Following commands are commonly used for the file extension.
-
/dev/sdc for extending nw-home or /var/netwitness.
-
/dev/sdd for creating /var/netwitness/xxxxxx.
-
/dev/<> for creating /var/netwitness/xxxxxx/metadb.
-
/dev/<> for creating /var/netwitness/xxxxx/sessiondb.
-
/dev/sde for creating /var/netwitness/xxxxx/index.
The number of /dev/<> varies based on the retention days or the number of disks attached.
Admin Server
NetWitness recommended partition for AdminServer.
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
2TB |
SSD |
Attach external disk for extension of /var/netwitness/ (refer to the steps in attaching the disk) partition. Create an additional disk with suffix as nwhome.
Follow these steps:
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, for example if you attach one 2TB disk.
3. pvcreate <pv_name> suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
or,
lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
ESAPrimary/ESASecondary/Malware
NetWitness recommended partition for ESAPrimary/ESASecondary/Malware.
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
6TB |
HDD |
Attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.
Follow these steps:
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
3. pvcreate <pv_name> suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 5.9T /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
Log Collector
NetWitness recommends the following partition for the LogCollector (Can be changed based on the retention days).
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
500GB |
HDD |
Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, for example if you attach one 500GB disk
3. pvcreate <pv_name> suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 488G /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
Log Decoder
Virtual Drive Space Ratios
The following table provides optimal configurations for packet and log hosts.
| Log Decoder |
| Persistent Datastores |
Cache Datastore |
| PacketDB |
SessionDB |
Meta DB |
Index |
| 100% as calculated by Sizing & Scoping Calculator |
1 GB per 1000 EPS of traffic sustained provides 8 hours cache |
20 GB per 1000 EPS of traffic sustained provides 8 hours cache |
0.5 GB per 1000 EPS of traffic sustained provides 4 hours cache |
Extending File Systems
Follow the below instructions to extend the file systems.
Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for LogDecoder database partition. For extending /var/netwitness partition follow these steps:
No other partition should reside on this volume, only to be used for /var/netwitness/
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
3. pvcreate <pv_name> suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
or,
lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
Other partitions are also required. Create the following partitions on the logdecodersmall volume group.
| /var/netwitness/logdecoder |
decoroot |
logdecodersmall |
| /var/netwitness/logdecoder/index |
index |
logdecodersmall |
|
/var/netwitness/logdecoder/metadb
|
metadb
|
logdecodersmall
|
| /var/netwitness/logdecoder/sessiondb |
sessiondb |
logdecodersmall |
Follow these steps to create the partitions mentioned in the table above:
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 logdecodersmall /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> logdecodersmall
5. mkfs.xfs /dev/logdecodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned
The following partition should be on volume group LogDecoder
| /var/netwitness/logdecoder/packetdb |
packetdb |
logdecoder |
Follow these steps:
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 logdecoder /dev/sde
4. lvcreate –L <disk_size> -n packetdb logdecoder
5. mkfs.xfs /dev/logdecoder/packetdb
NetWitness recommends below sizing partition for LogDecoder (Can be changed based on the retention days)
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
1TB |
HDD |
| /dev/logdecodersmall/decoroot |
/var/netwitness/logdecoder |
10GB |
HDD |
|
/dev/logdecodersmall/index
|
/var/netwitness/logdecoder/index
|
30GB
|
HDD
|
| /dev/logdecodersmall/metadb |
/var/netwitness/logdecoder/metadb |
3TB |
HDD |
|
/dev/logdecodersmall/sessiondb
|
/var/netwitness/logdecoder/sessiondb
|
370GB
|
HDD
|
| /dev/logdecoder/packetdb |
/var/netwitness/logdecoder/packetdb |
18TB |
HDD |
Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.
Create the folder /var/netwitness/logdecoder and mount on /dev/logdecodersmall/decoroot then create the other folders and mount them.
After that add the below entries in /etc/fstab in the same order and mount them using mount –a.
/dev/logdecodersmall/decoroot /var/netwitness/logdecoder xfs noatime,nosuid 1 2
/dev/logdecodersmall/index /var/netwitness/logdecoder/index xfs noatime,nosuid 1 2
/dev/logdecodersmall/metadb /var/netwitness/logdecoder/metadb xfs noatime,nosuid 1 2
/dev/logdecodersmall/sessiondb /var/netwitness/logdecoder/sessiondb xfs noatime,nosuid 1 2
/dev/logdecoder/packetdb /var/netwitness/logdecoder/packetdb xfs noatime,nosuid 1 2
Concentrator
Virtual Drive Space Ratios
The following table provides optimal configurations for packet and log hosts.
