13.2 Event Data

Sentinel closes the event data partitions after one day, and no more events are written to the closed partitions. Even though the duration for event data partitions is one day, a grace period of 10 minutes is given to accommodate events arriving late. You can change the grace period as necessary. For more information, see Setting the Grace Period to Close Event Data Partitions.

By default, after the partitions are closed, Sentinel copies a compressed copy of the partition to secondary storage, but also retains the uncompressed copy on primary storage as a fast-access cache for searching. When the primary storage reaches its maximum disk usage, Sentinel deletes the copy in the primary storage and the copy in the secondary storage remains online for searching.

NOTE: However, if disk space in primary storage is at a premium, you can compress these partitions as soon as they are closed to save disk space on primary storage. This requires additional I/O to compress the partition and store it on the primary partition, which means that the supported EPS rate will be significantly lower. Searches on these partitions will also be slower. Therefore, this option is only suitable for lower EPS rates and for deployments that need to get the most out of primary storage space. For information about compressing the storage index on primary partitions, see Compressing the Storage Index on Primary Partition.

The partitions are laid out as follows:

Primary storage: Open partitions + Most recent N days of closed partitions

  • Open partitions: The partitions that new data is being written to.

  • Most recent N days of closed partitions: As many of the most recently written closed partitions as can fit in primary storage.

Secondary storage: Most recent N days of closed partitions + The rest of the online data

  • The rest of the online data: The older closed partitions that primary storage no longer has room to hold. This data is online (searchable), just like the data in primary storage.

NOTE: Because of the above design consideration, the secondary storage size must always be larger than the primary storage size.

Sentinel stores the primary storage partitions in the /var/opt/novell/sentinel/data/eventdata directory, which is on the local file system. Sentinel creates partitions based on the dates and retention policies.

A central partition index is maintained in the database that keeps track of all the existing partitions and their location.

The following table describes the directory structure under the installation directory where event data is stored:

Table 13-3 Event Data Directory Structure

Directory Structure (each entry is followed by its Description)

/data
    The primary directory for all data storage.

/data/eventdata
    The subdirectory where all event data is stored.

/data/eventdata/events/YYYYMMDD_<class_id>
    A partition consists of the events for a single day (midnight to midnight UTC) within a given data retention class and is held within a subdirectory named YYYYMMDD_<class_id>, where:
    YYYYMMDD is the UTC date stamp.
    <class_id> is the UUID identifier associated with the data retention class.

/data/eventdata/events/YYYYMMDD_<class_id>/events.evt
    events.evt contains the binary event data for the partition. The binary event data is stored in the Reliable Persistent Random Access Compressed Stream format.

/data/eventdata/events/YYYYMMDD_<class_id>/index
    The index directory contains the Lucene index for the partition.

/data/eventdata/exported_associations
    This directory contains the event association data. It includes both the correlated event association data and the incident event association data.
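The partition naming, the one-day duration with its 10-minute grace period, and the "most recent closed partitions that fit in primary storage" rule can be checked from outside the product, which is useful when auditing whether a deployment's storage layout matches what this section describes. The following script is an added example and is not Sentinel code or part of its documentation; it only assumes the YYYYMMDD_<class_id> directory naming, the default durations given above, and the events.evt and index entries from Table 13-3. The directory listing and sizes it works on are constructed for the example.

```python
"""Classify Sentinel-style event partitions and plan the primary-storage cache.

Added example (not Sentinel's own code). Assumes partition directories named
YYYYMMDD_<class_id>, a one-day partition duration and a 10-minute grace
period, as described in the documentation text. All inputs below are
constructed sample data.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

PARTITION_RE = re.compile(r"^(?P<date>\d{8})_(?P<class_id>[0-9a-fA-F-]{36})$")
PARTITION_DURATION = timedelta(days=1)
GRACE_PERIOD = timedelta(minutes=10)   # documented default; configurable in Sentinel
EXPECTED_ENTRIES = {"events.evt", "index"}  # per Table 13-3


def parse_partition_name(name):
    """Return (partition_start_utc, class_id) or None if the name is not a partition."""
    match = PARTITION_RE.match(name)
    if match is None:
        return None
    try:
        start = datetime.strptime(match.group("date"), "%Y%m%d").replace(tzinfo=timezone.utc)
        class_id = str(uuid.UUID(match.group("class_id")))  # rejects malformed UUIDs
    except ValueError:  # impossible calendar date or bad UUID
        return None
    return start, class_id


def close_time(partition_start):
    """A partition is closed after one full day plus the grace period for late events."""
    return partition_start + PARTITION_DURATION + GRACE_PERIOD


def classify(name, now):
    """Classify a partition directory as 'open', 'closed', 'future' or 'invalid'."""
    parsed = parse_partition_name(name)
    if parsed is None:
        return "invalid"
    start, _ = parsed
    if now < start:
        return "future"  # a partition dated later than 'now' should not exist yet
    return "open" if now < close_time(start) else "closed"


def missing_entries(present_entries):
    """Return the Table 13-3 entries a partition directory lacks (sorted)."""
    return sorted(EXPECTED_ENTRIES - set(present_entries))


def plan_primary_cache(closed_partitions, primary_budget_bytes):
    """Split closed partitions into those cached on primary storage and secondary-only.

    closed_partitions: iterable of (directory_name, size_in_bytes).
    The newest partitions are kept first; from the first one that no longer
    fits, everything older stays only in secondary storage (still searchable).
    Returns (kept_on_primary, secondary_only), both newest first.
    """
    ordered = sorted(closed_partitions, key=lambda p: p[0][:8], reverse=True)
    kept, secondary_only, used = [], [], 0
    for name, size in ordered:
        if not secondary_only and used + size <= primary_budget_bytes:
            kept.append(name)
            used += size
        else:
            secondary_only.append(name)
    return kept, secondary_only


# Constructed sample data: one retention class, listing taken at 2024-01-16 00:05 UTC.
CLASS_ID = "2f1e9f4a-5b6c-4d7e-8f90-a1b2c3d4e5f6"
NOW = datetime(2024, 1, 16, 0, 5, tzinfo=timezone.utc)
SAMPLE_LISTING = {
    f"20240112_{CLASS_ID}": {"events.evt", "index"},
    f"20240113_{CLASS_ID}": {"events.evt", "index"},
    f"20240114_{CLASS_ID}": {"events.evt"},           # index missing: worth investigating
    f"20240115_{CLASS_ID}": {"events.evt", "index"},  # still inside the grace period
    f"20240116_{CLASS_ID}": {"events.evt", "index"},
    "lost+found": set(),
}
SAMPLE_SIZES = {  # constructed byte counts for the closed partitions
    f"20240112_{CLASS_ID}": 150,
    f"20240113_{CLASS_ID}": 100,
    f"20240114_{CLASS_ID}": 120,
}


def report(listing=SAMPLE_LISTING, sizes=SAMPLE_SIZES, now=NOW, budget=300):
    """Produce a per-partition state map plus the primary-cache plan."""
    states = {name: classify(name, now) for name in listing}
    closed = [(name, sizes[name]) for name, state in states.items() if state == "closed"]
    kept, secondary_only = plan_primary_cache(closed, budget)
    problems = {name: missing_entries(entries) for name, entries in listing.items()
                if states[name] in ("open", "closed") and missing_entries(entries)}
    return {"states": states, "primary": kept, "secondary_only": secondary_only,
            "problems": problems}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The 00:05 UTC timestamp in the sample is chosen to show the grace period: the 20240115 partition is already past midnight but is still reported as open, because late events may arrive for another five minutes. The `plan_primary_cache` rule stops at the first partition that does not fit, which mirrors the "most recent N days" description rather than packing older, smaller partitions around it.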