All closed event data files are copied from the primary storage location to the secondary storage location. The original files are retained on primary storage to facilitate faster searches. However, if the primary storage disk space usage nears a user-defined threshold, duplicate data files on the primary storage area are deleted from the primary storage and remain only on secondary storage.
Sentinel supports the following types of storage options:
Primary Storage or SAN: The primary storage or Storage Area Network (SAN) option includes storage that is attached directly to the Sentinel computer. This option provides the best combination of performance, security, and reliability.
CIFS: The Common Internet File System (CIFS) is a native Windows protocol. It is also known as the Server Message Block (SMB) protocol in later implementations. The latest implementation from Microsoft is referred to as SMB 2.
NFS: The NFS protocol requires significant configuration to optimize performance and security, and it is recommended only if you already have a well-established NFS infrastructure in your environment.
If the secondary storage is an NFS server, additional configuration is necessary to ensure that the Sentinel server has the necessary permissions. For more information, see Exporting the Secondary Storage Volume.
WARNING:Only one Sentinel server should be configured to use a particular secondary storage directory (remote share). Configuring the same secondary storage location across multiple Sentinel servers might cause system failure.
The primary storage must use a different partition than the partition that is used for the secondary storage.
The system monitors the disk usage of both primary storage and secondary storage, freeing space on primary storage when it fills up. If both storage locations share the same underlying file system partition, the way in which the partition usage changes as a result of deleting data confuses the system and could result in undesirable behavior.
The event data is first copied to secondary storage rather than moved, because there is an assumption that these are two different disk partitions. If they are in same disk partition instead of being on the different disk partition, the storage usage monitoring is confused by how the usage is changing and could result in undesirable behavior.
You can enable and configure secondary storage for raw data and event data stored on the Sentinel server.
Raw data files are compressed and have the .gz extension. When the data is currently being written into, the raw data file appears with the .open extension.
If secondary storage is configured and enabled, Sentinel copies the compressed raw data files to the configured secondary storage location every 15 minutes.
If secondary storage is enabled, Sentinel moves the closed files to secondary storage every midnight UTC and also whenever the server starts. These files are compressed in the primary storage location, but the file indexes are compressed before moving to the secondary storage. If the secondary storage location is not configured or if there is any problem while moving the closed files, Sentinel attempts to move the files to secondary storage every 60 seconds until it succeeds.
The NFS, CIFS/SMB, and SAN must be configured so that Sentinel has read and write permissions.
For CIFS/SMB and NFS, if multiple Sentinel instances are moving the closed partitions to the same secondary storage location, ensure that each Sentinel instance has its own unique directory on that secondary storage location.
Configuring a SAN/Local directory as a secondary storage location is the preferable configuration for best performance, security, and reliability.
Log in to the Sentinel Web interface as a user in the administrator role.
Click Storage > Configuration.
From the Data Storage Location section, select SAN (locally mounted) as the secondary storage location.
In the Location field, specify the local directory path or the location on which the storage area network (SAN) is mounted.
The SAN partition must be manually mounted before the location is specified.
Click Test to check if the write permissions for the specified location are available.
Click Save to configure the specified secondary storage location.
Log in to the Sentinel Web interface as a user in the administrator role.
Click Storage > Configuration.
In the Data Storage Location section, select CIFS.
Specify the following information:
Server: Specify the IP address or hostname of the computer where the CIFS server, also known as the SMB server, is configured.
Share: Specify the share name of the SMB or CIFS server. The mounted shares are unmounted when the server stops and are mounted again when the server starts. If the configured share unmounts, the Sentinel server detects this and mounts it again.
Username: Specify the user name (if one is assigned) to access the share.
Password: Specify the password (if one is assigned) to access the share.
Mount Options: Specifies the options that are used while mounting the secondary storage location of the SMB or the CIFS server.
You can specify new mount options. For more information about the available NFS mount options, see the mount.cifs (8) - Linux man page.
The default mount options are file_mode=0660,dir_mode=0770.
(Optional) Click Restore Defaults to restore the default mount options.
Click Test to mount the SMB or CIFS server and to check the write permissions on the server.
Click Save to configure the specified secondary storage location.
The NFS protocol requires significant configuration to improve performance and security. NFS server is recommended only when you already have a well-established NFS infrastructure in your environment.
The NFS server needs to export (share) the secondary storage volume to the Sentinel server so that the secondary storage is readable by the root user on the Sentinel server. The settings described in this section indicate one of the methods to achieve this readability:
The NFS server must have a user and a group with a UID and a GID that correspond to the novell user and group on the Sentinel server.
In the following examples, the user on the NFS server is novell with UID=5555 and the group is novell with GID=5555. The Sentinel server has the hostname log-manager-server, which can be resolved by the NFS server.
The novell user and group must own the secondary storage destination directory on the NFS server. In the following examples, the secondary storage destination is /archive.
Map the root user on the Sentinel server to the novell user and group on the NFS server.
Linux: Add the following line to the /etc/exports file:
/archive sentinel=server(rw,root_squash,anonuid=5555,anongid=5555)
Solaris: Add the following line to the /etc/dfs/dfstab file:
/usr/bin/share -F nfs -o sec=sys,rw=sentinel-server,anon=5555 -d "/archive" /archive
HP-UX: Add the following line to the /etc/exports file:
archive -access=sentinel-server,anon=5555
You can speed up the archiving process by adding the async option. However, this might increase the risk of lost or corrupt secondary storage if the NFS server crashes. The following examples demonstrate using the async option:
Linux: Add the following line to the/etc/exports file:
/archive sentinel=server(rw,root_squash,anonuid=5555,anongid=5555),async
HP-UX: Add the following line to the /etc/exports file:
archive -access=sentinel-server,anon=5555,async
For information about security recommendations for NFS, see Section 3.0, Security Considerations.
Configure the secondary storage as follows:
Log in to the Sentinel Web interface as a user in the administrator role.
Click Storage > Configuration.
In the Data Storage Location section, select the NFS option.
Specify the following information:
Server: Specify the IP address or hostname of the computer where the NFS server is configured.
Share: Specify the share name of the NFS server.
The mounted shares are unmounted when the server stops and are mounted again when the server starts. If the configured share unmounts, the Sentinel server detects this and mounts it again.
Mount Options: Specifies the options that are used while mounting the secondary storage location of the NFS server.
You can also specify new mount options. For more information about the available NFS mount options, see NFS (5) Linux Programmer’s Manual.
The default mount options are soft,proto=tcp,retrans=1,timeo=60.
(Optional) Click Restore Defaults to restore the default mount options.
Click Test to verify the configuration of the NFS server and to check the write permissions on the server.
This procedures tests a subset of all the settings that are necessary for the NFS server and client.
Click Save to configure the specified secondary storage location.
Log in to the Sentinel Web interface as a user in the administrator role.
Click Storage > Configuration.
In the Data Storage Location section, select Change Location. The Change Location option is displayed only if the secondary storage location is configured.
Click Change Location.
Select the option to disable data collection.
You can select this option to avoid filling the primary storage before Sentinel moves the data to the new location. If this option is not selected and if the primary storage is filled before the new data storage location is configured, Sentinel deletes the oldest data to make space for the incoming data.
Configure the new data storage location.
For more information about configuring the NIFS or SMB/CIFS or primary/SAN secondary storage locations, see Configuring Secondary Storage.
Click Save to save the changes and configure the new secondary storage location.
Manually copy the files from the old secondary storage location to the new secondary storage location.
After copying the files, select Copy Done to start data storage at the new location.