Azure Install: Partition Recommendations

This topic contains the recommended Azure partition.

Admin Server or Broker

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome. If there are multiple disk, create a RAID 0 array.

Run lsblk to get the physical volume name.

If you attach one 2 TB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is /dev/sdc)

2. vgextend netwitness_vg00 /dev/sdc

3. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

If you attach two 1 TB disk, run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf

2. pvcreate /dev/md0

3. vgextend netwitness_vg00 /dev/md0

4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

5. xfs_growfs /dev/netwitness_vg00/nwhome

6. mdadm --detail --scan > /etc/mdadm.conf

RSA recommends the following partition. However, you can change these values based on the retention days.

ESA Primary or ESA Secondary

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome. If there are multiple disk, create a RAID 0 array.

Run lsblk to get the physical volume name.

If you attach one 6 TB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is dev/sdc)
2. vgextend netwitness_vg00 /dev/sdc
3. lvextend –L 5.9T /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

If you attach two 3 TB disk, run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf
2. pvcreate /dev/md0
3. vgextend netwitness_vg00 /dev/md0

4. lvextend –L 5.9T /dev/netwitness_vg00/nwhome

5. xfs_growfs /dev/netwitness_vg00/nwhome
6. mdadm --detail --scan > /etc/mdadm.conf

RSA recommends the following partition. However, you can change these values based on the retention days.

Log Collector

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome.

Run lsblk to get the physical volume name.

If you attach one 500 GB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is dev/sdc)
2. vgextend netwitness_vg00 /dev/sdc
3. lvextend –L 600G /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

RSA recommends the following partition. However, you can change these values based on the retention days.

Log Decoder

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome, and make sure that no other partition resides on this Log Decoder. Attach additional disks for the Log Decoder database partition with the name suffix external. If there are multiple disks, create a RAID 0 array.

Run lsblk to get the physical volume name.

If you attach one 2 TB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is dev/sdc)
2. vgextend netwitness_vg00 /dev/sdc
3. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

If you attach two 1 TB disk, run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf
2. pvcreate /dev/md0
3. vgextend netwitness_vg00 /dev/md0
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/netwitness_vg00/nwhome
6. mdadm --detail --scan > /etc/mdadm.conf

Other Partition Required

The following partitions must on the volume group logdecodersmall and must be in a single RAID 0 array.

Note: The following disks should have a suffix external.

Run lsblk to get the physical volume name and run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf (depending on the number of disk attached)
2. pvcreate /dev/md0
3. vgcreate –s 32 logdecodersmall /dev/md0
4. lvcreate –L <disk_size> -n <lvm_name> logdecodersmall
5. mkfs.xfs /dev/logdecodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVMs mentioned.
7. mdadm --detail --scan > /etc/mdadm.conf

The following partitions must be on the volume group logdecoder and must be in a single RAID 0 array:

Run lsblk to get the physical volume name and run the following commands:

1. mdadm --create /dev/md1 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf (depending on the number of disk attached)
2. pvcreate /dev/md1
3. vgcreate –s 32 logdecoder /dev/md1
4. lvcreate –L <disk_size> -n packetdb logdecoder
5. mkfs.xfs /dev/logdecoder/packetdb
6. mdadm --detail --scan > /etc/mdadm.conf

RSA recommends the following partition. However, you can change these values based on the retention days.

Note: Create the /var/netwitness/logdecoder partition, mount it, and then create the remaining partition.

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness, which is already created.

After mounting the directory, add the following entries in /etc/fstab in the same order:

1. /dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2
2. /dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2
3. /dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2
4. /dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2
5. /dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2

Concentrator

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome, and make sure that no other partition resides on this Concentrator. Attach additional disks for the Concentrator database partition with the name suffix external. If there are multiple disk, create a RAID 0 array.

Run lsblk to get the physical volume name.

If you attach one 2 TB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is dev/sdc)
2. vgextend netwitness_vg00 /dev/sdc
3. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

If you attach two 1 TB disk, run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf
2. pvcreate /dev/md0
3. vgextend netwitness_vg00 /dev/md0
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

5. xfs_growfs /dev/netwitness_vg00/nwhome

6. mdadm --detail --scan > /etc/mdadm.conf

Other Partition Required

The following partitions must be on the volume group concentrator and must be in a single RAID 0 array.

Note: The following disks should have a suffix external.

