How to Re-allocate space amongst volumes on an RSA Security Analytics Virtual Log Decoder to allow for higher session retention
Issue
How to Re-allocate space amongst volumes on an RSA Security Analytics Virtual Log Decoder to allow for higher session retention.
Resolution
Instructions for re-allocating space. All database writes must be stopped before proceeding.
- Stop services
stop nwappliance
stop nwlogcollector
stop nwlogdecoder
- Edit /etc/fstab and add # in front of the following mount points
/dev/mapper/VolGroup00-nwhome /var/netwitness xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-decoroot /var/netwitness/logdecoder ext4 defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-index /var/netwitness/logdecoder/index xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-sessiondb /var/netwitness/logdecoder/sessiondb xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-metadb /var/netwitness/logdecoder/metadb xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-logcoll /var/netwitness/logcollector xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-packetdb /var/netwitness/logdecoder/packetdb xfs defaults,noatime,nosuid 1 2
- Reboot the OS (shutdown -r now) and, once it has come back up, remove the # from those lines in /etc/fstab
- Mount volumes: mount -a
- Copy data off the appliance (for example with scp) from the following locations. This step is optional: skip it if data loss is acceptable.
/var/netwitness/logdecoder/sessiondb
/var/netwitness/logdecoder/metadb
/var/netwitness/logdecoder/packetdb
- Unmount the volumes
umount -f /var/netwitness/logdecoder/sessiondb
umount -f /var/netwitness/logdecoder/metadb
umount -f /var/netwitness/logdecoder/packetdb
- Make LVM Logical Volumes inactive
lvchange -an /dev/VolGroup01/sessiondb
lvchange -an /dev/VolGroup01/metadb
lvchange -an /dev/VolGroup01/packetdb
- Remove the inactive logical volumes
lvremove -f /dev/VolGroup01/sessiondb
lvremove -f /dev/VolGroup01/metadb
lvremove -f /dev/VolGroup01/packetdb
- Recreate the logical volumes
lvcreate -L 60GB VolGroup01 -n sessiondb /dev/sde
lvcreate -L 1.7T VolGroup01 -n packetdb /dev/sde
lvcreate -l +100%FREE VolGroup01 -n metadb /dev/sde
- Run lvscan. You should see the three volumes listed:
/dev/VolGroup01/sessiondb
/dev/VolGroup01/metadb
/dev/VolGroup01/packetdb
- Create the file systems
mkfs.xfs /dev/VolGroup01/sessiondb
mkfs.xfs /dev/VolGroup01/metadb
mkfs.xfs /dev/VolGroup01/packetdb
- Check the integrity of each file system
xfs_check /dev/VolGroup01/sessiondb
xfs_check /dev/VolGroup01/metadb
xfs_check /dev/VolGroup01/packetdb
If no errors, continue.
- Remount volumes
mount -a
- Restore files (optional). Because packetdb is being shrunk, you may have to restore only the most recent files that will fit.
If you are NOT restoring files, clean up by clearing the logdecoder index volume:
cd /var/netwitness/logdecoder
rm -rf index
mkdir -p /var/netwitness/logdecoder/index
- Start services
start nwappliance
start nwlogcollector
start nwlogdecoder
When the service is back to normal in Administration > Devices, perform the 'reconfig' method to increase the maximum size of /database/config/meta.dir and /database/config/session.dir and decrease the size of /database/config/packet.dir.
To perform database re-configuration
In Security Analytics navigate to Administration > Devices
Select logdecoder service
View > Explore
Right click on database and select Properties.
Choose the reconfig method from the dropdown menu, enter 'update=1' in Parameters and click Send.
Notes
Background:
Retention on each of the databases was previously determined as follows:
packetdb: 2.9T = 45 days, 21 hours
metadb: 613G = 9 days, 8 hours
sessiondb: 35G = 14 days, 16 hours
Supporting Detail:
df -h:
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 9.9G 1.9G 7.6G 20% /
tmpfs 20G 188K 20G 1% /dev/shm
/dev/mapper/VolGroup00-usr
4.0G 1.2G 2.6G 31% /usr
/dev/mapper/VolGroup00-usrhome
2.0G 68M 1.9G 4% /home
/dev/mapper/VolGroup00-var
4.0G 167M 3.6G 5% /var
/dev/mapper/VolGroup00-log
4.0G 950M 2.9G 25% /var/log
/dev/mapper/VolGroup00-tmp
4.0G 563M 3.2G 15% /tmp
/dev/mapper/VolGroup00-vartmp
4.0G 136M 3.7G 4% /var/tmp
/dev/mapper/VolGroup00-nwhome
10G 210M 9.8G 3% /var/netwitness
/dev/mapper/VolGroup01-decoroot
20G 1.2G 18G 6% /var/netwitness/logdecoder
/dev/mapper/VolGroup01-index
40G 66M 40G 1% /var/netwitness/logdecoder/index
/dev/mapper/VolGroup01-sessiondb
40G 35G 5.4G 87% /var/netwitness/logdecoder/sessiondb
/dev/mapper/VolGroup01-metadb
665G 613G 53G 93% /var/netwitness/logdecoder/metadb
/dev/mapper/VolGroup01-logcoll
64G 868M 64G 2% /var/netwitness/logcollector
/dev/mapper/VolGroup01-packetdb
3.0T 2.9T 169G 95% /var/netwitness/logdecoder/packetdb
pvdisplay -C:
PV VG Fmt Attr PSize PFree
/dev/sdb1 VolGroup00 lvm2 a-- 32.00g 0
/dev/sdc1 VolGroup01 lvm2 a-- 104.00g 0
/dev/sdd1 VolGroup01 lvm2 a-- 168.00g 0
/dev/sde VolGroup01 lvm2 a-- 3.54t 1012.00m
vgdisplay -C
VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 7 0 wz--n- 32.00g 0
VolGroup01 3 6 0 wz--n- 3.81t 1012.00m
lvscan:
Finding all logical volumes
ACTIVE '/dev/VolGroup01/decoroot' [20.00 GiB] inherit
ACTIVE '/dev/VolGroup01/index' [40.00 GiB] inherit
ACTIVE '/dev/VolGroup01/sessiondb' [40.00 GiB] inherit
ACTIVE '/dev/VolGroup01/metadb' [665.00 GiB] inherit
ACTIVE '/dev/VolGroup01/logcoll' [64.00 GiB] inherit
ACTIVE '/dev/VolGroup01/packetdb' [3.00 TiB] inherit
ACTIVE '/dev/VolGroup00/usr' [4.00 GiB] inherit
ACTIVE '/dev/VolGroup00/usrhome' [2.00 GiB] inherit
ACTIVE '/dev/VolGroup00/var' [4.00 GiB] inherit
ACTIVE '/dev/VolGroup00/log' [4.00 GiB] inherit
ACTIVE '/dev/VolGroup00/tmp' [4.00 GiB] inherit
ACTIVE '/dev/VolGroup00/vartmp' [4.00 GiB] inherit
ACTIVE '/dev/VolGroup00/nwhome' [10.00 GiB] inherit
/etc/fstab:
UUID=47b608f7-c1ee-45ff-b5b4-125ab6343806 / ext3 defaults 1 1
UUID=a8a64b2e-773f-48ef-83c0-a8ace849e32c swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/mapper/VolGroup00-usr /usr ext4 defaults 1 2
/dev/mapper/VolGroup00-usrhome /home ext4 defaults,nosuid 1 2
/dev/mapper/VolGroup00-var /var ext4 defaults 1 2
/dev/mapper/VolGroup00-log /var/log ext4 defaults 1 2
/dev/mapper/VolGroup00-tmp /tmp ext4 defaults,nosuid 1 2
/dev/mapper/VolGroup00-vartmp /var/tmp ext4 defaults,nosuid 1 2
/dev/mapper/VolGroup00-nwhome /var/netwitness xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-decoroot /var/netwitness/logdecoder ext4 defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-index /var/netwitness/logdecoder/index xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-sessiondb /var/netwitness/logdecoder/sessiondb xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-metadb /var/netwitness/logdecoder/metadb xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-logcoll /var/netwitness/logcollector xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-packetdb /var/netwitness/logdecoder/packetdb xfs defaults,noatime,nosuid 1 2
/var/netwitness/logcollector/upload /var/netwitness/logcollector/upload_chroot/home/upload/eventsources none bind 0 0
Summary:
Current Allocation:
/var/netwitness/logdecoder/sessiondb - 40G
/var/netwitness/logdecoder/metadb - 613G
/var/netwitness/logdecoder/packetdb - 3.0T
Desired Allocation:
/var/netwitness/logdecoder/sessiondb - 60GB
/var/netwitness/logdecoder/metadb - 1.72TB (the rest)
/var/netwitness/logdecoder/packetdb - 1.7TB
This assumes the Log Decoder is a VM, so that the space used by packetdb, metadb and sessiondb comes from the same LVM volume group (the lvscan output above shows they all belong to /dev/VolGroup01).
Warning: This procedure carries some risk of data loss (which is why this KB is internal only).
Check all of the supporting detail carefully: block device names in particular (such as /dev/sdb1 and /dev/VolGroup01/decoroot) differ between appliances because of build differences.
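Added example, not part of the RSA KB article: a small POSIX shell script with dry-run helpers for the re-allocation procedure above and for the sizing figures in the Background and Summary sections. It works on saved text (a copy of /etc/fstab, captured lvscan output) rather than on live devices, so the checks can be rehearsed before any service is stopped. The function names, the sample fstab and lvscan excerpts (constructed from this article's supporting detail) and the steady-ingest assumption behind the retention projection are all assumptions of this example, not RSA's.

```shell
#!/bin/sh
# Added example (not from the RSA KB article): dry-run helpers for the LVM
# re-allocation procedure. Every function works on saved text so it can be
# rehearsed offline. Sample inputs are constructed from the article's own
# supporting detail; device names and sizes differ between appliances.

# comment_nw_mounts FSTAB
#   Print FSTAB with '#' prefixed to every /dev/mapper entry mounted under
#   /var/netwitness (the seven mount points the procedure comments out).
#   OS volumes and the logcollector bind mount are left untouched.
comment_nw_mounts() {
    awk '$1 ~ /^\/dev\/mapper\// && $2 ~ /^\/var\/netwitness/ { print "#" $0; next } { print }' "$1"
}

# lv_state LVSCAN LVPATH
#   Print the first column (ACTIVE/inactive) of saved lvscan output for
#   LVPATH, or "missing" if it is not listed. Use it to confirm lvchange -an
#   took effect before lvremove, and that all three volumes exist after lvcreate.
lv_state() {
    awk -v lv="'$2'" '$2 == lv { print $1; found = 1 } END { if (!found) print "missing" }' "$1"
}

# lv_size_gib LVSCAN LVPATH
#   Print the LV size from lvscan output as whole GiB ([3.00 TiB] -> 3072).
lv_size_gib() {
    awk -v lv="'$2'" '$2 == lv { sz = substr($3, 2) + 0; if ($4 ~ /^TiB/) sz *= 1024; printf "%d\n", sz }' "$1"
}

# plan_rest_gib LVSCAN SESSION_GIB PACKET_GIB
#   Space freed by removing sessiondb, metadb and packetdb, minus the new
#   sessiondb and packetdb sizes: an upper bound for the "-l +100%FREE" metadb.
#   Returns non-zero if the plan does not fit. It ignores which physical volume
#   the extents sit on, so the real figure can be smaller when lvcreate is
#   pinned to a single PV such as /dev/sde.
plan_rest_gib() {
    freed=0
    for lv in sessiondb metadb packetdb; do
        sz=$(lv_size_gib "$1" "/dev/VolGroup01/$lv")
        freed=$(( freed + ${sz:-0} ))
    done
    rest=$(( freed - $2 - $3 ))
    [ "$rest" -gt 0 ] || return 1
    echo "$rest"
}

# projected_retention_hours USED_GIB HOURS_OBSERVED NEW_GIB
#   Scale the observed retention of a database linearly to a new volume size.
#   Assumption: a steady ingest rate (the article's Background figures, in hours).
projected_retention_hours() {
    awk -v used="$1" -v hrs="$2" -v new="$3" 'BEGIN { printf "%d\n", new * hrs / used }'
}

# --- constructed sample input, taken from the article's supporting detail ---
SAMPLE_FSTAB=$(mktemp)
SAMPLE_LVSCAN=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB" "$SAMPLE_LVSCAN"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/mapper/VolGroup00-var /var ext4 defaults 1 2
/dev/mapper/VolGroup00-nwhome /var/netwitness xfs defaults,noatime,nosuid 1 2
/dev/mapper/VolGroup01-packetdb /var/netwitness/logdecoder/packetdb xfs defaults,noatime,nosuid 1 2
/var/netwitness/logcollector/upload /var/netwitness/logcollector/upload_chroot/home/upload/eventsources none bind 0 0
EOF
cat > "$SAMPLE_LVSCAN" <<'EOF'
Finding all logical volumes
ACTIVE '/dev/VolGroup01/sessiondb' [40.00 GiB] inherit
inactive '/dev/VolGroup01/metadb' [665.00 GiB] inherit
ACTIVE '/dev/VolGroup01/packetdb' [3.00 TiB] inherit
EOF

comment_nw_mounts "$SAMPLE_FSTAB"
echo "metadb state: $(lv_state "$SAMPLE_LVSCAN" /dev/VolGroup01/metadb)"
echo "metadb can be at most $(plan_rest_gib "$SAMPLE_LVSCAN" 60 1741) GiB"
# sessiondb: 35 GiB used held 14 days 16 hours (352 h); projected at 60 GiB
echo "sessiondb at 60 GiB: $(projected_retention_hours 35 352 60) hours"
```

The retention helper makes the Summary's choice of sizes easier to read: scaling the Background figures gives roughly 603 hours (about 25 days) for sessiondb at 60 GiB, and similar values for metadb at 1.72 TiB and packetdb at 1.7 TiB, so the new allocation evens out retention across the three databases. On the appliance itself the live checks remain lvscan and pvdisplay -C as shown in the supporting detail.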
Internal Comments
UserName: shurtj 8/7/2014 2:02:22 PM - Updated Article
Updated article and made changes to abide by Primus best practices.
Product Details
RSA Security Analytics; RSA Security Analytics Virtual Log Decoder
INTERNAL ONLY!!!