Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Disk Manager

Snare Central includes a Disk Manager utility that allows the administrator to easily increase storage capacity for event data allocation by adding extra hard drives to an existing system, or by allowing the server to connect to an existing NAS device.

Disk Manager also allows the administrator to have transparent access to data backups in CD, DVD or USB media created with the Snare Central Data Backup utility directly, without needing to restore data to the local hard drive.


Snare Central disk layout

Snare Central complies with the “Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG)” recommendation from the US DoD, and uses the Linux logical volume manager (LVM) to provide the following file system structure by default:

PartitionSize and Details of UsageDisk Manger Resize Capability
/10.00 GB - part of operating systemNo
/boot0.50 GB - part of operating systemNo

/usr

5.00 GB - part of operating systemNo

/var

5.00 GB - part of operating systemNo

/var/log

5.00 GB - part of operating systemNo
/var/log/audit0.50 GB - part of operating systemNo
/home2.00 GB - User home directoriesNo
/tmp5.00 GB noudev,nosuid,noexec - used for temporary operating system and application filesNo
/data50.00 GB contains the Snare application and various operational componentsNo - can be resized using snare CLI menu
/data/SnareCache10.00 GB reserved for new database reporting engineYes
/data/SnareIndex10.00 GB reserved for new database reporting engineYes
/data/SnareResultsCache10.00 GB reserved for new database reporting engineYes
/data/SnareReflector5.00 GB used for new disk cache feature of reflectorYes
/data/SnareTransition10.00 GB used for Snare Collection subsystem before being archived to SnareArchiveYes
/data/SnareArchive00Any remaining disk spaceYes
/data/SnareArchiveOverlayfs file system used to allow the mounting of NFS, CIFS (Windows and Samba) shares, DVD, CDROM and USB backup media

If additional physical disk resources are assigned to the Snare Server, the Disk Manager objective will provide the ability to assign some or all of the available disk, to the partitions marked as compatible with resizing ("Yes") in the table above.

Interface

The Disk Manager user interface shows existing file systems represented as cylinders. It highlights the current space allocated and used. In the above example, the root file system is shown in black and is currently at 53% of capacity.

The Disk Manager top level icons include:

  1. Show/Hide (eye icon). Show or hide the non editable file systems.

  2. Reset (circular arrow icon). To reset the disks to their original sizes.

  3. Submit (right pointing arrow). To submit disk resize changes.

  4. NAS (cloud icon). To mount or unmount a NAS.

  5. DVD (CD icon). To mount or unmount a CD, DVD or USB data backup.

Selecting, or hovering the mouse over a particularly cylinder, displays the filesystem status and disk summary information.


 Mounting a CD, DVD or USB

The following image shows the DVD dialog. This dialog provides the capability to mount and/or unmount a data backup device. Once the device has been made available, the data on the device is merged with the default Snare data archive, making it available to query through the Snare Server user interface.

Ticking the 'mount at startup' checkbox will modify the system filesystem configuration to make the change persistent after a reboot.


Mounting a NAS

The NAS dialogue allows the user to mount or unmount a Network Attached Storage.


NAS devices are generally mounted as read-only data stores for historical/forensic data storage and archive. Although a NAS can be mounted as a writeable device, it will take the place of the current Snare Central archives, rendering them invisible until the NAS is unmounted.

Be aware that that a NAS device is unlikely to be as fast as a local hard drive and this could lead to collection and query performance issues if the system receives a high number of events-per-second (EPS).

Most NAS systems do not implement synchronous write acceleration. Please consider local disk or fibre attached SAN for systems with significant EPS collection requirements.

Please be aware that Snare Central has not been designed to take into consideration the loss of local disk availability in situations where network connectivity to the NAS is interrupted. User interface, report generation and other normal Snare Central activities may be significantly impacted.

In order to mount a NAS the user needs to provide:

  • A name to identify this device (e.g NAS1 or central_storage).
  • NAS IP address or name (FQDN) and port number to use.
  • The type of NAS to attach to (CIFS or NFS)
  • The share name inside the NAS as a path (or directory name in case of NFS).
  • User name and Password.
  • Workgroup if required (CIFS only).
  • If access to this device after reboot is needed or not (this checkbox actually updates /etc/fstab system file so becomes persistent).

Resizing a local file system

Important

IMPORTANT. Before changing the sizes on any file system, unmount any NAS, DVD, CD or USB device from the server as it may interfere with the resizing process and lead to unpredictable results.

DO NOT JUST INCREASE THE SIZE OF AN EXISTING DISK WHEN USING VIRTUAL BASED SYSTEMS, ADD A NEW DISK OF THE EXTRA SIZE CAPACITY YOU NEED TO THE SYSTEM. 

Due to the way the disks are managed and allocated the is no support for extending the size of a disk, it has to be a new disk for volume manager to manage the disk and slice up the space for partitions to use. 

If you want to use a new contiguous larger disk for storing the data then you will need to build a FULL new Snare Central and then do a side by side migration if you want to keep the existing data to use this newer larger disk space. 

Each of the local file systems on the server is represented by a cylinder in the Disk Manager user interface. Another cylinder represents the amount of “Free Space” available on the server.

Some file systems can be modified (grown or shrunk) by selecting and dragging the handle in the top left corner of the cylinder, up or down. It is also possible to change the file system size by entering an appropriate number directly in the text-entry box located at the top of the cylinder. Sizes can be entered in G (GB), T (TB), M (MB) or K (KB). If no units are specified the manager defaults to GB.

When growing a file system the free space cylinder will shrink. When reducing a disk the available free space will grow.

Any editable file system can grow up to the point where all available free space has been exhausted.

Any editable file system can be shrunk to within 20% of its unallocated (free) space.

Until modifications have been applied to the system, the 'reset' icon can restore all cylinders to their original values.

Once all the editable file systems are configured according to requirements, the submit button (right pointing arrow) will apply the changes.

It is highly recommended that only one file system at a time be resized.

Once the submit button has been clicked, a confirmation dialog will be shown. Selecting the 'x' close button on that dialog will abandon all changes.



Note

When resizing any file system all Snare back processes need to be stopped and depending on the size of the file system this could take several minutes.

Adding a new hard disk to Snare archive

If no more disk space is available, the administrator can add another physical disk (or disks) to the server. After a system reboot, the new drive will be available as free space in the Disk Manager ready to be assigned to existing files systems as described.


In the case of upgraded servers, Disk Manager will detect the new disk and ask you if you want to use the whole disk to increase the Snare Central disk capacity. Click the submit (arrow) button and after a few seconds the disk will be ready for use.


Note

Snare Disk Manager requires that the new disk does not contain an existing partition/filesystem in order for the disk to be correctly detected and used.

All new incoming data will be stored in the new disk and all previously existing data will remain in your old disk, in a read-only mode.

It is possible to add as many disks as the underlying hardware allows, but only the last disk added, will receive new events from the Snare Server event collection system. The data on all other disks will be set to read only mode. As such, it is recommended that a new disk not be added to the system, until your previous installation is at at least 80% full.

  • No labels