
Use of NFS storage

Hi All,

Is anyone using NFS in large chunks of storage pools? If so, I want to get an opinion on:

1. How has your experience been? Have you seen any challenges with accessing and storing logs on NFS?

2. Is this stable?

3. Have you used NFS for any compliance-related requirements? e.g. storing, searching and retrieving logs for X number of months?

While using NFS, would you recommend anything (suggestions / best practices)?

Thanks

4 Replies
Reliable Contributor sssyyy
Message 2 of 5

Re: Use of NFS storage

1. How has your experience been? Have you seen any challenges with accessing and storing logs on NFS?
//Good.

2. Is this stable? //Yes.

3. Have you used NFS for any compliance-related requirements? e.g. storing, searching and retrieving logs for X number of months? //Yes, used as an extension of the local ELM storage, which won't fit the retention policy.

While using NFS, would you recommend anything (suggestions / best practices)?
//Not really, just set up a Linux host and configured it as an NFS server.
https://www.tecmint.com/how-to-setup-nfs-server-in-linux/

Reliable Contributor brenta
Message 3 of 5

Re: Use of NFS storage

I'd say your mileage here will vary depending on the solution you choose.

1. I've stored data on NFS mounts before without issue. Granted, these mounts were physically and logically beside (same VLAN, just switched traffic) the ELM. You may want to provision an additional Ethernet interface for this traffic so that NFS traffic does not interfere with its ingestion traffic. Probably want to look into a network bond for the NFS mount interface as well, see https://kc.mcafee.com/corporate/index?page=content&id=KB83804. 2 is 1, 1 is none.

2. It's as stable as your NFS mount and network will be. I would keep the ELM database locally stored. I have had an issue where it was moved to NFS and the mount was lost, the ELM then (as expected) died, and it was a hassle to recover.

3. Getting data back from the ELM is often not I/O bound, but CPU bound. Depending on the query, the ELM needs to unpack the ~5MB chunks inside the query range, then either do a regex or filter on the data you are looking for, or just send it. The uncompressing process is very CPU intensive depending on the compression rate selected (I often leave it at low, which is basically equivalent to zlib level 1). This is why when you select just a device and time range in an ELM search the results come back very quickly: there is no server-side filtering required.

If you have compliance and/or audit requirements it's likely best to use the ELM's storage and a DAS. As you add more dependencies to a system there is a higher probability of failures.

Brent

Re: Use of NFS storage

Hi Brenta,

Thanks for sharing the insights.

Have you also tried to migrate any existing data from local storage to NFS, and do you know how much time it takes?

We are talking here in GBs, and just want to double check that such an action won't hit performance of the ELM in any way.

Thanks,
Reliable Contributor brenta
Message 5 of 5

Re: Use of NFS storage

There are a few considerations here:

Do you really need to move the data? Or can you simply wait for the data to fall out of retention and just add new data to the NFS shares? This technically also moves the data, but to /dev/null over a long period of time. 🙂

If your ELM is in the GB range, not into the TB range, you are very much on the smaller end of ELMs. Often I see ELMs that have large DAS attached to them in addition to their local storage. Even these large ELMs are underutilized from a CPU perspective.

Nothing replaces good monitoring and system administrators. While doing such a significant change you should always be evaluating the performance impacts, and adjusting if required.

Brent