Disk Manager
Snare Central includes a Disk Manager utility that allows the administrator to easily increase storage capacity for event data allocation by adding extra hard drives to existing system or by allowing the server to connect to an existing NAS system.
Disk Manager also allows the administrator to have transparent access to data backups in CD, DVD or USB media created with the Snare Central Data Backup utility directly. There is no need to restore to the hard disk any more to view old data.
With this flexibility it is easier for the administrator to cope with Snare Central growing requirements in large and busy networks.
Snare Central disk layout
Snare Central complies with the “Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG)” recommendation from DoD and with "Center for Internet Security (CIS)" benchmark with the following independent file systems structure using Linux logical volume manager (LVM):
| Partition | Size and Details of Usage | Disk Manger Resize Capability |
| / | 10.00 GB - part of operating system | No |
| /boot | 0.50 GB - part of operating system | No |
/usr | 5.00 GB - part of operating system | No |
/var | 5.00 GB - part of operating system | No |
/var/log | 5.00 GB - part of operating system | No |
| /var/tmp | 5.00 GB - part of operating system | No |
| /var/log/audit | 0.50 GB - part of operating system | No |
| /home | 2.00 GB - User home directories | No |
| /tmp | 5.00 GB noudev,nosuid,noexec - used for temporary operating system and application files | No |
| /data | 50.00 GB contains the Snare application and various operational components | No - can be resized using snare CLI menu |
| /data/SnareCache | 10.00 GB reserved for new database reporting engine | Yes |
| /data/SnareIndex | 10.00 GB reserved for new database reporting engine | Yes |
| /data/SnareResultsCache | 10.00 GB reserved for new database reporting engine | Yes |
| /data/SnareReflector | 5.00 GB used for new disk cache feature of reflector | Yes |
| /data/SnareTransition | 10.00 GB used for Snare Collection subsystem before being archived to SnareArchive | Yes |
| /data/SnareArchive00 | rest of disk space | Yes |
| /data/SnareArchive | Overlayfs file system used to allow the mounting of NFS, CIFS( Windows and Samba) shares, DVD, CDROM and USB backup media |
With Snare Central using LVM for its file systems, it allows users to easily resize any of them if enough free disk space is available. One thing to notice is that the Snare Central main data storage is the rest of the server's disk capacity. If a new physical disk is added to the system, it can fully or partially be assigned to this file system within the Disk Manager.
Interface
The Disk Manager user interface shows the existing file systems represented as cylinders and their current usage (in above example, the root file system is showed in black and currently is a 53% of its capacity).
The menu includes:
Show/Hide (eye icon). Show or hide the non editable file systems.
Reset (circular arrow icon). To reset the disks to their original sizes.
Submit (right pointing arrow). To submit disk resize changes.
NAS (cloud icon). To mount or unmount a NAS.
DVD (CD icon). To mount or unmount a CD, DVD or USB data backup.
Selecting a cylinder displays the filesystem status. The following image show the disk summary available by clicking on the corresponding disk or hovering the mouse on top of it.
Mounting a CD, DVD or USB
The following image shows the DVD dialogue which allows to mount a data backup device making it available directly into Snare storage. Thus making the archived data immediately available to Snare so the user can run any objective right after mounting the corresponding device.
All that is needed is to specify what kind of device to mount and if access to this device after reboot is required or not (this checkbox actually updates /etc/fstab system file so it's persistent after a reboot if desired).
Note
When mounting or unmounting any device, all Snare back end processes are automatically stopped.
Mounting a NAS
The NAS dialogue is displayed below, which allows the user to mount a Network Attached Storage device making it available directly for Snare to use.
A NAS can be mounted to increase Snare Central capacity so any new data will be stored in the network device and at the same time, all previous data stored in the server's local hard drive will still be inaccessible for the system to use though. Be aware that a NAS device will never be as fast as a local hard drive and this could lead to performance constraints is the system has a high EPS demand on it. Most NAS systems don’t implement synchronous write acceleration like SAN disk systems do so will perform at a lower performance than conventional local disk or fibre attached SAN disk will. Another consideration is that if Snare Central loses network connectivity to the NAS access all data stored there won't be accessible and the system may experience long time-outs when trying to retrieve any data or become non responsive.
In order to mount a NAS the user needs to provide:
- A name to identify this device (e.g NAS1 or central_storage).
- NAS IP address or name (FQDN) and port number to use.
- The type of NAS to attach to (CIFS or NFS)
- The protocol version to use.
- The share name inside the NAS (or directory name in case of NFS).
- User name and Password.
- Workgroup if required (CIFS only).
- If access to this device after reboot is needed or not (this checkbox actually updates /etc/fstab system file so becomes persistent).
Note
When mounting or unmounting any device, all Snare back end processes will be stopped automatically.
Resizing a local file system
Important
IMPORTANT. Before changing the sizes on any file system, unmount any NAS, DVD, CD or USB device from the server as it may interfere with the resizing process and lead to unpredictable results.
As mentioned, each of the local file systems in the server is represented by a cylinder. There is one cylinder for each file system plus another that represents the available “Free Space” in the server. Some of these file systems can be modified (grown or shrunk) by dragging the handler in the top left corner of the cylinder. It is also possible to change the file system size by entering a size directly in the entry in the top of the cylinder. The user can enter a new size in G (GB default), T (TB), M (MB) or K (KB) if no units are specified the manager uses GB.
The user will notice that when growing a file system the free space will shrink and when reducing a disk the free space will grow.
Any editable file system can grow up to the available free space so when there is no more free space available no other file system can be expanded.
Any editable file system can be shrunk to a maximum of 20% of its available free space. If there is no free space in the files system (100% use) no shrinking is possible.
At any moment the user can reset the cylinders to their original values by clicking the reset icon in the Disk Manager menu.
Once all the editable file systems sizes are set as required, the user must submit the changes to the server with the submit button (right pointing arrow). Its highly recommended to resize only one file system at a time. Upon submit a warning as shown in the next image will be prompted.
Note
When resizing any file system all Snare back processes need to be stopped and depending on the size of the file system this could take several minutes.
Adding a new hard disk to Snare archive
If no more disk space is available, the administrator can add another physical disk (or disks) to the server and after a system reboot the new drive will be available as free space in the Disk Manager ready to be assigned to existing files systems as described.