| Concentrator |
| Persistent Datastores |
Cache Datastores |
| Meta DB |
SessionDB Index |
Index |
| Calculated as 10% of the PacketDB required for a 1:1 retention ratio |
30 GB per 1TB of PacketDB for standard multi protocol network deployments as seen at typical internet gateways |
5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access |
| Log Concentrator |
| Persistent Datastores |
Cache Datastores |
| Meta DB |
SessionDB Index |
Index |
| Calculated as 100% of the PacketDB required for a 1:1 retention ratio |
3 GB per 1000 EPS of sustained traffic per day of retention |
5% of the calculated MetaDB on the Concentrator. Preferred High Speed Spindles or SSD for fast access |
Extending File Systems
Attach external disk for extension of /var/netwitness/ partition, Create an external disk with suffix as nwhome, attach other external disks for Concentrator database partition.
For extending /var/netwitness partition follow below steps:
No other partition should reside on this volume, only to be used for /var/netwitness/.
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, for example if you attach one 2TB disk
3. pvcreate /dev/sdc suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
or,
lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
The following partitions are also required on volume group concentrator.
| /var/netwitness/concentrator |
root |
concentrator |
| /var/netwitness/concentrator/sessiondb |
sessiondb |
concentrator |
|
/var/netwitness/concentrator/metadb
|
metadb
|
concentrator
|
Follow these steps:
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 concentrator /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> concentrator
5. mkfs.xfs /dev/concentrator/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned
Below partition should be on volume group index
| /var/netwitness/concentrator/index |
index |
index |
Follow these steps:
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 index /dev/sde
4. lvcreate –L <disk_size> -n index index
5. mkfs.xfs /dev/index/index
NetWitness recommends below sizing partition for Concentrator (Can be changed based on the retention days)
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
1TB |
HDD |
| /dev/concentrator/root |
/var/netwitness/concentrator |
10GB |
HDD |
|
/dev/concentrator/metadb
|
/var/netwitness/concentrator/metadb
|
3TB
|
HDD
|
| /dev/concentrator/sessiondb |
/var/netwitness/concentrator/sessiondb |
370GB |
HDD |
| /dev/index/index |
/var/netwitness/concentrator/index
|
2TB
|
HDD
|
Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.
Create the folder /var/netwitness/concentrator and mount on /dev/concentrator/root then create the other folders and mount them.
After that add the below entries in /etc/fstab in the same order
/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2 2
/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2
Archiver
The following partition is required for the Archiver volume group.
| /var/netwitness/archiver |
archiver |
archiver |
Follow these steps:
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 archiver /dev/sde
4. lvcreate –L <disk_size> -n archiver archiver
5. mkfs.xfs /dev/archiver/archiver
Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for Archiver database partition.
For extending /var/netwitness partition follow these steps:
No other partition should reside on this volume, only to be used for /var/netwitness.
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
3. pvcreate /dev/sdc suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
or,
lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
NetWitness recommends the following sizing partition for the Archiver (Can be changed based on the retention days).
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
1TB |
HDD |
| /dev/archiver/archiver |
/var/netwitness/archiver |
4TB |
HDD |
Create each directory and mount the LVM on it in a serial manner, except /var/netwitness which will be already created.
After that add the below entries in /etc/fstab in the same order
/dev/archiver/archiver /var/netwitness/archiver xfs noatime,nosuid 1 2
Decoder
Virtual Drive Space Ratios
The following table provides optimal configurations for packet and log hosts.
| Decoder |
| Persistent Datastores |
Cache Datstore |
| PacketDB |
SessionDB |
Meta DB |
Index |
| 100% as calculated by Sizing & Scoping Calculator |
6 GB per 100Mb/s of traffic sustained provides 4 hours cache |
60 GB per 100Mb/s of traffic sustained provides 4 hours cache |
3 GB per 100Mb/s of traffic sustained provides 4 hours cache |
Extending File Systems
Attach an external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome, attach other external disks for decoder database partition. For extending /var/netwitness partition follow these steps:
No other partition should reside on /var/netwitness/.
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, suppose if you had add attach one 2TB disk
3. pvcreate /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 1.9T /dev/netwitness_vg00/nwhome
or,
lvextend -l +100%FREE /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
The following four partitions should be on the decodersmall volume group.
| /var/netwitness/decoder |
decoroot |
decodersmall |
| /var/netwitness/decoder/index |
index |
decodersmall |
|
/var/netwitness/decoder/metadb
|
metadb
|
decodersmall
|
| /var/netwitness/decoder/sessiondb |
sessiondb |
decodersmall |
Follow these steps:
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sdd
3. vgcreate –s 32 decodersmall /dev/sdd
4. lvcreate –L <disk_size> -n <lvm_name> decodersmall
5. mkfs.xfs /dev/decodersmall/<lvm_name>
6. Repeat steps 4 and 5 for all the LVM’s mentioned
The following partition should be on the decoder volume group.
| /var/netwitness/decoder/packetdb |
packetdb |
decoder |
1. Execute lsblk and get the physical volume names from the output
2. pvcreate /dev/sde
3. vgcreate –s 32 decoder /dev/sde
4. lvcreate –L <disk_size> -n packetdb decoder
5. mkfs.xfs /dev/decoder/packetdb
NetWitness recommends the following sizing partition for the Decoder (Can be changed based on the retention days).
