This topic provides instructions for Administrators on how to configure total hot, warm, and cold storage on an Archiver.
An Archiver host has hot storage preconfigured to the defaults. Administrators can configure total hot, warm, and cold storage to meet their specific business requirements. An Archiver must have total hot storage configured, but warm and cold storage configurations are optional. Security Analytics does not manage cold storage.
Ensure that you have:
- Installed the Security Analytics Archiver host in your network environment.
- Installed and configured a Log Decoder in your network environment.
- Added Archiver as a Core service to your Security Analytics deployment.
- Added Log Decoder services as a data source for Archiver.
- Installed and configured a DAC or other physical storage in your network environment.
- Determined your log retention and storage requirements.
Configure Total Hot Storage for an Archiver
- In the Security Analytics menu, select Administration > Services.
- Select the Archiver service and then select View > Config.
The Services Config view of Archiver is displayed.
- On the Data Retention tab, in the Total Hot Storage section, click to configure total hot storage.
- In the Hot Storage Mount Points dialog, add the mount points attached to the Archiver host that you want to include in Total Hot Storage.
These are the paths to high-performance storage, such as DAC storage or a SAN. Add only the mount point itself: do not add collection directories or any other subdirectories beneath a mount point.
To add a mount point, click and type the path to the mount point.
- Verify that your mount point paths are correct and click Save.
Security Analytics automatically creates metadb, packetdb, sessiondb, and index directories under the mount point for each collection defined on the Archiver.
For example, if your mount point is /var/netwitness/archiver, the following directories are created for each of your collections:
Data is written to the defined collections only after the Archiver service is restarted, so verify that your log retention collections are correct before you restart the service.
Caution: After data has been written to a mount point, that mount point cannot be removed from the user interface.
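Because a mount point cannot be removed once data has been written to it, it is worth checking candidate paths on the Archiver host before entering them in the Hot Storage Mount Points dialog. The following script is an added example for this topic, not part of Security Analytics or its documentation: it verifies that each path is absolute, exists, is a real mount point rather than a subdirectory, and is not already a collection directory (the metadb, packetdb, sessiondb, and index names come from the procedure above). The function names, the default path used when no arguments are given, and the decision to treat a non-mount-point as a rejection are this example's own assumptions.

```python
"""Pre-flight check for Archiver hot/warm storage mount point paths.

Added example; not product code. Run it on the Archiver host with the paths
you intend to add, e.g.  python3 check_mounts.py /var/netwitness/archiver
"""
import os
import shutil

# Directory names Security Analytics creates per collection under a mount
# point (from the procedure above). A path that already contains them is a
# collection directory, not a mount point, and must not be added.
COLLECTION_SUBDIRS = {"metadb", "packetdb", "sessiondb", "index"}


def check_mount_point(path: str) -> list:
    """Return a list of problems with `path`; an empty list means it is usable."""
    problems = []
    if not os.path.isabs(path):
        problems.append("path is not absolute")
        return problems
    if not os.path.isdir(path):
        problems.append("path does not exist or is not a directory")
        return problems
    # The dialog expects the mount point itself, never a directory beneath it.
    # os.path.ismount compares the device/inode of the path with its parent.
    if not os.path.ismount(path):
        problems.append("path is not a mount point (it is a subdirectory of one)")
    present = COLLECTION_SUBDIRS & set(os.listdir(path))
    if present:
        problems.append(
            "path looks like a collection directory (contains %s)"
            % ", ".join(sorted(present))
        )
    return problems


def free_bytes(path: str) -> int:
    """Free space on the filesystem holding `path`, for retention planning."""
    return shutil.disk_usage(path).free


def check_all(paths) -> dict:
    """Map each candidate path to its problem list; add only the clean ones."""
    return {p: check_mount_point(p) for p in paths}


if __name__ == "__main__":
    import sys

    # Default path is an assumption for illustration; pass your own paths.
    candidates = sys.argv[1:] or ["/var/netwitness/archiver"]
    for path, problems in check_all(candidates).items():
        status = "OK" if not problems else "REJECT"
        free = free_bytes(path) if os.path.isdir(path) else "n/a"
        print(f"{status} {path}  free_bytes={free}")
        for problem in problems:
            print("   -", problem)
```

Only paths that report OK should be entered in the dialog; a REJECT for "not a mount point" usually means a directory one level below the intended mount point was typed.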
Configure Total Warm Storage for an Archiver
(Optional) The procedure to configure Total Warm Storage for an Archiver is the same as for Total Hot Storage, except that you click in the Total Warm Storage section and add the mount points that you want to use for warm storage. These are the physical paths to warm storage, such as Network Attached Storage (NAS).
Configure Total Cold Storage for an Archiver
(Optional) The procedure to configure Total Cold Storage for an Archiver is the same as for Total Hot Storage, except that you click in the Total Cold Storage section and add only one mount point for cold storage. Security Analytics does not manage cold storage.
The cold storage mount point path must include the collection name format specifier %n somewhere in the path. Without it, data from different collections would be written to the same directory and their filenames would collide.
The following format specifiers are allowed in the path:

| Specifier | Meaning |
| --- | --- |
| %n | Collection name (required) |
| %y | Year the data moved to cold storage |
| %##r | Block of hours within the current day, where ## is the block length in hours. For example, %8r divides the day into three 8-hour blocks: the first 8 hours return 0, the second 8 hours return 1, and the last 8 hours return 2. |
Changes take effect immediately.
For example, if you have a collection named compliance and you create the following cold storage path:
Security Analytics creates a directory each day with the following format:
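To see what a cold storage path template produces before committing to it, the function below expands the specifiers listed above (%n, %y, and %##r) for a given collection and time and rejects a template that omits the required %n. This is an added example written for this topic, not code from Security Analytics; how the product itself parses the path is not shown here. The function names, the template used in the preview, and the choice to treat any other % specifier as an error are this example's own assumptions.

```python
"""Preview expansion of an Archiver cold storage path template.

Added example; not product code. Implements only the specifiers documented
above: %n (collection name, required), %y (year), %##r (hour block of the day).
"""
import re
from datetime import datetime

# Matches %n, %y, or %<digits>r. group(1) is the specifier, group(2) the
# block length for %##r.
_SPEC = re.compile(r"%(n|y|(\d+)r)")


def expand_cold_path(template: str, collection: str, when: datetime) -> str:
    """Expand `template` for `collection` at time `when` and return the path."""
    if "%n" not in template:
        raise ValueError("cold storage path must contain %n (collection name)")
    # Any '%' left after removing the known specifiers is something this
    # example does not understand (assumption: reject rather than pass through).
    if "%" in _SPEC.sub("", template):
        raise ValueError("unrecognised format specifier in %r" % template)

    def repl(m):
        spec, hours = m.group(1), m.group(2)
        if spec == "n":
            return collection
        if spec == "y":
            return "%04d" % when.year
        block_hours = int(hours)
        if not 1 <= block_hours <= 24:
            raise ValueError("%%%sr: block length must be 1..24 hours" % hours)
        # Blocks are numbered from 0: with %8r, 00:00-07:59 -> 0,
        # 08:00-15:59 -> 1, 16:00-23:59 -> 2.
        return str(when.hour // block_hours)

    return _SPEC.sub(repl, template)


def preview(template: str, collections, when: datetime) -> dict:
    """Map each collection to the directory it would get at `when`."""
    return {c: expand_cold_path(template, c, when) for c in collections}


if __name__ == "__main__":
    # Template and collection names below are constructed for illustration.
    tmpl = "/mnt/cold/%n/%y/%8r"
    for name, path in preview(tmpl, ["compliance", "ops"], datetime.now()).items():
        print(name, "->", path)
```

With the template above, the compliance collection is written under one of three directories per day, depending on the hour block, and a second collection never shares a directory with it because %n is part of the path.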
Configure log storage collections.