
Add New Volume and Extend Existing File Systems

Tags: Documentation, Version 12.1

The following device names are commonly used in the commands for extending the file systems.

  • /dev/sdc for extending nw-home or /var/netwitness.
  • /dev/sdd for creating /var/netwitness/xxxxxx.
  • /dev/<> for creating /var/netwitness/xxxxxx/metadb.
  • /dev/<> for creating /var/netwitness/xxxxx/sessiondb.
  • /dev/sde for creating /var/netwitness/xxxxx/index.

Admin Server

RSA recommended partition for AdminServer (Can be changed based on the retention days).

LVM | Folder | Size | Disk Type
/dev/netwitness_vg00/nwhome | /var/netwitness/ | 2TB | SSD

Attach an external disk for extension of the /var/netwitness/ partition (refer to the steps in attaching the disk). Create an additional disk with suffix as nwhome.
Follow these steps:
  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk.
  3. pvcreate <pv_name> (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome  or  lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
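
A check for step 2, run before pvcreate touches anything, as an added example that is not part of the vendor procedure: it reads lsblk --pairs output and lists only whole disks that have no partitions, no filesystem or LVM signature and no mount point. The function name unused_disks and the sample listing are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. On a host, feed it:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | unused_disks

# unused_disks: reads lsblk --pairs output on stdin and prints /dev/<name> for
# every whole disk that has no child device, no filesystem or LVM signature
# and no mount point, i.e. a disk that can be handed to pvcreate.
unused_disks() {
  awk '
    # val(key): value of KEY="..." on the current line, "" if absent.
    function val(key,   line) {
      line = " " $0
      if (!match(line, " " key "=\"[^\"]*\"")) return ""
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      name = val("NAME"); parent = val("PKNAME")
      if (parent != "") haschild[parent] = 1        # partitions, LVs and so on
      if (val("TYPE") == "disk") {
        order[++n] = name
        inuse[name] = (val("FSTYPE") != "" || val("MOUNTPOINT") != "")
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!inuse[order[i]] && !(order[i] in haschild)) print "/dev/" order[i]
    }
  '
}

# Constructed sample of the lsblk output: sda carries the OS and nwhome,
# sdb is already an LVM physical volume, only sdc is untouched.
sample_lsblk() {
  cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda"
NAME="netwitness_vg00-nwhome" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/var/netwitness" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME=""
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
EOF
}

sample_lsblk | unused_disks
```

If the disk you attached is not in the output, stop and inspect it before running pvcreate against it.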

ESAPrimary/ESASecondary/Malware 

RSA recommended partition for ESAPrimary/ESASecondary/Malware (Can be changed based on the retention days).

LVM | Folder | Size | Disk Type
/dev/netwitness_vg00/nwhome | /var/netwitness/ | 6TB | HDD

Attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

Follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
  3. pvcreate <pv_name> (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 5.9T /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

LogCollector

RSA recommends the following partition for the LogCollector (Can be changed based on the retention days).

LVM | Folder | Size | Disk Type
/dev/netwitness_vg00/nwhome | /var/netwitness/ | 500GB | HDD

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 500GB disk
  3. pvcreate <pv_name> (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 488G /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

LogDecoder

 

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Log Decoder
Persistent Datastores | Cache Datastores
PacketDB | SessionDB | MetaDB | Index
100% as calculated by Sizing & Scoping Calculator | 1 GB per 1000 EPS of traffic sustained provides 8 hours cache | 20 GB per 1000 EPS of traffic sustained provides 8 hours cache | 0.5 GB per 1000 EPS of traffic sustained provides 4 hours cache

 

Extending File Systems

Follow the below instructions to extend the file systems.

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for LogDecoder database partition. For extending /var/netwitness partition follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk. 
  2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk
  3. pvcreate <pv_name> (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome or lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Other partitions are also required. Create the following partitions on the logdecodersmall volume group.

Folder | LVM | Volume Group
/var/netwitness/logdecoder | decoroot | logdecodersmall
/var/netwitness/logdecoder/index | index | logdecodersmall
/var/netwitness/logdecoder/metadb | metadb | logdecodersmall
/var/netwitness/logdecoder/sessiondb | sessiondb | logdecodersmall

Follow these steps to create the partitions mentioned in the table above:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sdd
  3. vgcreate -s 32 logdecodersmall /dev/sdd
  4. lvcreate -L <disk_size> -n <lvm_name> logdecodersmall
  5. mkfs.xfs /dev/logdecodersmall/<lvm_name>
  6. Repeat steps 4 and 5 for all the LVMs mentioned

The following partition should be on volume group LogDecoder

Folder | LVM | Volume Group
/var/netwitness/logdecoder/packetdb | packetdb | logdecoder

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 logdecoder /dev/sde
  4. lvcreate -L <disk_size> -n packetdb logdecoder
  5. mkfs.xfs /dev/logdecoder/packetdb

RSA recommends the following partition sizing for the LogDecoder (can be changed based on the retention days).

LVM | Folder | Size | Disk Type
/dev/netwitness_vg00/nwhome | /var/netwitness/ | 1TB | HDD
/dev/logdecodersmall/decoroot | /var/netwitness/logdecoder | 10GB | HDD
/dev/logdecodersmall/index | /var/netwitness/logdecoder/index | 30GB | HDD
/dev/logdecodersmall/metadb | /var/netwitness/logdecoder/metadb | 3TB | HDD
/dev/logdecodersmall/sessiondb | /var/netwitness/logdecoder/sessiondb | 370GB | HDD
/dev/logdecoder/packetdb | /var/netwitness/logdecoder/packetdb | 18TB | HDD

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

After that, add the entries below to /etc/fstab in the same order and mount them using mount -a.

/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2

/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2

/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2

/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2

/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2

Concentrator

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Concentrator
Persistent Datastores | Cache Datastores
MetaDB | SessionDB Index | Index
Calculated as 10% of the PacketDB required for a 1:1 retention ratio | 30 GB per 1TB of PacketDB for standard multi protocol network deployments as seen at typical internet gateways | 5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access

Log Concentrator
Persistent Datastores | Cache Datastores
MetaDB | SessionDB Index | Index
Calculated as 100% of the PacketDB required for a 1:1 retention | 3 GB per 1000 EPS of sustained traffic per day of retention | 5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access

Extending File Systems

Attach external disk for extension of /var/netwitness/ partition, Create an external disk with suffix as nwhome, attach other external disks for Concentrator database partition.

For extending /var/netwitness partition follow below steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk
  3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome or lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following partitions are also required on volume group concentrator.

Folder | LVM | Volume Group
/var/netwitness/concentrator | root | concentrator
/var/netwitness/concentrator/sessiondb | sessiondb | concentrator
/var/netwitness/concentrator/metadb | metadb | concentrator

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sdd
  3. vgcreate -s 32 concentrator /dev/sdd
  4. lvcreate -L <disk_size> -n <lvm_name> concentrator
  5. mkfs.xfs /dev/concentrator/<lvm_name>
  6. Repeat steps 4 and 5 for all the LVMs mentioned

The following partition should be on volume group index.

Folder | LVM | Volume Group
/var/netwitness/concentrator/index | index | index

Follow these steps: 

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 index /dev/sde
  4. lvcreate -L <disk_size> -n index index
  5. mkfs.xfs /dev/index/index

RSA recommends the following partition sizing for the Concentrator (can be changed based on the retention days).

LVM | Folder | Size | Disk Type
/dev/netwitness_vg00/nwhome | /var/netwitness/ | 1TB | HDD
/dev/concentrator/root | /var/netwitness/concentrator | 10GB | HDD
/dev/concentrator/metadb | /var/netwitness/concentrator/metadb | 3TB | HDD
/dev/concentrator/sessiondb | /var/netwitness/concentrator/sessiondb | 370GB | HDD
/dev/index/index | /var/netwitness/concentrator/index | 2TB | SSD

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

After that, add the entries below to /etc/fstab in the same order:
/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2
/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2
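
Two properties of these entries matter before mount -a is run: every data volume carries nosuid, and a parent mount point is listed before the mount points nested under it. The linter below is an added example, not vendor code; the name lint_fstab and the sample input with three deliberate faults are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not vendor code: lint the data-volume lines destined for
# /etc/fstab before running mount -a.

# lint_fstab: reads fstab lines on stdin, prints one finding per problem,
# returns 0 when clean and 1 otherwise.
lint_fstab() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    NF != 6 {                                    # device, dir, type, options, dump, pass
      printf "line %d: expected 6 fields, found %d\n", NR, NF; bad = 1; next
    }
    $2 !~ /^\/var\/netwitness\// { next }        # only the volumes this page creates
    {
      mnt = $2
      if ($3 != "xfs") {
        printf "line %d: %s is %s, expected xfs\n", NR, mnt, $3; bad = 1
      }
      if (("," $4 ",") !~ /,nosuid,/) {
        printf "line %d: %s is missing nosuid\n", NR, mnt; bad = 1
      }
      if (mnt in seen) {
        printf "line %d: %s is listed twice\n", NR, mnt; bad = 1
      }
      # A parent mounted after its child is mounted over it and hides it.
      for (child in seen) {
        if (index(child, mnt "/") == 1) {
          printf "line %d: %s must come before %s\n", NR, mnt, child; bad = 1
        }
      }
      seen[mnt] = NR
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: Concentrator entries with a child listed before its
# parent, a line with an extra field, and a line without nosuid.
sample_fstab() {
  cat <<'EOF'
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2 2
/dev/index/index /var/netwitness/concentrator/index xfs noatime 1 2
EOF
}

sample_fstab | lint_fstab || true
```

To check a live host, run `lint_fstab < /etc/fstab`; lines outside /var/netwitness/ are only checked for field count.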

Archiver

The following partition is required for the Archiver volume group.

Folder | LVM | Volume Group
/var/netwitness/archiver | archiver | archiver

Follow these steps:

  1. Execute lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 archiver /dev/sde
  4. lvcreate -L <disk_size> -n archiver archiver
  5. mkfs.xfs /dev/archiver/archiver

Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for Archiver database partition.

For extending /var/netwitness partition follow these steps:

  1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk
  3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome or lvextend -l +100%FREE /dev/netwitness_vg00/nwhome

RSA recommends the following sizing partition for the Archiver (Can be changed based on the retention days).

LVM | Folder | Size | Disk Type
/dev/netwitness_vg00/nwhome | /var/netwitness/ | 1 TB | HDD
/dev/archiver/archiver | /var/netwitness/archiver | 4 TB | HDD

Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.

After that add the below entries in /etc/fstab in the same order

/dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2

Decoder

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Decoder
Persistent Datastores | Cache Datastore

/var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for decoder database partition. For extending /var/netwitness partition follow these steps:

  1. see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk
  3. pvcreate /dev/sdc
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome or lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
  6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

/var/netwitness/decoder | decoroot | decodersmall
/var/netwitness/decoder/index | index | decodersmall
/var/netwitness/decoder/metadb | metadb |

  1. lsblk and get the physical volume names from the output
  2. pvcreate /dev/sdd
  3. vgcreate -s 32 decodersmall /dev/sdd
  4. lvcreate -L <disk_size> -n <lvm_name> decodersmall
  5. mkfs.xfs /dev/decodersmall/<lvm_name>
  6. Repeat steps 4 and 5 for all the LVMs mentioned

decoder volume group.

/var/netwitness/decoder/packetdb | packetdb | decoder

  1. lsblk and get the physical volume names from the output
  2. pvcreate /dev/sde
  3. vgcreate -s 32 decoder /dev/sde
  4. lvcreate -L <disk_size> -n packetdb decoder
  5. mkfs.xfs /dev/decoder/packetdb

/dev/netwitness_vg00/nwhome | /var/netwitness | 1TB | HDD
/dev/decodersmall/decoroot | /var/netwitness/decoder | 10GB | HDD
/dev/decodersmall/index | /var/netwitness/decoder/index | 30GB | HDD
/dev/decodersmall/metadb | /var/netwitness/decoder/metadb | 3TB | HDD

LVM on it in serial manner, except /var/netwitness which will be already created.

/var/netwitness/decoder and mount on /dev/decodersmall/decoroot then create the other folders and mount them.

/etc/fstab in the same order and mount them using mount -a.

/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2
/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2
/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2
/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2

attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

  1. see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
  3. pvcreate <pv_name> (suppose the PV name is /dev/sdc)
  4. vgextend netwitness_vg00 /dev/sdc
  5. lvextend -L 5.9T /dev/netwitness_vg00/nwhome

/dev/netwitness_vg00/nwhome | /var/netwitness/ | 6 TB | HDD

attach external disk for extension of /var/netwitness/mongo partition, create an external disk with suffix as nwhome.

  1. see Task 1. Add New Disk.
  2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
  3. pvcreate <pv_name> (suppose the PV name is /dev/sdc1)
  4. vgextend hybrid /dev/sdc1
  5. lvextend -L 5.9T /dev/hybrid-vlmng

/dev/hybrid-vlmng | /var/netwitness/mongo | 6 TB | HDD

Log Collector, and Concentrator see LogDecoder, LogCollector, and Concentrator.

/var/netwitness/ partition. You must use nwhome as the external disk suffix. This procedure illustrates how to add a 2TB disk.

/var/netwitness is the only partition that can reside on this volume.

  • lsblk (for example, dev/mapper/sdc)
  • /var/netwitness/ partition.
  • pvcreate <pv_name> where pv_name is dev/mapper/sdc
  • vgextend netwitness_vg00 /dev/mapper/sdc
  • lvextend -L 1.9T /dev/mapper/netwitness_vg00/nwhome