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
1TB |
HDD |
| /dev/decodersmall/decoroot |
/var/netwitness/decoder |
10GB |
HDD |
|
/dev/decodersmall/index
|
/var/netwitness/decoder/index
|
30GB
|
HDD
|
| /dev/decodersmall/metadb |
/var/netwitness/decoder/metadb |
3TB |
HDD |
|
/dev/decodersmall/sessiondb
|
/var/netwitness/decoder/sessiondb
|
370GB
|
HDD
|
| /dev/decoder/packetdb |
/var/netwitness/decoder/packetdb |
18TB |
HDD |
Create each directory and mount the LVM on it in serial manner, except /var/netwitness which will be already created.
Create the folder /var/netwitness/decoder and mount on /dev/decodersmall/decoroot then create the other folders and mount them.
After that add the below entries in /etc/fstab in the same order and mount them using mount –a.
/dev/decodersmall/decoroot /var/netwitness/decoder xfs noatime,nosuid 1 2
/dev/decodersmall/index /var/netwitness/decoder/index xfs noatime,nosuid 1 2
/dev/decodersmall/metadb /var/netwitness/decoder/metadb xfs noatime,nosuid 1 2
/dev/decodersmall/sessiondb /var/netwitness/decoder/sessiondb xfs noatime,nosuid 1 2
/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2
Endpoint Log Hybrid
Virtual Drive Space Ratios
The following table provides optimal configurations for packet and log hosts.
| EndPoint Log Decoder |
| |
MetaDB |
PacketDB |
SessionDB |
Index |
Total |
| Log Decoder |
120 GB |
26GB |
6Gb |
NA
|
152GB |
| Concentrator |
206GB |
NA |
6GB |
4GB |
216GB |
| MongoDB |
NA |
NA |
NA |
NA
|
13GB (12 GB tracking data, 1 GB scan data) |
The above Endpoint Log Hybrid sizing guidelines are for 20 K agents and 20 K events per day per agent with an event size of 1500 bytes.
The same sizing guidelines are applicable for scan data with 20 K sessions per day per agent except MongoDB as mentioned above.
Extending File Systems
For Endpoint Server, attach external disk for extension of /var/netwitness/ partition, create an external disk with suffix as nwhome.
Follow these steps:
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
3. pvcreate <pv_name> suppose the PV name is /dev/sdc
4. vgextend netwitness_vg00 /dev/sdc
5. lvextend –L 5.9T /dev/netwitness_vg00/nwhome
6. xfs_growfs /dev/mapper/netwitness_vg00-nwhome
NetWitness recommended partition for Endpoint Server (Can be changed based on the retention days).
| /dev/netwitness_vg00/nwhome |
/var/netwitness/ |
6TB |
HDD |
For Mongo DB, attach external disk for extension of /var/netwitness/mongo partition, create an external disk with suffix as nwhome.
Follow these steps:
1. Ensure you have added a new disk. For more information, see Task 1. Add New Disk.
2. Execute lsblk and get the physical volume name, for example, if you attach one 6TB disk
3. pvcreate <pv_name> suppose the PV name is /dev/sdc1
4. vgextend hybrid /dev/sdc1
5. lvextend –L 5.9T /dev/hybrid-vlmng
6. xfs_growfs /dev/mapper/hybrid-vlmng
NetWitness recommended partition for Mongo DB (Can be changed based on the retention days).
| /dev/hybrid-vlmng |
/var/netwitness/mongo |
6TB |
HDD |
For Log Decoder, Log Collector, and Concentrator see Log Decoder, Log Collector, and Concentrator.
UEBA
The following procedure attaches an external disk and extends the /var/netwitness/ partition. You must use nwhome as the eternal disk suffix. This procedure illustrates how to add a 2TB disk.
/var/netwitness is the only partition that can reside on this volume.
1. List the physical volume name.
lsblk (for example, dev/mapper/sdc)
2. Extend the /var/netwitness/ partition.
pvcreate <pv_name>where pv_name is dev/mapper/sdc
vgextend netwitness_vg00 /dev/mapper/sdc
lvextend –L 1.9T /dev/mapper/netwitness_vg00/nwhome
xfs_growfs /dev/mapper/netwitness_vg00-nwhome
This partition is the NetWitness recommended partition for UEBA. You can change it based on retention days.
