
Task 2. Add New Volume and Extend Existing File Systems

The following devices are commonly used for the file system extension.

  • /dev/sdc for extending nw-home or /var/netwitness.

  • /dev/sdd for creating /var/netwitness/xxxxxx.

  • /dev/<> for creating /var/netwitness/xxxxxx/metadb.

  • /dev/<> for creating /var/netwitness/xxxxx/sessiondb.

  • /dev/sde for creating /var/netwitness/xxxxx/index.

The number of /dev/<> varies based on the retention days or the number of disks attached.

Admin Server

NetWitness recommended partition for AdminServer.

  • LVM: /dev/netwitness_vg00/nwhome
  • Folder: /var/netwitness/
  • Size: 2TB
  • Disk Type: SSD

Attach an external disk to extend the /var/netwitness/ partition (refer to the steps for attaching the disk). Create the additional disk with the suffix nwhome.

Follow these steps:

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk.

3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome

or,

lvextend -l +100%FREE /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

ESAPrimary/ESASecondary/Malware

NetWitness recommended partition for ESAPrimary/ESASecondary/Malware.

  • LVM: /dev/netwitness_vg00/nwhome
  • Folder: /var/netwitness/
  • Size: 6TB
  • Disk Type: HDD

Attach an external disk to extend the /var/netwitness/ partition; create the external disk with the suffix nwhome.

Follow these steps:

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk.

3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 5.9T /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Log Collector

NetWitness recommends the following partition for the LogCollector (can be changed based on the retention days).

  • LVM: /dev/netwitness_vg00/nwhome
  • Folder: /var/netwitness/
  • Size: 500GB
  • Disk Type: HDD

Attach an external disk to extend the /var/netwitness/ partition; create the external disk with the suffix nwhome.

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name, for example, if you attach one 500GB disk.

3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 488G /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Log Decoder

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Log Decoder: Persistent Datastores and Cache Datastore

  • PacketDB: 100% as calculated by Sizing & Scoping Calculator
  • SessionDB: 1 GB per 1000 EPS of traffic sustained provides 8 hours cache
  • Meta DB: 20 GB per 1000 EPS of traffic sustained provides 8 hours cache
  • Index: 0.5 GB per 1000 EPS of traffic sustained provides 4 hours cache

Extending File Systems

Follow the instructions below to extend the file systems.

Attach an external disk to extend the /var/netwitness/ partition, and create that external disk with the suffix nwhome. Attach other external disks for the LogDecoder database partitions. To extend the /var/netwitness partition, follow these steps:

No other partition should reside on this volume; it is to be used only for /var/netwitness/.

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk.

3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome

or,

lvextend -l +100%FREE /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

Other partitions are also required. Create the following partitions on the logdecodersmall volume group.

  • Folder: /var/netwitness/logdecoder
  • LVM: decoroot
  • Volume Group: logdecodersmall

  • Folder: /var/netwitness/logdecoder/index
  • LVM: index
  • Volume Group: logdecodersmall

  • Folder: /var/netwitness/logdecoder/metadb
  • LVM: metadb
  • Volume Group: logdecodersmall

  • Folder: /var/netwitness/logdecoder/sessiondb
  • LVM: sessiondb
  • Volume Group: logdecodersmall

Follow these steps to create the partitions mentioned in the table above:

1. Execute lsblk and get the physical volume names from the output

2. pvcreate /dev/sdd

3. vgcreate -s 32 logdecodersmall /dev/sdd

4. lvcreate -L <size> -n <lvm_name> logdecodersmall

5. mkfs.xfs /dev/logdecodersmall/<lvm_name>

6. Repeat steps 4 and 5 for all the LVMs mentioned.

The following partition should be on the volume group logdecoder.

  • Folder: /var/netwitness/logdecoder/packetdb
  • LVM: packetdb
  • Volume Group: logdecoder

Follow these steps:

1. Execute lsblk and get the physical volume names from the output

2. pvcreate /dev/sde

3. vgcreate -s 32 logdecoder /dev/sde

4. lvcreate -L <size> -n packetdb logdecoder

5. mkfs.xfs /dev/logdecoder/packetdb

NetWitness recommends the following partition sizing for the LogDecoder (can be changed based on the retention days).

  • LVM: /dev/netwitness_vg00/nwhome
  • Folder: /var/netwitness/
  • Size: 1TB
  • Disk Type: HDD

  • LVM: /dev/logdecodersmall/decoroot
  • Folder: /var/netwitness/logdecoder
  • Size: 10GB
  • Disk Type: HDD

  • LVM: /dev/logdecodersmall/index
  • Folder: /var/netwitness/logdecoder/index
  • Size: 30GB
  • Disk Type: HDD

  • LVM: /dev/logdecodersmall/metadb
  • Folder: /var/netwitness/logdecoder/metadb
  • Size: 3TB
  • Disk Type: HDD

  • LVM: /dev/logdecodersmall/sessiondb
  • Folder: /var/netwitness/logdecoder/sessiondb
  • Size: 370GB
  • Disk Type: HDD

  • LVM: /dev/logdecoder/packetdb
  • Folder: /var/netwitness/logdecoder/packetdb
  • Size: 18TB
  • Disk Type: HDD

Create each directory and mount its LVM on it, one after another, except /var/netwitness, which is already created.

Create the folder /var/netwitness/logdecoder and mount /dev/logdecodersmall/decoroot on it, then create the other folders and mount them.

After that, add the entries below to /etc/fstab in the same order and mount them using mount -a.

/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2

/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2

/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2

/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2

/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2

Concentrator

Virtual Drive Space Ratios

The following table provides optimal configurations for packet and log hosts.

Concentrator: Persistent Datastores and Cache Datastores

  • Meta DB: Calculated as 10% of the PacketDB required for a 1:1 retention ratio
  • SessionDB Index: 30 GB per 1TB of PacketDB for standard multi protocol network deployments as seen at typical internet gateways
  • Index: 5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access

Log Concentrator: Persistent Datastores and Cache Datastores

  • Meta DB: Calculated as 100% of the PacketDB required for a 1:1 retention ratio
  • SessionDB Index: 3 GB per 1000 EPS of sustained traffic per day of retention
  • Index: 5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access

Extending File Systems

Attach an external disk to extend the /var/netwitness/ partition, and create that external disk with the suffix nwhome. Attach other external disks for the Concentrator database partitions.

To extend the /var/netwitness partition, follow the steps below:

No other partition should reside on this volume; it is to be used only for /var/netwitness/.

1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.

2. Execute lsblk and get the physical volume name, for example, if you attach one 2TB disk.

3. pvcreate /dev/sdc (suppose the PV name is /dev/sdc)

4. vgextend netwitness_vg00 /dev/sdc

5. lvextend -L 1.9T /dev/netwitness_vg00/nwhome

or,

lvextend -l +100%FREE /dev/netwitness_vg00/nwhome

6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome

The following partitions are also required on volume group concentrator.

  • Folder: /var/netwitness/concentrator
  • LVM: root
  • Volume Group: concentrator

  • Folder: /var/netwitness/concentrator/sessiondb
  • LVM: sessiondb
  • Volume Group: concentrator

  • Folder: /var/netwitness/concentrator/metadb
  • LVM: metadb
  • Volume Group: concentrator

Follow these steps:

1. Execute lsblk and get the physical volume names from the output

2. pvcreate /dev/sdd

3. vgcreate -s 32 concentrator /dev/sdd

4. lvcreate -L <size> -n <lvm_name> concentrator

5. mkfs.xfs /dev/concentrator/<lvm_name>

6. Repeat steps 4 and 5 for all the LVMs mentioned.

The following partition should be on the volume group index.

  • Folder: /var/netwitness/concentrator/index
  • LVM: index
  • Volume Group: index

Follow these steps:

1. Execute lsblk and get the physical volume names from the output

2. pvcreate /dev/sde

3. vgcreate -s 32 index /dev/sde

4. lvcreate -L <size> -n index index

5. mkfs.xfs /dev/index/index
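
Each procedure on this page begins by reading lsblk output to pick the device for pvcreate, and picking a disk that is already in use puts its data at risk. The following check is an added example, not NetWitness code: it filters lsblk output down to disks with no filesystem or LVM signature, no mount point and no child device. The function names and the sample host are hypothetical.

```shell
#!/bin/sh
# Added example: list disks that are safe targets for pvcreate.
# Input (stdin): output of  lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# A disk qualifies only if it has no filesystem/LVM signature, no mount
# point, and no child device (partition or LVM volume) sitting on it.
blank_disks() {
    awk -F'"' '
    {
        name = $2; parent = $4; type = $6; fstype = $8; mnt = $10
        if (parent != "") has_child[parent] = 1
        if (type == "disk" && fstype == "" && mnt == "") cand[++n] = name
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(cand[i] in has_child)) print cand[i]
    }'
}

# Constructed sample of lsblk -P output (hypothetical host, not from the page).
sample_lsblk() {
    cat <<'EOF'
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="netwitness_vg00-nwhome" PKNAME="sda2" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/var/netwitness"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="sdc" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdd" PKNAME="" TYPE="disk" FSTYPE="xfs" MOUNTPOINT=""
NAME="sr0" PKNAME="" TYPE="rom" FSTYPE="" MOUNTPOINT=""
EOF
}

# On a live host: lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | blank_disks
sample_lsblk | blank_disks
```

In the sample only sdc is reported: sda carries partitions, sdb is already a physical volume, and sdd holds an unmounted xfs filesystem.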

NetWitness recommends the following partition sizing for the Concentrator (can be changed based on the retention days).

  • LVM: /dev/netwitness_vg00/nwhome
  • Folder: /var/netwitness/
  • Size: 1TB
  • Disk Type: HDD

  • LVM: /dev/concentrator/root
  • Folder: /var/netwitness/concentrator
  • Size: 10GB
  • Disk Type: HDD

  • LVM: /dev/concentrator/metadb
  • Folder: /var/netwitness/concentrator/metadb
  • Size: 3TB
  • Disk Type: HDD

  • LVM: /dev/concentrator/sessiondb
  • Folder: /var/netwitness/concentrator/sessiondb
  • Size: 370GB
  • Disk Type: HDD

  • LVM: /dev/index/index
  • Folder: /var/netwitness/concentrator/index
  • Size: 2TB
  • Disk Type: HDD

Create each directory and mount its LVM on it, one after another, except /var/netwitness, which is already created.

Create the folder /var/netwitness/concentrator and mount /dev/concentrator/root on it, then create the other folders and mount them.

After that, add the entries below to /etc/fstab in the same order.

/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2

/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2

/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2

/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2
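
A linter for the fstab entries listed here and in the Log Decoder section, added as an example and not NetWitness code: it checks the field count, that nosuid is still present on each data volume, and that every parent mount point is listed before its children. The function names and both samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint NetWitness data-volume entries in fstab text (stdin).
# Prints one line per problem; returns non-zero if any problem was found.
check_fstab() {
    awk '
    $1 ~ /^#/ { next }                      # comment line
    $2 !~ /^\/var\/netwitness\// { next }   # only mounts below /var/netwitness
    {
        mp = $2; sub(/\/+$/, "", mp)
        if (NF != 6) {
            printf "line %d: %d fields, expected 6\n", NR, NF; bad++
        }
        if (("," $4 ",") !~ /,nosuid,/) {
            printf "line %d: %s mounted without nosuid\n", NR, mp; bad++
        }
        # mount -a follows fstab order: a parent must precede its children
        for (s in seen)
            if (index(s, mp "/") == 1) {
                printf "line %d: %s listed after its child %s\n", NR, mp, s
                bad++
            }
        seen[mp] = 1
    }
    END { exit (bad > 0) }'
}

# Constructed sample: Log Decoder entries in the order the page gives.
sample_good() {
    cat <<'EOF'
/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2
/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2
/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2
EOF
}

# Constructed sample with three planted mistakes: child listed before its
# parent, a stray seventh field, and a mount that lost nosuid.
sample_bad() {
    cat <<'EOF'
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2 2
/dev/index/index /var/netwitness/concentrator/index xfs noatime 1 2
EOF
}

# On a live host: check_fstab < /etc/fstab
sample_good | check_fstab && echo "sample_good: ok"
sample_bad | check_fstab || echo "sample_bad: fix before running mount -a"
```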

Archiver

The following partition is required for the Archiver volume group.

  • Folder: /var/netwitness/archiver
  • LVM: archiver
  • Volume Group:

Attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.

see Task 1. Add New Disk.

for example, if you attach one 6TB disk

Attach external disk for extension of /var/netwitness/mongo partition, create an external disk with suffix as nwhome.

see Task 1. Add New Disk.

for example, if you attach one 6TB disk

Log Collector, and Concentrator see Log Decoder, Log Collector, and Concentrator.

dev/mapper/sdc)