5.2 Configuring Networked Storage Locations

All closed event data files are copied from the local storage location to the networked storage location. The original files are retained on Sentinel to facilitate faster searches. However, if the Sentinel server disk space usage nears a user-defined threshold, duplicate data files on the local storage area are deleted from the Sentinel server.

5.2.1 Supported Storage Options

Sentinel supports the following types of storage options:

  • Local Storage or SAN: The local storage or Storage Area Network (SAN) option includes storage that is attached directly to the Sentinel machine. This option provides the best combination of performance, security, and reliability.

  • CIFS: The Common Internet File System (CIFS) is a native Windows protocol. It is also known as the Server Message Block (SMB) protocol in later implementations. The latest implementation from Microsoft is referred to as SMB 2.

  • NFS: The NFS protocol requires significant configuration to improve performance and security, and it is recommended only if you already have a well-established NFS infrastructure in your environment.

    If the networked storage is an NFS server, additional configuration is necessary to ensure that the Sentinel server has the necessary permissions. See Exporting the Networked Storage Volume for more information.

WARNING: Only one Sentinel server should be configured to use a particular networked storage directory (remote share). Configuring the same networked storage location across multiple Sentinel servers can cause system failure.

The local storage must use a different partition than the one used for the networked storage.

  • The system monitors the disk usage of both local storage and networked storage, freeing space on local storage when it fills up. If both storage locations share the same underlying file system partition, the way in which the partition usage changes as a result of deleting data confuses the system and could result in undesirable behavior.

  • The event data is first copied to networked storage rather than moved, because there is an assumption that these are two different disk partitions. If they are on the same disk partition instead of on different disk partitions, the storage usage monitoring is confused by how the usage is changing, which could result in undesirable behavior.

5.2.2 Types of Networked Storage

You can enable and configure networked storage for raw data and event data stored on the Sentinel server.

Raw Data Storage

A raw data file can be in the .open state when the data is currently being written, in the .log state when the data is no longer being written to the file but the file is not yet compressed, or in the .zip state when the file is compressed. The file compression process runs every 10 minutes, by default. These compressed files appear in both the local storage and networked storage locations if networked storage is configured and enabled.

If networked storage is configured and enabled, compressed raw data files are copied to the configured networked storage location every 15 minutes.

For more information on raw data storage, see Raw Data Storage.

Event Data Storage

If networked storage is enabled, the closed files are moved to networked storage every midnight UTC and also whenever the server starts. These files are compressed in the local storage location, but the file indexes are compressed before moving to the networked storage. If the networked storage location is not configured or if there is any problem while moving the closed files, attempts are made every 60 seconds to move the files to networked storage until it succeeds.

5.2.3 Configuring Networked Storage

The NFS, CIFS/SMB, and SAN must be configured so that Sentinel has read and write permissions.

For CIFS/SMB and NFS, if multiple Sentinel instances are moving the closed partitions to the same networked storage location, ensure that each Sentinel instance has its own unique directory on that networked storage location.

Configuring a SAN/Local Directory as a Networked Storage Location

This is the preferable configuration for the best performance, security, and reliability.

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Click Storage in the toolbar.

  3. Click the Configuration tab.

    The configuration page is displayed.

  4. From the Data Storage Location section, select SAN (locally mounted) as the networked storage location.

  5. In the Location field, specify the local directory path or the location on which the storage area network (SAN) is mounted.

    The SAN partition must be manually mounted before the location is specified.

  6. Click Test to check if the write permissions for the specified location are available.

    If the location is configured properly, a message is displayed confirming that the test is successful.

    If the location is not configured, the test fails, and the reason for failure is displayed.

  7. Click Save to configure the specified networked storage location.

Configuring a CIFS/SMB Server as a Networked Storage Location

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Click Storage in the toolbar.

  3. Click the Configuration tab.

  4. In the Data Storage Location section, select CIFS.

  5. Specify the following information:

    Server: Specify the IP address or hostname of the machine where the CIFS server, also known as the SMB server, is configured.

    Share: Specify the share name of the SMB or CIFS server. The mounted shares are unmounted when the server stops and are mounted again when the server starts. If the configured share unmounts, the Sentinel server detects this and mounts it again.

    Username: Specify the username (if one is assigned) to access the share.

    Password: Specify the password (if one is assigned) to access the share.

    Mount Options: Specifies the options that are used while mounting the networked storage location of the SMB or the CIFS server.

    You can specify new mount options. For more information about the available CIFS mount options, see the mount.cifs (8) - Linux man page.

    The default mount options are file_mode=0660,dir_mode=0770.

  6. (Optional) Click Restore Defaults to restore the default mount options.

  7. Click Test to mount the SMB or CIFS server and to check the write permissions on the server. If the CIFS server is configured properly, a message is displayed that the test was successful.

    If the CIFS server is not configured, the test fails, and the reason for failure is displayed.

  8. Click Save to configure the specified networked storage location.

Configuring an NFS Server as a Networked Storage Location

The NFS protocol requires significant configuration to improve performance and security, and it is recommended only when you already have a well-established NFS infrastructure in your environment.

Exporting the Networked Storage Volume

The NFS server needs to export (share) the networked storage volume to the Sentinel server so that the networked storage is readable by the root user on the Sentinel server. The settings described in this section indicate one method to achieve this readability:

  • The NFS server must have a user and a group with a UID and a GID that correspond to the novell user and group on the Sentinel server.

    In the following examples, the user on the NFS server is novell with UID=5555 and the group is novell with GID=5555. The Sentinel server has the hostname log-manager-server, which can be resolved by the NFS server.

  • The networked storage destination directory on the NFS server must be owned by the novell user and group. In the following examples, the networked storage destination is /archive.

  • The root user on the Sentinel server must be mapped to the novell user and group on the NFS server.

    • Linux: Add the following line to the /etc/exports file:

      /archive sentinel-server(rw,root_squash,anonuid=5555,anongid=5555)

    • Solaris: Add the following line to the /etc/dfs/dfstab file:

      /usr/bin/share -F nfs -o sec=sys,rw=sentinel-server,anon=5555 -d "/archive" /archive

    • HP-UX: Add the following line to the /etc/exports file:

      /archive -access=sentinel-server,anon=5555

You can speed up the archiving process by adding the async option. However, this might increase the risk of lost or corrupt networked storage if the NFS server crashes. The following examples demonstrate using the async option:

  • Linux: Add the following line to the /etc/exports file:

    /archive sentinel-server(rw,async,root_squash,anonuid=5555,anongid=5555)

  • HP-UX: Add the following line to the /etc/exports file:

    /archive -access=sentinel-server,anon=5555,async

For information on security recommendations for NFS, see Section 4.0, Security Considerations.
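
A pre-flight check for the Linux export line described above, as an added example that is not part of the Sentinel documentation or product. The function name audit_export, the constructed sample lines and the choice of checks are assumptions of this example; the path /archive, the client name sentinel-server and the ID 5555 are taken from the examples in this section.

```python
import re

# Constructed /etc/exports content for illustration (not from a real server).
GOOD = "/archive sentinel-server(rw,root_squash,anonuid=5555,anongid=5555)\n"
STRAY_SPACE = "/archive sentinel-server (rw,root_squash,anonuid=5555,anongid=5555)\n"
TRAILING_OPT = "/archive sentinel-server(rw,root_squash,anonuid=5555,anongid=5555),async\n"

def audit_export(text, path="/archive", host="sentinel-server", anon_id="5555"):
    """Return a list of findings for the export of `path` in /etc/exports text."""
    findings, seen = [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if not fields or fields[0] != path:
            continue
        seen = True
        clients = fields[1:]
        # One Sentinel server per networked storage directory.
        if len(clients) != 1:
            findings.append(f"expected exactly one client, found {len(clients)}")
        for spec in clients:
            # host(opt,opt,...) with an optional option list; nothing may follow ')'.
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m is None:
                findings.append(f"malformed client spec: {spec}")
                continue
            client = m.group(1) or "any host"   # a bare "(...)" applies to every host
            opts = set((m.group(2) or "").split(","))
            if client != host:
                findings.append(f"exported to {client}, not {host}")
            if "rw" not in opts:
                findings.append(f"{client}: rw missing, Sentinel cannot write")
            if "no_root_squash" in opts:
                findings.append(f"{client}: no_root_squash, root is not mapped to novell")
            for key in ("anonuid", "anongid"):
                if f"{key}={anon_id}" not in opts:
                    findings.append(f"{client}: {key} is not {anon_id}")
            if "async" in opts:
                findings.append(f"{client}: async, data can be lost if the NFS server crashes")
    if not seen:
        findings.append(f"{path} is not exported")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("STRAY_SPACE", STRAY_SPACE), ("TRAILING_OPT", TRAILING_OPT)):
        print(name, audit_export(text) or "ok")
```

A stray space before the option list is the case worth watching for: the options then apply to every host, and the Sentinel server itself gets only the defaults.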

Configuring NFS as a Networked Storage Location

You must configure networked storage in the Sentinel administrator interface as follows:

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Click Storage in the toolbar.

  3. Click the Configuration tab.

  4. In the Data Storage Location section, select the NFS option.

  5. Specify the following information:

    Server: Specify the IP address or hostname of the machine where the NFS server is configured.

    Share: Specify the share name of the NFS server.

    The mounted shares are unmounted when the server stops and are mounted again when the server starts. If the configured share unmounts, the Sentinel server detects this and mounts it again.

    Mount Options: Specifies the options that are used while mounting the networked storage location of the NFS server.

    You can also specify new mount options. For more information about the available NFS mount options, see NFS (5) Linux Programmer’s Manual.

    The default mount options are soft,proto=tcp,retrans=1,timeo=60.

  6. (Optional) Click Restore Defaults to restore the default mount options.

  7. Click Test to verify the configuration of the NFS server and to check the write permissions on the server. If the NFS server is configured properly, a message is displayed that the test was successful.

    If the NFS server is not configured, the test fails and the reason for failure is displayed.

    This procedure tests a subset of all of the settings that are necessary for the NFS server and client.

  8. Click Save to configure the specified networked storage location.

5.2.4 Enabling or Disabling Networked Storage

The options to enable and disable networked storage appear only when the data storage location is configured. However, event search and reporting work even when the data storage is disabled.

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Click Storage in the toolbar.

  3. Click the Configuration tab.

  4. To enable writing to the data storage location, select Enabled.

    If you use this option, you can write both the raw data and event data to the configured networked storage location. To configure the networked storage locations, refer to Configuring Networked Storage.

  5. To disable writing to the data storage location, select Disabled.

    This selection disables the writing of the raw data and event data storage.

    If you use this option, you cannot write to the data storage location, but you can still read the stored data. Search shows the events that are stored, and you can also download the stored raw data.

  6. Click Save.

5.2.5 Unmounting a Networked Storage Location

If the networked storage location is unmounted, data storing is disabled, and search and report results include only the local storage data. The Unmount Networked Storage option appears only if the data storage location is configured.

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Click Storage in the toolbar.

  3. Click the Configuration tab.

  4. To unmount the data storage location, select Unmount Networked Storage.

    A confirmation message is displayed, asking if you really want to unmount the networked storage.

    If you unmount networked storage, Sentinel can no longer access the data in the networked storage. If the networked storage location is configured to a remote location such as NFS or SMB/CIFS, the networked storage location is unmounted.

  5. Click Unmount Networked Storage.

5.2.6 Changing the Networked Storage Location

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Click Storage in the toolbar.

  3. Click the Configuration tab.

  4. In the Data Storage Location section, select Change Location. The Change Location option is displayed only if the networked storage location is configured.

    A confirmation message is displayed, asking if you want to change the networked storage location.

  5. Click Change Location.

  6. Select the option to disable data collection.

    You can select this option to avoid filling the local storage before data is moved to the new location. If this option is not selected and if the local storage is filled before the new data storage location is configured, the oldest data is deleted to make space for the incoming data.

  7. Configure the new data storage location.

    For more information about configuring the NFS, SMB/CIFS, or local/SAN networked storage locations, see Configuring Networked Storage.

  8. Click Save to save the changes and configure the new networked storage location.

  9. Manually copy the files from the old networked storage location to the new networked storage location.

  10. After copying the files, select the Copy Done option to start data storage at the new location.

  11. (Optional) Click Cancel to return to the previous networked storage configuration.