linux Volumes

  1. Log on to the virtual machine as root.
    The virtual datastores show up as SCSI devices (for example, /dev/sdb, /dev/sdc, and /dev/sdd).
  2. Using fdisk, create a GPT partition for each virtual datastore you created. It is useful to name the partitions after the datastores to which they are attached.
  3. Format the volume using mkfs.xfs.
  4. To add the SCSI devices to /etc/fstab, use the following examples as a guide:
    /dev/sdc1 /var/netwitness/concentrator/metadb           xfs        noatime   1 2
    /dev/sdd1 /var/netwitness/concentrator/sessiondb        xfs        noatime   1 2
    /dev/sde /var/netwitness/concentrator/index             xfs        noatime   1 2
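
The /etc/fstab step in both Configure the Linux Volumes procedures (Decoder and Concentrator) fails quietly when two columns run together, so it is worth linting the file before mounting. The shell check below is an added example, not RSA tooling; the function name check_nw_fstab and the sample file are constructed for illustration, and the expected columns are the ones shown in the examples above.

```shell
#!/bin/sh
# Added example, not RSA tooling. check_nw_fstab is a hypothetical helper name.
# Expected columns (xfs, noatime, dump 1, pass 2) follow the examples in this topic.

# check_nw_fstab FILE: print one line per problem; return 1 if any were found.
check_nw_fstab() {
    awk '
        /^[ \t]*#/             { next }   # skip comment lines
        !/\/var\/netwitness\// { next }   # only look at datastore entries
        NF != 6 {                          # fused or missing columns
            printf "line %d: expected 6 fields, found %d\n", NR, NF
            bad++; next
        }
        {
            if ($3 != "xfs") {
                printf "line %d: type %s, expected xfs\n", NR, $3; bad++
            }
            if (("," $4 ",") !~ /,noatime,/) {
                printf "line %d: options %s lack noatime\n", NR, $4; bad++
            }
            if ($5 !~ /^[01]$/ || $6 !~ /^[0-2]$/) {
                printf "line %d: bad dump/pass values %s %s\n", NR, $5, $6; bad++
            }
            dup = seen[$1]++; dup += seen[$2]++
            if (dup) {
                printf "line %d: device or mount point repeated\n", NR; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: line 1 has the device and mount point fused, line 2 has
# the dump and pass columns fused, line 4 uses the wrong type and options.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sdb1/var/netwitness/decoder/packetdb xfs noatime 1 2
/dev/sdc1 /var/netwitness/decoder/metadb xfs noatime 12
/dev/sdd1 /var/netwitness/decoder/sessiondb xfs noatime 1 2
/dev/sde1 /var/netwitness/decoder/index ext4 defaults 1 2
EOF
check_nw_fstab "$sample" || echo "fix the lines above before running mount -a"
rm -f "$sample"
```

On a live appliance, run it as check_nw_fstab /etc/fstab after editing the file and before mounting the new volumes.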

Add the New Partitions to the Security Analytics Configuration

  1. Log on to Security Analytics.
  2. Select Administration > Services.
  3. In the Services view, select the service, and at the end of the row, click the Actions icon > View > Explore.
  4. Select Database > Config.
  5. Select the directory that you want to expand (for example, meta dir, session dir, and so on).
  6. Append the value by using a semicolon (;) followed by the mount point that you defined in Step 4 of Configure the Linux Volumes.

Note: Verify that the databases are configured to roll over at approximately 95% of their full capacity.
If you mounted the additional partition to /var/netwitness/decoder/packetdb, and the partition is 10TB, you can have the following entry under packet.dir:
/var/netwitness/decoder/packetdb=xxx TB;/var/netwitness/decoder/packetdb=9.5TB
The first entry before (;) denotes the original location for packet.dir.

  7. After adding the new 10TB partition to the configuration, you must run the reconfig file so that the correct size is added.
    1. Right-click Database and click Properties.
    2. In the drop-down list, select reconfig and enter update=1 in the Parameters field.
    3. Click Send. The partition sizes will be adjusted to 95% of the partition's available space.
  8. Restart the appliance service for the changes to take effect.