Storage Requirements

This section contains all the storage requirements needed to successfully attach storage to your NetWitness Platform deployment host systems. It contains the required drive types, appropriate volumes, and performance IOPS that are needed.

Drive Specifications

General specifications for core NetWitness Platform Hosts are:

  • IO size 490/Dec
  • Response/Latency < 20ms
  • Decoder 10/90 read/write (low random I/O)
  • Concentrator 50/50 read/write (high random I/O)
RAID Group Suitable Volumes
NL-SAS or 10K SAS

All Packet Decoder volumes

All Log Decoder volumes

All Archiver volumes

Concentrator meta volume

SSD Concentrator index volume

Required NetWitness Platform Storage Volumes

Service Volume Names

Service

Volume Name File Systems Created
Network Decoder decoder packetdb
Network Decoder decodersmall decoder root, index, sessiondb, metadb
Log Decoder logdecoder packetdb
Log Decoder logdecodersmall logdecoder root, index, sessiondb, metadb
Concentrator concentrator

concentrator root, metadb, sessiondb

Concentrator index index

Archiver

archiver

database

Volume Sizing

The volume sizes below are automatically created when using the NetWitness Platform storage tool, described in Configure Storage Using the REST API.

Volume

Filesystem Mount Point Size
decodersmall decoroot /var/netwitness/decoder 10 GB
decodersmall index /var/netwitness/decoder/index 30 GB
decodersmall sessiondb /var/netwitness/decoder/sessiondb 600 GB
decodersmall metadb /var/netwitness/decoder/metadb 100% of free space on
decodersmall volume
decoder packetdb /var/netwitness/decoder/packetdb 100% of free space on
decoder volume
logdecodersmall decoroot /var/netwitness/logdecoder 10 GB
logdecodersmall index /var/netwitness/logdecoder/index 30 GB
logdecodersmall sessiondb /var/netwitness/logdecoder/sessiond 600 GB
logdecodersmall metadb /var/netwitness/logdecoder/metadb 100% of free space on logdecodersmall volume
logdecoder packetdb /var/netwitness/logdecoder/packetdb 100% of free space on
logdecoder volume
concentrator root /var/netwitness/concentrator 30 GB
concentrator sessiondb /var/netwitness/concentrator/sessiondb 10% of free space on concentrator volume
concentrator metadb /var/netwitness/concentrator/metadb 100% of free space on concentrator volume
index index /var/netwitness/concentrator/index 100% of free space on
index volume
archiver database /var/netwitness/archiver/database 100% of free space on archiver volume

Performance Recommendations

RSA recommends that Packet and Log Decoders receive two LUNs or Block Devices, one for Packet data, the other for all other databases. This allows you to segregate the high-bandwidth Packet Database from the other databases so they do not compete for I/O bandwidth with other activity.

Concentrators require a separate SSD-based index volume for best performance. You must house this index volume on a different RAID group than the Concentrator Meta database volume, which you can stored on NL-SAS. Archivers can use a single large NL-SAS storage volume per appliance.

Input/Output Operations Per Second

The following table lists the IOPS requirements for the Decoder and Concentrator hosts.

Logs Log Decoder Concentrator
10K EPS 400 8,000
20K EPS 550 10,300

25K EPS

1,200

10,800

Packets Network Decoder Concentrator
1Gbps 600 6,050
2 Gbps 950 8,300

4 Gbps

1,650

12,800

6 Gbps 2,400 17,300

8 Gbps

3,200

21,800

General Description of How NetWitness Platform Hosts Store Data

For information about how NetWitness Platform hosts store data, see Appendix A. How NetWitness Platform Hosts Store Data.