Run lsblk to get the physical volume name and run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf (depending on the number of disk attached)
2. pvcreate /dev/md0
3. vgcreate –s 32 concentrator /dev/md0
4. lvcreate –L <disk_size> -n <lvm_name> concentrator
5. mkfs.xfs /dev/concentrator /<lvm_name>
6. Repeat steps 4 and 5 for all the LVMs mentioned
7. mdadm --detail --scan > /etc/mdadm.conf

The following partitions must be on the volume group index and must be in single RAID 0 array:

Run lsblk to get the physical volume name and run the following commands:

1. mdadm --create /dev/md1 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf (depending on the number of disk attached)
2. pvcreate /dev/md1
3. vgcreate –s 32 index /dev/md1
4. lvcreate –L <disk_size> -n index index
5. mkfs.xfs /dev/index/index
6. mdadm --detail --scan > /etc/mdadm.conf

RSA recommends the following partition. However, you can change these values based on the retention days.

Note: Create the /var/netwitness/concentrator partition, mount it, and then create the remaining partition.

Create each directory and mount the LVM on it, except /var/netwitness, which is already created.

After mounting the directory, add the following entries in /etc/fstab in the same order:

1. /dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
2. /dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
3. /dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2 2
4. /dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2

Archiver

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome, and make sure that no other partition resides on this Archiver. Attach other addititional disks for the Archiver database partition with the name suffix external. If there are multiple disk, create a RAID 0 array.

Run lsblk to get the physical volume name.

If you attach one 2 TB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is dev/sdc)
2. vgextend netwitness_vg00 /dev/sdc
3. lvextend –L 1.9T /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

If you attach two 1 TB disk, run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf
2. pvcreate /dev/md0
3. vgextend netwitness_vg00 /dev/md0
4. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
5. xfs_growfs /dev/netwitness_vg00/nwhome

6. mdadm --detail --scan > /etc/mdadm.conf

Other Partition Required

The following partitions must be available in the volume group archiver and must be in a single RAID 0 array.

Note: The following disks should have a suffix external.

Run lsblk to get the physical volume name and run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf (depending on the number of disk attached)
2. pvcreate /dev/md0
3. vgcreate –s 32 archiver /dev/md0
4. lvcreate –L <disk_size> -n archiver archiver
5. mkfs.xfs /dev/archiver/archiver
6. mdadm --detail --scan > /etc/mdadm.conf

RSA recommends the following partition. However, you can change these values based on the retention days.

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness, which is already created.

After mounting the directory, add the following entries in /etc/fstab in the same order:

1. /dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2

Endpoint Hybrid or Endpoint Log Hybrid

For an extension of /var/netwitness/ partition, attach an addititional disk with name suffix nwhome, and make sure that no other partition resides on this Endpoint Hybrid or Endpoint Log Hybrid. Attach other addititional disks for the endpoint database partition with the name suffix external. If there are multiple disk, create a RAID 0 array.

Run lsblk to get the physical volume name.

If you attach one 1 TB disk, run the following commands:

1. pvcreate <pv_name> (for example, pv_name is dev/sdc)
2. vgextend netwitness_vg00 /dev/sdc

3. lvextend –L 1T /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

Other Partition Required

The following partition must be on the volume group endpoint and must be in a single RAID 0 array.

Note: The following disks should have a suffix nwhome.

Run lsblk to get the physical volume name and run the following commands:

1. mdadm --create /dev/md0 --assume-clean --level 0 --raid-devices=2 /dev/sde /dev/sdf (depending on the number of disk attached)
2. pvcreate /dev/md0
3. vgcreate –s 32 endpoint /dev/md0
4. lvcreate –L <disk_size> -n <lvm_name> endpoint
5. mkfs.xfs /dev/ endpoint /<lvm_name>

6. Repeat steps 4 and 5 for all the LVMs mentioned.

7. mdadm --detail --scan > /etc/mdadm.conf

RSA recommends the following partition. However, you can change these values based on the retention days.

Enabling Swap Partition in Azure Deployments

After completing the Azure deployment, you must enable the swap in your deployment.

To do this, perform the following steps:

1. Modify the default parameters at /etc/waagent.conf to

ResourceDisk.Format=y

ResourceDisk.Filesystem=ext4

ResourceDisk.MountPoint=/mnt/resource

ResourceDisk.EnableSwap=y

ResourceDisk.SwapSizeMB=2048

The following screenshot displays the default parameters.

The following screenshot displays the modified parameters.

Note: You can set the ResourceDisk.SwapSizeMB parameter based on your requirement.

1.  Restart the waagent.service using the command: systemctl restart waagent.service

Note: To check the status of the swap use the command swapon --show.