NetIQ Sentinel Storage requirements and configuration


Sentinel requires a big chunk of very fast storage to retain the events for the default period of 90 days.

I have been requested to design and implement a system to cope with logging an average of 5000 events per second.

To balance the required space and speed (very high I/O is quite an expensive demand to meet), I have purchased a Dell PowerEdge 720XD with a 24+2 chassis.

Local storage configuration:

2x 300GB 15K SAS for SLES

24x 900GB 10k SAS for Sentinel in RAID 10 configuration with a span of 4 (to maximize the IOPS)

Network storage:

Additional 20TB of SAN storage for the older data to be pushed down into.

 

Filesystem?

This has been very tricky:

For SLES you'd go for the recommended XFS; however, it's very slow with small files.

EXT4 – brilliant but not supported,

JFS – problematic

EXT3 – too slow for disk checks

The only option left was Btrfs, which gives a balance between reliability and speed – supported since SLES 11 SP2.

Sentinel by default installs on the / partition, and this is where the data is stored.

Make sure you mount /dev/xxx on /mnt/x (edit /etc/fstab as well)

and use ./install-sentinel --location /mnt/x
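
A pre-flight check for the step above, as an added example that is not part of the original post or of the Sentinel installer: it confirms that the directory given to --location is its own Btrfs mount with an fstab entry, so that events do not end up on /. The function name, device names and the sample mounts/fstab content are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# directory passed to ./install-sentinel --location.
# Usage: check_location DIR [MOUNTS_FILE] [FSTAB_FILE]

check_location() {
    dir=$1
    mounts=${2:-/proc/mounts}
    fstab=${3:-/etc/fstab}

    # Type of the filesystem mounted exactly at DIR; the last match wins
    # because a later mount shadows an earlier one on the same path.
    fstype=$(awk -v d="$dir" '$2 == d { t = $3 } END { print t }' "$mounts")
    if [ -z "$fstype" ]; then
        echo "FAIL: $dir is not a mount point, events would fill the parent filesystem"
        return 1
    fi
    if [ "$fstype" != "btrfs" ]; then
        echo "FAIL: $dir is $fstype, not btrfs"
        return 2
    fi
    # A non-comment fstab line with DIR as its mount point makes it persistent.
    if ! awk -v d="$dir" '$1 !~ /^#/ && $2 == d { ok = 1 } END { exit !ok }' "$fstab"; then
        echo "FAIL: $dir has no fstab entry, the mount is lost on reboot"
        return 3
    fi
    echo "OK: $dir is a persistent btrfs mount"
}

# Constructed sample data (hypothetical device names), written to a temp dir.
make_sample() {
    SAMPLE=$(mktemp -d)
    printf '%s\n' \
        '/dev/sda2 / ext3 rw,relatime 0 0' \
        '/dev/sdb1 /mnt/x btrfs rw,relatime 0 0' \
        '/dev/sdc1 /mnt/y xfs rw,relatime 0 0' \
        '/dev/sdd1 /mnt/z btrfs rw,relatime 0 0' > "$SAMPLE/mounts"
    printf '%s\n' \
        '/dev/sda2 / ext3 defaults 1 1' \
        '/dev/sdb1 /mnt/x btrfs defaults 0 0' \
        '#/dev/sdd1 /mnt/z btrfs defaults 0 0' > "$SAMPLE/fstab"
}

make_sample
for d in /mnt/x /mnt/y /mnt/z /mnt/missing; do
    check_location "$d" "$SAMPLE/mounts" "$SAMPLE/fstab" || true
done
```

On a real host, call check_location /mnt/x with no file arguments so it reads /proc/mounts and /etc/fstab.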

 

More guides about integration with other systems soon.
