Prepare Physical StoragePrepare Physical Storage
IMPORTANT: NetWitness recommends you to create a block device for NetWitness Storage.
This section provides two options to configure block device:
Note: Block device is also referred to as Virtual Drive or Drive Group
Configure Block devices for Drive pack Configure Block devices for Drive pack
You can add additional drives to the Series 6 or 6E appliances to accommodate various use cases. These drives provide the capability for the decoder meta or concentrator index volumes to reside on the appliance. A minimum of 2 drives and a maximum of 6 drives are possible. The number of drives will depend on how much meta cache or index is needed.
Benefits of Series 6/6E Drive PackBenefits of Series 6/6E Drive Pack
Maximize PowerVault Storage Capacity - Traditionally, PowerVault storage allocates a volume for the Decoder metadata. This reduces the usable storage on the PowerVault. Drive Packs reduce this issue by providing 20TB of extra usable PV storage.
Reduces Cost for Meta Only Use Case - For metadata-only deployments, drive pack fits for a customer who want to purchase hardware from NetWitness. This provides more cost-effective solution, because a drive pack can substitute a PowerVault.
Enable existing deployments to utilize compression options.
Provides capability for expanding meta keys and associated indexing.
Decoder Meta Use CasesDecoder Meta Use Cases
Maximize Power Vault Storage
Two or more 2.4TB 10K SAS SED drives can be added to a Decoder for the decodersmall or logdecodersmall volumes. These volumes are used to store the meta cache on the Decoders.
Both the Log Decoders and Network Decoders parse out meta data from the raw captured traffic. The meta data is then aggregated to a Concentrator for indexing.
The host requires storage to store a cache for the meta extracted during the data capture for Concentrator aggregation. The meta cache on a Decoder is generally fixed in size, but you can expand it to support additional cache to avoid possible connectivity loss between the Decoder and the corresponding Concentrator.
Typically, the decodersmall or logdecodersmall volumes are stored on the first three drives of the first and second (10G config only) PowerVault enclosures. By utilizing the drive pack option, these three drives can instead be used for the packetdb (maximizing Power Vault storage).
For meta-only scenarios, the decodersmall volume would be stored on the drive pack, therefore eliminating the need for a Power Vault.
Concentrator Index Use CasesConcentrator Index Use Cases
Support Additional Meta-Key Indexing
Capability to Enable compression for Existing Deployments
Two or more 3.84 TB SSD SED drives can be added to a Concentrator to increase the index volume. The index storage needs are scaled based on the NetWitness Platform deployment retention requirements. If additional meta keys are enabled and indexed, it may impact index retention.
For existing deployments, an SSD index drive pack is required if you need to enable compression. When compressing the packetdb and metadb, additional index is needed to support compression of those databases.
See Appendix F. Sample Storage Configuration Scenarios for Meta Disk Kits for sample storage configuration scenarios for Meta Disk Kits.
Configure Block Devices for PowerVaultsConfigure Block Devices for PowerVaults
The Physical, Virtual, or Cloud NetWitness hosts for Decoders, Log Decoders, Concentrators, and Archivers need block storage attached. Make sure that the allocated storage meets all of the storage requirements. Specifically, make sure that the required storage volumes are created (for more information, see Required NetWitness Platform Storage Volumes in Storage Requirements), and:
At least two block devices are created for Decoders (Meta, Session and Packet volumes)
Note: The larger block devices hold the packet volume, and the smaller block devices hold the meta and session.
At least two block devices are created for Concentrators (Index and Meta volumes).
Ensure that the block device meets the minimum IOPS for expected ingestion rates.
Configure Block Device for Decoder / Log DecoderConfigure Block Device for Decoder / Log Decoder
While creating the block device RAID configuration, the best practice is to configure a RAID 6 for the larger NL-SAS drives and RAID 5 or 1 for any 10k SAS or SSD type drives.
- Identify the controller ID (Ctl) for ‘PERC H840P Adaptor’.
In the below figure the controller ID is ‘1’ corresponds to ‘PERCH840PAdaptor’.
- Identify the Enclosure ID (EID) for controller ‘1’. In this case the EID is ‘247’.
/opt/MegaRAID/perccli/perccli64 /c1 /eall show
- Identify the existing block devices on the host. The block device name is identified under NAME column. The block devices names shown below are sda,sdb and sdc. Use ‘lsblk’ to list the block devices.
Create the Virtual Drive or Drive Group (DG) on PERCH840PAdaptor using disks in slot 0 through 9 (for example, all the drives) using below command.
Warning: Every decoder needs a logdecodersmall or decodersmall volume for meta. This example assumes the meta volume already exists on another PowerVault or Drive Pack. If this enclosure will account for the meta volume, the first two or 3 drives would need to be allocated for the meta volume block device. Another block device would need to be created with the remaining drives for the packetdb volume.
/opt/MegaRAID/perccli/perccli64 /c1 add vd type=raid6 drives=247:0-11 strip=128 force
To view the Virtual Drive created in the above step:
/opt/MegaRAID/perccli/perccli64 /c1 /vall show
Identify the new block device on the host. The block device name is identified under NAME column. The new block device corresponding to the above virtual drive is sdd. This block device name is required when configuring storage. Use ‘lsblk’ to list the block devices.
You must Configure Storage for Decoder / LogDecoder and Concentrator Configure Storage to complete the configuration.
Configure Block Device for ConcentratorConfigure Block Device for Concentrator
Block Devcies must be configured on PowerVaults before configuring the PowerVaults as storage to Concentrator. The Block Devices can be configured using the steps similar to Configure Block Device for Decoder / Log Decoder using percli64 utility. Use the SSD drives for index and the remaining drives for the Meta or Session DB.
Configure StorageConfigure Storage
Configure Storage for Decoder / LogDecoderConfigure Storage for Decoder / LogDecoder
Use REST API tool to configure the above block devices or virtual drives as Storage for Decoder / Log Decoder or Concentrator. For more information, see Storage Configuration Tasks (Task 3 and Task 4) for Decoder or Log Decoder and Task 1 to Task 5 for Concentrator in Configure Storage Using the REST API topic.
|Decoder / Log Decoder||PERC H740 Mini Adaptor||decodersmall||Refer to step 7 in Prepare Physical Storage (Decoder / Log Decoder) in this example the block device is ‘sdc’.|
|Decoder / Log Decoder||PERC H840 Adaptor||decoder||Refer to Step 6 in Configure Block Device for Decoder / Log Decoder in this example the block device is ‘sdd’.|
Configure Storage for ConcentratorConfigure Storage for Concentrator
Use REST API tool to configure the block devices created on Drive Pack and/or Power Vaults. The block devices created on SSD is allocated to Index database and the one created on HDD to Meta/Session Database. See Storage Configuration Tasks (Task 3 and Task 4) for Concentrator in Configure Storage Using the REST API topic.
Enable Security on SED Capable DrivesEnable Security on SED Capable Drives
To enable Security on the SED Capable Drive Group on PERC H740 Mini and PERC H840 Adaptors, see Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py) .