
Can anyone help me with the process of diskspace expansion for Virtual Receiver (VM ERC)

 
4 Replies
pbpillai
McAfee Employee
Message 2 of 5

Re: Can anyone help me with the process of diskspace expansion for Virtual Receiver (VM ERC)

Dear Customer,

Please find the below steps for resizing a VM ERC.

From 11.2 & 10.4 onwards we have a new ResizeVmVolume script that will expand the disk size.

Please refer to the URL below:

https://docs.mcafee.com/bundle/enterprise-security-manager-11.2.x-installation-guide/page/GUID-2A664...

> Enterprise Security Manager > 11.2.x > McAfee Enterprise Security Manager 11.2.x Installation Guide > Post-deployment tasks > Increase VM disk space > Task:

1. Use the VM hypervisor to enlarge the disk so that there is at least 10 GB of unallocated space.
2. Run the resizing script (ResizeVmVolume).

The script:
  • Stops cpservice and all databases
  • Re-creates the last partition using all unallocated space
  • Resizes the file system
  • Updates the drivesetup.conf configuration file
  • Changes the size of each database
  • Restarts services

Important Note:
===============

Please open a service request referring to this post if you would like to have McAfee Technical Support assist you with this request.

Executing commands on the SIEM CLI is risky, as executing any incorrect command can render the device unusable, & only McAfee Technical Support is authorized & trained to execute commands via the CLI of the SIEM.

It is also recommended to upgrade the SIEM devices to 11.3.x or 11.4.0 after performing the tests in your test environment, as going forward we will be releasing fixes & patches only for 11.3.x versions & above.

SIEM V11.x VM appliances with 250GB.
===================================

The appliance VMs we send out are configured with 250 GB disks by default, but this is only sufficient in all common cases for SIEM 10.x. The Kafka software used in SIEM 11.x requires additional space in some percentage of these cases, and so 500 GB disks are more suitable (see KB82516). We can mitigate this need by reducing the amount of time Kafka keeps its messages on disk (3 days by default, workaround item 1 below). The drawback to reducing this retention period is that if a REC loses contact with the ESM or DSB, then the customer will have less time to restore contact before Kafka starts dropping its oldest messages.


Thus, the best option is to use larger disks (item 2 below).

-------------------------------------------------------------------------------------------------------------------------------------------------------
1. Receiver Workaround:
File: /usr/local/kafkaconfig/Modules/Config.pm
Change the line
    use constant REC_CLASS_RETENTION_HOURS => 3 * 24;
to
    use constant REC_CLASS_RETENTION_HOURS => 1 * 24;
Then restart the databus:
    service databus restart
This will retain the events on Kafka for one day instead of 3.

2. Example showing the steps on a Current Receiver VM on Version 11.2.x with 250GB:
================================================================================

Step 1) Execute the 'df -h' & 'parted' commands on the ERC VM.

McAfee-ERC-VM8 ~ # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 240G 5.3G 223G 3% / <=====================current storage space size (240GB); not enough for V11...
/dev/sda1 960M 41M 869M 5% /boot
shm 998M 0 998M 0% /dev/shm


McAfee-ERC-VM8 ~ # parted
GNU Parted 3.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 268GB <== current 250GB set on VMware Hard disk 1
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
4 17.4kB 1000kB 983kB primary bios_grub
1 1000kB 1040MB 1039MB ext3 primary
2 1040MB 6180MB 5140MB linux-swap(v1) primary
3 6180MB 267GB 261GB ext4 primary
(parted) q


Step 2) Shut down the Receiver VM and changed the HD on the VM hypervisor to 270GB (added 20GB). For a production system it should be at least 500GB; better if expanded to 1TB or above:


McAfee-ERC-VM8 ~ # ResizeVmVolume sda
ResizeVmVolume[7733]: Checking that this is a VM...
ResizeVmVolume[7733]: Checking that disk is mounted in a known location...
ResizeVmVolume[7733]: Checking for available unpartitioned space...
ResizeVmVolume[7733]: Checking that mounted partition is at the end of the disk...
ResizeVmVolume[7733]: Resizing from 242GB to 264GB...
WARNING: Please backup all data on disk sda before continuing
WARNING: This script may destroy all data on the disk if it fails
Are you sure you want to continue (yes/no)? yes
ResizeVmVolume[7733]: Stopping services...
Stopping authlog...
Ok
ResizeVmVolume[7733]: Resizing partition...
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot or after you
run partprobe(8) or kpartx(8)
The operation has completed successfully.
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot or after you
run partprobe(8) or kpartx(8)
The operation has completed successfully.
ResizeVmVolume[7733]: Resizing file system...
resize2fs 1.44.5 (15-Dec-2018)
Filesystem at /dev/sda3 is mounted on /; on-line resizing required
old_desc_blocks = 31, new_desc_blocks = 34
The filesystem on /dev/sda3 is now 69270011 (4k) blocks long.
ResizeVmVolume[7733]: Updating drivesetup.conf...
ResizeVmVolume[7733]: Resizing databases...
GetDiskInfo DiskInfoPos=35
ResizeVmVolume[7733]: Restarting services...
Starting authlog...
[ OK ]
Ok
ResizeVmVolume[7733]: Ok: sda was successfully resized.
Ok: sda was successfully resized

Step 3) Execute the 'df -h' & 'parted' commands to verify:

McAfee-ERC-VM8 ~ # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 261G 5.3G 243G 3% / <== 20GB added
/dev/sda1 960M 41M 869M 5% /boot
shm 998M 0 998M 0% /dev/shm


McAfee-ERC-VM8 ~ # parted
GNU Parted 3.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
print
Model: VMware Virtual disk (scsi)
Disk /dev/sda: 290GB <========================= new space added on VM Disk
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
4 17.4kB 1000kB 983kB primary bios_grub
1 1000kB 1040MB 1039MB ext3 primary
2 1040MB 6180MB 5140MB linux-swap(v1) primary
3 6180MB 290GB 284GB ext4

3. Example showing the steps on an ETM VM on Version 11.2.x and above with 240GB:
================================================================================


McAfee-ETM-VM ~ # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 240G 9.8G 218G 5% / <======================= current storage space size (240GB); not enough for V11...
/dev/sda1 960M 41M 870M 5% /boot
shm 158G 0 158G 0% /dev/shm


McAfee-ETM-VM ~ # parted ==> (parted) print
Model: ORACLE BlockVolume (scsi)
Disk /dev/sda: 8796GB <== new space added on VM Disk 8.5TB.
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
4 17.4kB 1000kB 983kB primary bios_grub
1 1000kB 1040MB 1039MB ext3 primary
1040MB 1040MB 187kB Free Space
2 1040MB 6180MB 5140MB linux-swap(v1) primary
3 6180MB 267GB 261GB ext4 primary
267GB - 8796GB = 8529GB Free Space <== new space added on VM Disk,
recommended at least 500GB( KB82516 ); best 1TB or above for V11.


McAfee-ETM-VM4 ~ # ResizeVmVolume sda


McAfee-ETM-VM4 ~ # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 8.0T 9.8G 7.6T 1% / <======================= new space size (8TB); available 7.6TB....
/dev/sda1 960M 41M 870M 5% /boot
shm 158G 0 158G 0% /dev/shm

 

Regards,

 

Prashanth B Pillai

McAfee Technical Support

Customer Success Group
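
The two conditions the post above depends on (at least 10 GB of unallocated space after enlarging the disk, and the mounted partition being the last one on the disk) can be checked read-only before any resize is attempted. This is an added example, not part of the original posts and not McAfee's script; the `preflight` function, its exit codes and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not McAfee code: read-only check over `parted <disk> print free` text.
# Usage: preflight <root-partition-number> <min-free-GB>   (parted output on stdin)
# Exit 0 = enough trailing free space, 2 = root partition is not last, 3 = too little space.
preflight() {
  awk -v root="$1" -v min="$2" '
    function gb(tok,   n, u) {             # parted size token -> decimal GB
      n = tok + 0; u = tok; sub(/^[0-9.]+/, "", u)
      if (u == "TB") return n * 1000
      if (u == "GB") return n
      if (u == "MB") return n / 1000
      if (u == "kB") return n / 1000000
      return n / 1000000000                # plain bytes ("B")
    }
    /Free Space/ { free = gb($3); next }   # row: Start End Size "Free Space"
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9.]+[kMGT]?B$/ { last = $1; free = 0 }  # partition row
    END {
      if (last != root) { print "FAIL: partition " root " is not last on disk"; exit 2 }
      if (free < min)   { printf "FAIL: %.1f GB unallocated, need %s GB\n", free, min; exit 3 }
      printf "OK: %.1f GB unallocated after partition %s\n", free, root
    }'
}

# Constructed sample listings, modelled on the parted output in the post above.
HEADER='Disk /dev/sda: 290GB
Number  Start   End     Size    File system     Name     Flags
 4      17.4kB  1000kB  983kB                   primary  bios_grub
 1      1000kB  1040MB  1039MB  ext3            primary
        1040MB  1040MB  187kB   Free Space'
SWAP=' 2      1040MB  6180MB  5140MB  linux-swap(v1)  primary'
ROOT=' 3      6180MB  267GB   261GB   ext4            primary'
TAIL='        267GB   290GB   22.5GB  Free Space'

SAMPLE_GROWN=$(printf '%s\n' "$HEADER" "$SWAP" "$ROOT" "$TAIL")   # disk already enlarged
SAMPLE_FULL=$(printf '%s\n' "$HEADER" "$SWAP" "$ROOT")            # no space added yet
SAMPLE_MOVED=$(printf '%s\n' "$HEADER" "$ROOT" \
  ' 2      267GB   272GB   5140MB  linux-swap(v1)  primary')      # root is not last

printf '%s\n' "$SAMPLE_GROWN" | preflight 3 10
# On a real host (as root): parted /dev/sda print free | preflight 3 10
```

A non-zero exit means the disk layout does not match what the documented task expects, so the resize should not be started until the layout is understood.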

pbpillai
McAfee Employee
Message 3 of 5

Re: Can anyone help me with the process of diskspace expansion for Virtual Receiver (VM ERC)

Important Note: It seems there is an issue with the ResizeVmVolume script & currently we have stopped recommending the script as it could lead to data loss.

Engineering is working on correcting the script.

Please use the VMdata option if you would like to increase the space on the ESM.

Please contact McAfee Technical Support for available solutions on resizing a disk for the devices other than the ESM.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

pbpillai
McAfee Employee
Message 4 of 5

Re: Can anyone help me with the process of diskspace expansion for Virtual Receiver (VM ERC)

As an update, the corrected ResizeVMVolume script is available from 11.3.0 Patch 14 onwards.

It should be available in the latest patches of the respective versions as well as in 11.3.2.

Please check with support for the patch.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

Re: Can anyone help me with the process of diskspace expansion for Virtual Receiver (VM ERC)

That's it!

Steps:
1. Turn off VM.
2. Just resize your VM_disk with vmware to increase the disk.
3. Turn on VM.
4. NitroStop --nod
5. service cpservice stop
6. ResizeVmVolume sda
6.1. yes [enter]

7. And wait (you can pray 🙏)

It works very well here with ESM and ERC.

That's all folks! Thank you guys! 🙂
