Prepare Virtual or Cloud Storage

This section describes how to set up virtual or cloud storage for the following types of component hosts:

Decoder, Log Decoder, Concentrator, Archiver

Virtual or cloud NetWitness hosts for Decoders, Log Decoders, Concentrators, and Archivers need block storage attached. Make sure that the allocated storage meets all of the storage requirements. Specifically, make sure that the required storage volumes are created (see "Required NetWitness Platform Storage Volumes" in Storage Requirements), and that:

  • At least two block devices are created for Decoders (meta/session and packet volumes)
  • At least two block devices are created for Concentrators (index and meta volumes)
  • The block devices can deliver the minimum IOPS for the expected ingestion rates

Attach the allocated storage to the NetWitness host by following the hosting platform's native procedure:

  • VMware – vSphere Console (add disk to VM)
  • Hyper-V – Manager Console (add disk to VM)
  • Azure – Add Managed Disks to virtual instance
  • AWS – Add EBS Storage to virtual instance
  • Google Cloud Platform (GCP) – Add storage to virtual instance

After the storage is attached to the virtual host, proceed to "Task 3 - Allocate Block Devices to Partitions, Volume Groups, and Logical Volumes" in Configure Storage Using the REST API.

NW Server, ESA Primary, ESA Secondary and Malware Analysis

To extend the /var/netwitness/ partition, attach an external volume.

Run lsblk to get the physical volume name, then run the following commands:

1. pvcreate <pv_name> (for example, pv_name is /dev/sdc)

2. vgextend netwitness_vg00 /dev/sdc

3. lvresize --resizefs --extents +100%FREE /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

NetWitness recommends the following partition definitions. However, you can change these values based on the retention days.

Log Collector

To extend the /var/netwitness/ partition, attach an external volume.

Run lsblk to get the physical volume name, then run the following commands:

1. pvcreate <pv_name> (for example, pv_name is /dev/sdc)

2. vgextend netwitness_vg00 /dev/sdc

3. lvresize --resizefs --extents +100%FREE /dev/netwitness_vg00/nwhome

4. xfs_growfs /dev/netwitness_vg00/nwhome

NetWitness recommends the following partition definitions. However, you can change these values based on the retention days.

Log Decoder

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Extending File Systems

Follow the instructions below to extend the file systems.

To extend the /var/netwitness/ partition, attach an external disk and give it the suffix nwhome; attach further external disks for the Log Decoder database partitions. To extend the /var/netwitness partition, follow these steps:

No other partition should reside on this volume; it is used only for /var/netwitness/.

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name. This example assumes you attached one 2TB disk.

3. pvcreate <pv_name> (this example assumes the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome

or

lvextend -l +100%FREE /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Other partitions are also required. Create the following partitions on the logdecodersmall volume group.

Follow these steps to create the partitions listed in the table above:

1. Execute lsblk and get the physical volume names from the output.

2. pvcreate /dev/sdd

3. vgcreate -s 32 logdecodersmall /dev/sdd (the -s 32 option sets a 32 MB physical extent size)

4. lvcreate -L <size> -n <lv_name> logdecodersmall

5. mkfs.xfs /dev/logdecodersmall/<lv_name>

6. Repeat steps 4 and 5 for all the LVMs listed.

The following partition should be on volume group logdecoder.

Follow these steps:

1. Execute lsblk and get the physical volume names from the output.

2. pvcreate /dev/sde

3. vgcreate -s 32 logdecoder /dev/sde

4. lvcreate -L <size> -n packetdb logdecoder

5. mkfs.xfs /dev/logdecoder/packetdb

NetWitness recommends the following partition sizes for the Log Decoder (they can be changed based on the retention days).

Create each directory and mount its LVM on it, one after another, except /var/netwitness, which already exists.

Create the folder /var/netwitness/logdecoder and mount /dev/logdecodersmall/decoroot on it; then create the other folders and mount them.

After that, add the following entries to /etc/fstab in the same order and mount them using mount -a:

/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2
/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2
/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2
/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2
/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2
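The nwhome extension steps (NW Server, Log Collector and the Extending File Systems sections) and the volume-group, mount and /etc/fstab steps for the Log Decoder all follow one LVM pattern, and the same pattern repeats for the Concentrator (concentrator and index volume groups, root mounted first). The POSIX shell script below is an added example, not NetWitness's own tooling: it turns that pattern into functions, prints the full command plan by default (DRY_RUN=1) so it can be reviewed before any disk is touched, refuses a disk that already carries a filesystem or LVM signature before running pvcreate, and checks that the layout lists a parent mount point before the mounts nested under it (the "same order" requirement that mount -a depends on). The layout string, the SIZE placeholders (the real values come from the sizing table), the device names /dev/sdc, /dev/sdd and /dev/sde, and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not NetWitness tooling): plans the LVM and fstab steps from
# this page. DRY_RUN=1 (default) only prints commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Constructed layout in the page's mount order: "vg lv size mountpoint".
# SIZE is a placeholder: take the real values from the sizing table.
# The parent mount point (decoroot) must come before the mounts nested under it.
LOGDECODER_LAYOUT='
logdecodersmall decoroot SIZE /var/netwitness/logdecoder
logdecodersmall index SIZE /var/netwitness/logdecoder/index
logdecodersmall metadb SIZE /var/netwitness/logdecoder/metadb
logdecodersmall sessiondb SIZE /var/netwitness/logdecoder/sessiondb
logdecoder packetdb SIZE /var/netwitness/logdecoder/packetdb
'

# run: print a command; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# require_unused_disk: refuse a device that already carries a filesystem,
# partition-table or LVM signature; pvcreate on the wrong disk destroys it.
require_unused_disk() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if blkid -p "$1" >/dev/null 2>&1; then
        echo "refusing $1: it already carries a signature (see: blkid -p $1)" >&2
        return 1
    fi
}

# extend_nwhome: the nwhome extension procedure; --resizefs grows the XFS
# filesystem together with the logical volume.
extend_nwhome() { # new_pv
    [ "$DRY_RUN" != "0" ] || require_unused_disk "$1"
    run pvcreate "$1"
    run vgextend netwitness_vg00 "$1"
    run lvresize --resizefs --extents +100%FREE /dev/netwitness_vg00/nwhome
}

# create_vg: new volume group on a fresh PV with 32 MB physical extents.
create_vg() { # vg pv
    [ "$DRY_RUN" != "0" ] || require_unused_disk "$2"
    run pvcreate "$2"
    run vgcreate -s 32 "$1" "$2"
}

# create_lv: one logical volume on a VG, formatted as XFS.
create_lv() { # vg lv size
    if [ "$DRY_RUN" = "0" ] && [ "$3" = "SIZE" ]; then
        echo "fill in the size for $1/$2 before running for real" >&2
        return 1
    fi
    run lvcreate -L "$3" -n "$2" "$1"
    run mkfs.xfs "/dev/$1/$2"
}

# fstab_line: one /etc/fstab entry in the form used on this page.
fstab_line() { # vg lv mountpoint
    printf '/dev/%s/%s %s xfs noatime,nosuid 1 2\n' "$1" "$2" "$3"
}

# fstab_entries: fstab lines for a layout read from stdin, in layout order.
fstab_entries() {
    while read -r vg lv _size mp; do
        [ -n "$mp" ] || continue
        fstab_line "$vg" "$lv" "$mp"
    done
}

# check_mount_order: fail if a mount point is listed before the mount point
# it nests under; such a layout breaks "mount in the same order" and mount -a.
check_mount_order() {
    seen="/var/netwitness"
    while read -r _vg _lv _size mp; do
        [ -n "$mp" ] || continue
        parent="${mp%/*}"
        case " $seen " in
            *" $parent "*) seen="$seen $mp" ;;
            *) echo "order error: $mp is listed before $parent" >&2; return 1 ;;
        esac
    done
    return 0
}

# plan_logdecoder: the whole Log Decoder procedure: nwhome_pv small_pv big_pv
plan_logdecoder() {
    extend_nwhome "$1"
    create_vg logdecodersmall "$2"
    create_vg logdecoder "$3"
    printf '%s\n' "$LOGDECODER_LAYOUT" | check_mount_order
    printf '%s\n' "$LOGDECODER_LAYOUT" | while read -r vg lv size mp; do
        [ -n "$mp" ] || continue
        create_lv "$vg" "$lv" "$size"
        run mkdir -p "$mp"
        run mount "/dev/$vg/$lv" "$mp"
    done
    echo '# append to /etc/fstab in this order, then run: mount -a'
    printf '%s\n' "$LOGDECODER_LAYOUT" | fstab_entries
}

# Usage: sh plan_storage.sh plan /dev/sdc /dev/sdd /dev/sde
[ "${1:-}" != "plan" ] || plan_logdecoder "$2" "$3" "$4"
```

For a Concentrator host, replace LOGDECODER_LAYOUT with the concentrator layout (root on volume group concentrator first, then the remaining concentrator volumes and index on volume group index) and call create_vg for concentrator and index; the order check and fstab generation are unchanged. Review the printed plan, fill in the sizes, and only then rerun with DRY_RUN=0.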

Concentrator

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Extending File Systems

To extend the /var/netwitness/ partition, attach an external disk and give it the suffix nwhome; attach further external disks for the Concentrator database partitions.

To extend the /var/netwitness partition, follow these steps:

No other partition should reside on this volume; it is used only for /var/netwitness/.

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name. This example assumes you attached one 2TB disk.

3. pvcreate /dev/sdc (this example assumes the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome

or

lvextend -l +100%FREE /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following partitions are also required on volume group concentrator.

Follow these steps:

1. Execute lsblk and get the physical volume names from the output.

2. pvcreate /dev/sdd

3. vgcreate -s 32 concentrator /dev/sdd (the -s 32 option sets a 32 MB physical extent size)

4. lvcreate -L <size> -n <lv_name> concentrator

5. mkfs.xfs /dev/concentrator/<lv_name>

6. Repeat steps 4 and 5 for all the LVMs listed.

The following partition should be on volume group index.

Follow these steps:

1. Execute lsblk and get the physical volume names from the output.

2. pvcreate /dev/sde

3. vgcreate -s 32 index /dev/sde

4. lvcreate -L <size> -n index index

5. mkfs.xfs /dev/index/index

NetWitness recommends the following partition sizes for the Concentrator (they can be changed based on the retention days).

Create each directory and mount its LVM on it, one after another, except /var/netwitness, which already exists.

Create the folder /var/netwitness/concentrator and mount /dev/concentrator/root on it; then create the other folders and mount them.

After that, add the following entries to /etc/fstab in the same order:

/dev/concentrator/root /var/netwitness/concentrator xf