File System Options for Offboard Storage

 

Use an offboard storage solution to move the /store file system or specific subdirectories, such as the /store/ariel directory.

You can move the /store file system to increase the fault tolerance levels in your JSA deployment. Each option impacts JSA performance.

Moving the /store file system to an external device provides an alternative to implementing a high-availability system.

The /store/ariel directory is the file system that is most commonly moved to an offboard storage solution. By moving the /store/ariel file system, you can move collected log and network activity data to external storage. The local disk continues to hold the PostgreSQL database and temporary search results.

Administrators can move the following types of JSA data to offboard storage devices:

  • PostgreSQL metadata and configuration information

  • Log activity, payloads (raw data), normalized data, and indexes

  • Network activity, payloads, normalized data, and indexes

  • Time series graphs (global views and aggregates)

Performance Impact Of Offboard Storage Solutions

Moving the /store file system to an external device might affect JSA performance.

After the migration, data I/O to the /store file system is no longer performed on the local disk. Before you move your JSA data to an external storage device, you must consider the following information:

  • Maintain your log and network activity searches on your local disk by mounting the /store/transient file system to the unused /store file partition.

  • Searches that are marked as saved are also in the /store/transient directory. If you experience a local disk failure, these saved searches are not preserved.

Storage Expansion

By creating multiple volumes and mounting /store/ariel/events and /store/ariel/flows, you can expand your storage capabilities past the 16 TB file system limit that is supported by JSA.

Any subdirectory in the /store file system can be used as a mount point for your external storage device.

If you want to move dedicated event or flow data, you might configure more specific mount points. For example, you can configure /store/ariel/events/records and /store/ariel/events/payloads as mount points.
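The following check is an added example, not part of the JSA documentation. It reads a mount table in /proc/mounts format, reports which volume backs each of the paths discussed above (/store, /store/ariel/events, /store/ariel/flows, /store/transient), and tests whether /store/transient is still on a local disk. The function names, the device names in the sample table, and the caller-supplied list of local devices are assumptions made for illustration.

```shell
#!/bin/sh
# backing_mount MOUNTS_FILE PATH -> prints "device mountpoint fstype" for the
# longest mount point that is PATH itself or a parent directory of PATH.
backing_mount() {
    awk -v p="$2" '
        {
            m = $2
            # A mount covers p if it is "/", equals p, or is a directory prefix of p.
            if (m == "/" || m == p || index(p, m "/") == 1) {
                if (length(m) >= best_len) { best_len = length(m); best = $1 " " m " " $3 }
            }
        }
        END { if (best != "") print best }
    ' "$1"
}

# check_transient_local MOUNTS_FILE "LOCAL_DEV ..." -> returns 0 when the device
# backing /store/transient is in the caller-supplied list of local disk devices.
check_transient_local() {
    dev=$(backing_mount "$1" /store/transient | cut -d' ' -f1)
    [ -n "$dev" ] || return 1
    case " $2 " in
        *" $dev "*) return 0 ;;
    esac
    return 1
}

# layout_report MOUNTS_FILE -> one line per JSA data path with its backing volume.
layout_report() {
    for p in /store /store/ariel/events /store/ariel/flows /store/transient; do
        echo "$p -> $(backing_mount "$1" "$p")"
    done
}

# Constructed sample mount table (hypothetical devices); on a live host pass /proc/mounts.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda3 / xfs rw 0 0
/dev/mapper/offboard-store /store xfs rw 0 0
/dev/mapper/offboard-ev /store/ariel/events xfs rw 0 0
/dev/mapper/offboard-fl /store/ariel/flows xfs rw 0 0
/dev/sda8 /store/transient xfs rw 0 0
EOF
layout_report "$SAMPLE"
check_transient_local "$SAMPLE" "/dev/sda8" && echo "transient: local" || echo "transient: NOT local"
```

In the sample, /dev/sda8 stands in for the unused local /store partition that /store/transient is mounted on after the migration.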