Prepare Physical Storage

IMPORTANT: RSA recommends that you create a block device for RSA NetWitness Storage.

This section provides two options to configure a block device:

Note: A block device is also referred to as a Virtual Drive or Drive Group.

Configure Block devices for Drive pack

You can add additional drives to the Series 6 or 6E appliances to accommodate various use cases. These drives provide the capability for the decoder meta or concentrator index volumes to reside on the appliance. A minimum of 2 drives and a maximum of 6 drives are possible. The number of drives will depend on how much meta cache or index is needed.


Benefits of Series 6/6E Drive Pack

  • Maximize PowerVault Storage Capacity - Traditionally, PowerVault storage allocates a volume for the Decoder metadata. This reduces the usable storage on the PowerVault. Drive Packs reduce this issue by providing 20TB of extra usable PV storage.

  • Reduces Cost for Meta Only Use Case - For metadata-only deployments, a drive pack suits a customer who wants to purchase hardware from RSA. This provides a more cost-effective solution, because a drive pack can substitute for a PowerVault.

  • Enable existing deployments to utilize compression options.

  • Provides capability for expanding meta keys and associated indexing.

Decoder Meta Use Cases

  • Meta-Only

  • Maximize PowerVault Storage

Two or more 2.4TB 10K SAS SED drives can be added to a Decoder for the decodersmall or logdecodersmall volumes. These volumes are used to store the meta cache on the Decoders.

Both the Log Decoders and Network Decoders parse out meta data from the raw captured traffic. The meta data is then aggregated to a Concentrator for indexing.

The host requires storage to store a cache for the meta extracted during the data capture for Concentrator aggregation. The meta cache on a Decoder is generally fixed in size, but you can expand it to support additional cache to avoid possible connectivity loss between the Decoder and the corresponding Concentrator.

Typically, the decodersmall or logdecodersmall volumes are stored on the first three drives of the first and second (10G config only) PowerVault enclosures. By utilizing the drive pack option, these three drives can instead be used for the packetdb (maximizing PowerVault storage).


For meta-only scenarios, the decodersmall volume would be stored on the drive pack, eliminating the need for a PowerVault.

Concentrator Index Use Cases

  • Support Additional Meta-Key Indexing

  • Capability to Enable Compression for Existing Deployments

Two or more 3.84 TB SSD SED drives can be added to a Concentrator to increase the index volume. The index storage needs are scaled based on the NetWitness Platform deployment retention requirements. If additional meta keys are enabled and indexed, it may impact index retention.

For existing deployments, an SSD index drive pack is required if you need to enable compression. When compressing the packetdb and metadb, additional index is needed to support compression of those databases.

Configure Block Device for Decoder / Log Decoder

It is recommended to configure the Drive Pack block device as RAID 5, RAID 6 or RAID 1.
The Drive Pack SED drives are added in slots 4 through 9. The virtual drive configuration requires identifying the controller ID and Enclosure ID (EID). For example, in the Series 6 R640 appliance, the controller ID and Enclosure ID are 0 and 64.
To identify the values, perform the following:

  1. Identify the controller ID (Ctl) for PERC H740P Mini. In the below figure the controller ID is 0. The drive count is displayed under PDs.
    /opt/MegaRAID/perccli/perccli64 show
    netwitness_statcode1.png

  2. Identify the Enclosure ID (EID) for controller ‘0’. In this case the EID is ‘64’.
    /opt/MegaRAID/perccli/perccli64 /c0 /eall show
    netwitness_stasuc2.png

  3. Identify the slot numbers of the SED capable disks (slots 4 through 9) on the PERC H740P Mini controller. These drives do not belong to any Drive Group (DG). For these drives, the DG column displays ‘-’, the State is ‘UGood’ and the SED value is ‘Y’.
    netwitness_sallshow3.png

  4. Identify the existing block devices on the host. The block device name is identified under the NAME column. The block device names shown below are sda and sdb. Use ‘lsblk’ to list the block devices.
    lsblk
    netwitness_moupoin4.png

  5. Create the Virtual Drive or Drive Group (DG) on the PERC H740P using the disks in slots 4 through 9 with the command below.

Note: There are two existing virtual drives (0 and 1) on the controller, displayed under the DG column. These drives host the NetWitness Software and are created during imaging of the appliance. DO NOT delete or overwrite these virtual drives. Refer to the RSA EMC PowerEdge RAID Controller CLI Reference Guide at RSA.com for details on perccli64 usage.

/opt/MegaRAID/perccli/perccli64 /c0 add vd type=raid6 drives=64:4-9 strip=128
netwitness_vdgroup5.png

  6. The new virtual drive shows up as ‘2/2’ under the DG/VG column.
    /opt/MegaRAID/perccli/perccli64 /c0 /vall show
    netwitness_vallshowsta6.png

  7. Identify the new block device on the host. The block device name is identified under the NAME column. The new block device is 'sdc'. This block device name is required when configuring storage. Use ‘lsblk’ to list the block devices.
    lsblk
    netwitness_typmoupoin7.png

  8. Now, you must Configure Storage for Decoder / LogDecoder in the Configure Storage section to complete the configuration.
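
The slot check and the before/after lsblk comparison from this procedure can be scripted so that the add vd command is never pointed at drives already in a Drive Group; the lsblk comparison applies equally to the PowerVault procedure. This is an added example, not RSA code: the drive listing is constructed, and the column order it assumes (as printed by a physical-drive listing such as perccli64 /c0 /eall /sall show) must be checked against your controller's output.

```shell
#!/bin/sh
# Added example: checks to run before and after 'perccli64 /c0 add vd ...'.
# SAMPLE_PD_LIST is constructed; the column order (EID:Slt DID State DG Size
# Intf Med SED ...) is an assumption about the physical-drive listing.
SAMPLE_PD_LIST='64:0 0 Onln  0 893.750 GB SATA SSD N N 512B MODEL-A U -
64:1 1 Onln  0 893.750 GB SATA SSD N N 512B MODEL-A U -
64:2 2 Onln  1 1.818 TB SAS HDD N N 512B MODEL-B U -
64:3 3 Onln  1 1.818 TB SAS HDD N N 512B MODEL-B U -
64:4 4 UGood - 2.182 TB SAS HDD Y N 512B MODEL-C U -
64:5 5 UGood - 2.182 TB SAS HDD Y N 512B MODEL-C U -
64:6 6 UGood - 2.182 TB SAS HDD Y N 512B MODEL-C U -
64:7 7 UGood - 2.182 TB SAS HDD Y N 512B MODEL-C U -
64:8 8 UGood - 2.182 TB SAS HDD Y N 512B MODEL-C U -
64:9 9 UGood - 2.182 TB SAS HDD N N 512B MODEL-D U -'

# ineligible_slots EID FIRST LAST  (drive listing on stdin)
# Prints each slot in FIRST..LAST that is absent or is not State=UGood,
# DG=-, SED=Y. No output means every slot in the range is free and SED capable.
ineligible_slots() {
    awk -v eid="$1" -v first="$2" -v last="$3" '
        $1 ~ /^[0-9]+:[0-9]+$/ {
            split($1, id, ":")
            if (id[1] == eid)
                ok[id[2] + 0] = ($3 == "UGood" && $4 == "-" && $9 == "Y")
        }
        END {
            for (s = first + 0; s <= last + 0; s++)
                if (!ok[s]) { out = out sep s; sep = " " }
            if (out != "") print out
        }'
}

# new_block_devices BEFORE AFTER
# Prints names in the AFTER list (e.g. from 'lsblk -dno NAME') not in BEFORE.
new_block_devices() {
    before=" $(echo $1) "    # collapse newlines to single spaces
    for dev in $2; do
        case "$before" in
            *" $dev "*) ;;
            *) echo "$dev" ;;
        esac
    done
}

# Offline demonstration on the constructed listing (slot 9 is not SED capable).
bad=$(printf '%s\n' "$SAMPLE_PD_LIST" | ineligible_slots 64 4 9)
if [ -n "$bad" ]; then echo "do not create the VD; check slot(s): $bad"; fi
echo "new device: $(new_block_devices 'sda sdb' 'sda sdb sdc')"
```

On a live host, pipe the controller's drive listing into ineligible_slots and capture lsblk -dno NAME before and after creating the virtual drive; more than one new name means something else changed on the host at the same time.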

Configure Block Device for Concentrator

Supporting additional meta-key indexing and enabling compression for existing deployments requires configuring a block device on SSD SED drives in the Drive Pack. The Drive Pack block device for the index volume can be created using steps similar to Configure Block Device for Decoder / Log Decoder. Use the perccli64 utility to configure the block devices. After configuring the block devices, follow Configure Storage for Concentrator to complete the storage configuration.

Configure Block Devices for PowerVaults

The Physical, Virtual, or Cloud NetWitness hosts for Decoders, Log Decoders, Concentrators, and Archivers need block storage attached. Make sure that the allocated storage meets all of the storage requirements. Specifically, make sure that the required storage volumes are created (for more information, see Required NetWitness Platform Storage Volumes in Storage Requirements), and:

  • At least two block devices are created for Decoders (Meta, Session and Packet volumes).

Note: The larger block devices hold the packet volume, and the smaller block devices hold the meta and session.

  • At least two block devices are created for Concentrators (Index and Meta volumes).

  • Ensure that the block device meets the minimum IOPS for expected ingestion rates.

Configure Block Device for Decoder / Log Decoder

While creating the block device RAID configuration, the best practice is to configure a RAID 6 for the larger NL-SAS drives and RAID 5 or 1 for any 10k SAS or SSD type drives.

  1. Identify the controller ID (Ctl) for ‘PERC H840P Adaptor’.
    /opt/MegaRAID/perccli/perccli64 show
    In the below figure, the controller ID ‘1’ corresponds to ‘PERCH840PAdaptor’.
    netwitness_pershow1.png
  2. Identify the Enclosure ID (EID) for controller ‘1’. In this case the EID is ‘247’.
    /opt/MegaRAID/perccli/perccli64 /c1 /eall show
    netwitness_eallshow2.png
  3. Identify the existing block devices on the host. The block device name is identified under the NAME column. The block device names shown below are sda, sdb and sdc. Use ‘lsblk’ to list the block devices.
    netwitness_dec_ld3.png
  4. Create the Virtual Drive or Drive Group (DG) on the PERC H840P Adaptor using the disks in slots 0 through 9 (for example, all the drives) with the command below.

    Warning: Every decoder needs a logdecodersmall or decodersmall volume for meta. This example assumes the meta volume already exists on another PowerVault or Drive Pack. If this enclosure will also hold the meta volume, allocate the first two or three drives to the meta volume block device and create another block device with the remaining drives for the packetdb volume.

    /opt/MegaRAID/perccli/perccli64 /c1 add vd type=raid6 drives=247:0-11 strip=128 force
    netwitness_forcont4.png

  5. To view the Virtual Drive created in the above step:
    /opt/MegaRAID/perccli/perccli64 /c1 /vall show
    netwitness_vallshow5.png

  6. Identify the new block device on the host. The block device name is identified under the NAME column. The new block device corresponding to the above virtual drive is sdd. This block device name is required when configuring storage. Use ‘lsblk’ to list the block devices.
    lsblk
    netwitness_ssd_lsblk.png

  7. To complete the configuration, follow Configure Storage for Decoder / LogDecoder and Configure Storage for Concentrator.

Configure Block Device for Concentrator

Block devices must be configured on PowerVaults before configuring the PowerVaults as storage for a Concentrator. The block devices can be configured with the perccli64 utility, using steps similar to Configure Block Device for Decoder / Log Decoder. Use the SSD drives for the index and the remaining drives for the Meta or Session DB.

Configure Storage

Configure Storage for Decoder / LogDecoder

Use the REST API tool to configure the above block devices or virtual drives as storage for a Decoder / Log Decoder or Concentrator. For more information, see Storage Configuration Tasks (Task 3 and Task 4) for Decoder or Log Decoder and Task 1 to Task 5 for Concentrator in the Configure Storage Using the REST API topic.

| Service | Controller | Volume | Block Device |
|---|---|---|---|
| Decoder / Log Decoder | PERC H740 Mini Adaptor | decodersmall | Refer to step 7 in Configure Block Device for Decoder / Log Decoder (Decoder / Log Decoder). In this example, the block device is ‘sdc’. |
| Decoder / Log Decoder | PERC H840 Adaptor | decoder | Refer to step 6 in Configure Block Device for Decoder / Log Decoder. In this example, the block device is ‘sdd’. |

Configure Storage for Concentrator

Use the REST API tool to configure the block devices created on the Drive Pack and/or PowerVaults. The block device created on SSD is allocated to the Index database and the one created on HDD to the Meta/Session database. See Storage Configuration Tasks (Task 3 and Task 4) for Concentrator in the Configure Storage Using the REST API topic.

Enable Security on SED Capable Drives

To enable security on the SED capable Drive Group on PERC H740 Mini and PERC H840 Adaptors, see Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py).