How to reduce the size taken up by an RSA Security Analytics test machine
Issue
How to reduce the size taken up by an RSA Security Analytics test machine.
Resolution
1) Power off the machine that you wish to change the disk size on.
2) Add a new disk to the virtual machine via the VMWare Console of your desired size. We will be replacing a disk of 104GB with one of 32GB.
- Power On the machine
3) Review disk usage.
[root@rsadecoder ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 7.9G 520M 7.0G 7% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/mapper/VolGroup00-usr
4.0G 1.1G 2.7G 29% /usr
/dev/mapper/VolGroup00-usrhome
2.0G 67M 1.9G 4% /home
/dev/mapper/VolGroup00-var
4.0G 170M 3.6G 5% /var
/dev/mapper/VolGroup00-log
4.0G 372M 3.4G 10% /var/log
/dev/mapper/VolGroup00-tmp
4.0G 732M 3.1G 20% /tmp
/dev/mapper/VolGroup00-vartmp
4.0G 136M 3.7G 4% /var/tmp
/dev/mapper/VolGroup00-nwhome
10G 771M 9.3G 8% /var/netwitness
/dev/mapper/VolGroup01-decoroot
20G 3.9G 15G 21% /var/netwitness/decoder
/dev/mapper/VolGroup01-sessiondb
30G 375M 30G 2% /var/netwitness/decoder/sessiondb
/dev/mapper/VolGroup01-index
10G 64M 10G 1% /var/netwitness/decoder/index
/dev/mapper/VolGroup01-metadb
44G 5.7G 39G 13% /var/netwitness/decoder/metadb
/dev/mapper/VolGroup01-packetdb
104G 54G 50G 52% /var/netwitness/decoder/packetdb
4) Stop the decoder service
stop nwdecoder
5) In Security Analytics, roll out the data on the partition you want to change. The purpose of this command is to reduce the amount of data so that it will fit on our new partition. Change the values to adjust the amount of data that is retained. To do this, go to the device and open the explorer view
Right click on /database and click Properties
Use the command sizeRoll
Parameters type=packet maxPercent=20
6) Verify that our new disk that we added can be seen by the operating system
[root@rsadecoder ~]# fdisk -l |grep sd
Disk /dev/sda: 17.2 GB, 17179869184 bytes
/dev/sda1 * 1 1306 10485760 83 Linux
/dev/sda2 1306 2089 6290432 82 Linux swap / Solaris
Disk /dev/sdb: 34.4 GB, 34359738368 bytes
/dev/sdb1 1 4177 33551721 8e Linux LVM
Disk /dev/sdc: 111.7 GB, 111669149696 bytes
/dev/sdc1 1 13576 109049188+ 8e Linux LVM
Disk /dev/sdd: 180.4 GB, 180388626432 bytes
/dev/sdd1 1 21931 176160726 8e Linux LVM
Disk /dev/sde: 34.4 GB, 34359738368 bytes
7) Find out which Logical Volume our partition is on (output of lsblk)
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 1024M 0 rom
sda 8:0 0 16G 0 disk
|-sda1 8:1 0 8G 0 part /
`-sda2 8:2 0 8G 0 part [SWAP]
sdb 8:16 0 32G 0 disk
`-sdb1 8:17 0 32G 0 part
|-VolGroup00-usr (dm-5) 253:5 0 4G 0 lvm /usr
|-VolGroup00-usrhome (dm-6) 253:6 0 2G 0 lvm /home
|-VolGroup00-var (dm-7) 253:7 0 4G 0 lvm /var
|-VolGroup00-log (dm-8) 253:8 0 4G 0 lvm /var/log
|-VolGroup00-tmp (dm-9) 253:9 0 4G 0 lvm /tmp
|-VolGroup00-vartmp (dm-10) 253:10 0 4G 0 lvm /var/tmp
`-VolGroup00-nwhome (dm-11) 253:11 0 10G 0 lvm /var/netwitness
sdc 8:32 0 104G 0 disk
`-sdc1 8:33 0 104G 0 part
|-VolGroup01-decoroot (dm-0) 253:0 0 20G 0 lvm /var/netwitness/decoder
|-VolGroup01-sessiondb (dm-1) 253:1 0 30G 0 lvm /var/netwitness/decoder/sessiondb
|-VolGroup01-index (dm-2) 253:2 0 10G 0 lvm /var/netwitness/decoder/index
`-VolGroup01-metadb (dm-3) 253:3 0 44G 0 lvm /var/netwitness/decoder/metadb
sdd 8:48 0 32G 0 disk
`-VolGroup01-packetdb (dm-4) 253:4 0 104G 0 lvm /var/netwitness/decoder/packetdb
Here we can see that the /var/netwitness/decoder/packetdb is in VolGroup01 and on sdd
8) We will add sde to VolGroup01
[root@rsadecoder ~]# vgextend VolGroup01 /dev/sde
No physical volume label read from /dev/sde
Physical volume "/dev/sde" successfully created
Volume group "VolGroup01" successfully extended
9) Copy the data in /var/netwitness/decoder/packetdb to a new location. Here I am copying the data to the sessiondb partition as it has more space. We have 25GB of data to copy; we compress it and then copy it onto a different partition.
[root@rsadecoder ~]# tar zcvf /var/netwitness/decoder/sessiondb/packetdb.tgz /var/netwitness/decoder/packetdb
tar: Removing leading `/' from member names
/var/netwitness/decoder/packetdb/
/var/netwitness/decoder/packetdb/packet-000000052.nwpdb
/var/netwitness/decoder/packetdb/packet-000000052.nwpdbindex
...
10) Unmount the volumes on sdd
umount -f /var/netwitness/decoder/packetdb
11) Mark the volumes as inactive
lvchange -an /dev/mapper/VolGroup01-packetdb
12) Remove inactive LVMs
lvremove /dev/mapper/VolGroup01-packetdb
13) Create our new volumes
lvcreate -L 30GB VolGroup01 -n packetdb /dev/sde
14) Make the filesystem on the Disk
mkfs.xfs /dev/VolGroup01/packetdb
meta-data=/dev/VolGroup01/packetdb isize=256 agcount=4, agsize=1966080 blks
= sectsz=512 attr=2, projid32bit=0
data = bsize=4096 blocks=7864320, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0
log =internal log bsize=4096 blocks=3840, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
15) Remount the volume
mount -a
16) Restore Backed Up Data
tar zxvf /var/netwitness/decoder/sessiondb/packetdb.tgz -C /
17) Remove Backup File
rm -rf /var/netwitness/decoder/sessiondb/packetdb.tgz
18) Confirm that the new partition now takes up less space
/dev/mapper/VolGroup01-packetdb
25G 20G 5.7G 78% /var/netwitness/decoder/packetdb
19) Confirm that no Logical Volumes use the drive. In the example below any volumes on sdd have now been moved to sde
[root@rsadecoder ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 1024M 0 rom
sda 8:0 0 16G 0 disk
|-sda1 8:1 0 8G 0 part /
`-sda2 8:2 0 8G 0 part [SWAP]
sdb 8:16 0 32G 0 disk
`-sdb1 8:17 0 32G 0 part
|-VolGroup00-usr (dm-5) 253:5 0 4G 0 lvm /usr
|-VolGroup00-usrhome (dm-6) 253:6 0 2G 0 lvm /home
|-VolGroup00-var (dm-7) 253:7 0 4G 0 lvm /var
|-VolGroup00-log (dm-8) 253:8 0 4G 0 lvm /var/log
|-VolGroup00-tmp (dm-9) 253:9 0 4G 0 lvm /tmp
|-VolGroup00-vartmp (dm-10) 253:10 0 4G 0 lvm /var/tmp
`-VolGroup00-nwhome (dm-11) 253:11 0 10G 0 lvm /var/netwitness
sdc 8:32 0 104G 0 disk
`-sdc1 8:33 0 104G 0 part
|-VolGroup01-decoroot (dm-0) 253:0 0 20G 0 lvm /var/netwitness/decoder
|-VolGroup01-sessiondb (dm-1) 253:1 0 30G 0 lvm /var/netwitness/decoder/sessiondb
|-VolGroup01-index (dm-2) 253:2 0 10G 0 lvm /var/netwitness/decoder/index
`-VolGroup01-metadb (dm-3) 253:3 0 44G 0 lvm /var/netwitness/decoder/metadb
sde 8:48 0 32G 0 disk
`-VolGroup01-packetdb (dm-4) 253:4 0 25G 0 lvm /var/netwitness/decoder/packetdb
sdd 8:48 0 168G 0 disk
`-sdd1 8:49 0 168G 0 part
20) Start the Relevant Security Analytics Service
For a decoder, type: start nwdecoder
21) In the Security Analytics GUI, go to device -> explorer -> Database, right click and choose Properties.
Use the command reconfig with parameters update=1
packet.dir:/var/netwitness/decoder/packetdb=28.48 GB
packet.free.space.min:267 MB
packet.file.size:4 GB
meta.dir:/var/netwitness/decoder/metadb=41.77 GB
meta.free.space.min:391 MB
session.dir:/var/netwitness/decoder/sessiondb=28.48 GB
session.free.space.min:267 MB
23) Remove the old disk with
vgreduce VolGroup01 /dev/sdd1
24) Shut down the VM
25) Remove the disk from the VMware Console. Note: /dev/sdd will have Unit Number 3. Make sure the correct disk is deleted.
26) Power On the VM and check that everything works.
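Steps 12 and 13 destroy the old packetdb volume, so it is worth checking beforehand that the rolled-out data fits both the backup location and the new, smaller volume. The script below is an added example, not part of the original article: the function names, the 10% headroom value and the sample `df -Pk` text (constructed from the sizes quoted above) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check to run before steps 9-13 (tar, lvremove, lvcreate).
# SAMPLE_DF is CONSTRUCTED "df -Pk" output based on sizes quoted in this article.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/VolGroup01-sessiondb 31457280 384000 31073280 2% /var/netwitness/decoder/sessiondb
/dev/mapper/VolGroup01-packetdb 109051904 26214400 82837504 25% /var/netwitness/decoder/packetdb'

# df_field <df -Pk text> <mount point> <column>: print one column for that mount.
df_field() {
    printf '%s\n' "$1" | awk -v m="$2" -v c="$3" 'NR > 1 && $6 == m { print $c }'
}

# preflight <df text> <source mount> <backup mount> <new LV size GiB> <headroom %>
# Returns 0 only if the backup mount can hold an uncompressed copy of the source
# (worst case for tar) and the data fits the new LV with the requested headroom.
preflight() {
    local df_text="$1" src="$2" dst="$3" new_gib="$4" headroom="$5"
    local used avail new_kib usable
    used=$(df_field "$df_text" "$src" 3)
    avail=$(df_field "$df_text" "$dst" 4)
    if [ -z "$used" ] || [ -z "$avail" ]; then
        echo "mount point not found in df output" >&2
        return 2
    fi
    new_kib=$(( new_gib * 1024 * 1024 ))
    usable=$(( new_kib * (100 - headroom) / 100 ))
    if [ "$used" -gt "$avail" ]; then
        echo "backup target too small: need ${used}K, have ${avail}K" >&2
        return 1
    fi
    if [ "$used" -gt "$usable" ]; then
        echo "data will not fit new LV: ${used}K used, ${usable}K usable" >&2
        return 1
    fi
    echo "ok: ${used}K fits ${avail}K of backup space and ${usable}K usable on the new LV"
}

# On a live host, pass "$(df -Pk)" instead of the constructed sample.
preflight "$SAMPLE_DF" /var/netwitness/decoder/packetdb \
    /var/netwitness/decoder/sessiondb 30 10
```

If the check fails, lower maxPercent in the sizeRoll step or choose a larger replacement disk before removing the logical volume.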
Notes
Some lab machines have been given disks that are in excess of 104GB. For a customer, the disks should be as large as possible to retain as much data as possible. For a test lab, however, data retention over a period of time is less important, so it may be preferable to install a smaller disk so that overall disk space in the test lab is conserved.
We use steps in knowledgebase articles
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a59784
http://cs-server.na.rsa.net/tools/search/data/primus/a64887.htm
Internal Comments
UserName: shurtj 8/12/2014 2:04:53 PM - Updated Article
Updated article and made changes to abide by Primus best practices.
Product Details
RSA Security Analytics
INTERNAL ONLY !!!!