File System Options for Offboard Storage
Use an offboard storage solution to move the /store file system or specific subdirectories, such as the /store/ariel directory.
You can move the /store file system to increase the fault tolerance levels in your JSA deployment. Each option impacts JSA performance.
Moving the /store file system to an external device provides an alternative to implementing a high-availability system.
The /store/ariel directory is the most common file system that is moved to an offboard storage solution. By moving the /store/ariel file system, you can move collected log and network activity data to external storage. The local disk remains used for the PostgreSQL database and for temporary search results.
Administrators can move the following types of JSA data to offboard storage devices:
PostgreSQL metadata and configuration information
Log activity, payloads (raw data), normalized data, and indexes
Network activity, payloads, normalized data, and indexes
Time series graphs (global views and aggregates)
Performance Impact Of Offboard Storage Solutions
Moving the /store file system to an external device might affect JSA performance.
After the migration, all data I/O to the /store file system is no longer performed on the local disk. Before you move your JSA data to an external storage device you must consider the following information:
Maintain your log and network activity searches on your local disk by mounting the /store/transient file system to the unused /store file partition.
Searches that are marked as saved are also in the /store/transient directory. If you experience a local disk failure, these searches are not saved.
Storage Expansion
Storage Expansion
By creating multiple volumes and mounting /store/ariel/events and /store/ariel/flows, you can expand your storage capabilities past the single file system that is configured by default with JSA. A single file system supports up to 500 TB.
Store partition
Any subdirectory in the /store file system can be used as a mount point for your external storage device. However, only the /store and /store/ariel file systems are supported for offboard with a high-availability deployment.
If you want to move dedicated event or flow data, you might configure more specific mount points. For example, you can configure /store/ariel/events/records and /store/ariel/events/payloads as mount points.
More storage expansion options
You can add more data storage to JSA host or optimize your current storage by using one or more of these options:
Install a Data Node. Data Nodes enable new and existing JSA deployments to add storage and processing capacity on demand as required. For more information, see the Juniper Secure Analytics Architecture and Deployment Guide.
Configure your Network File System (NFS) storage. You can configure NFS for a stand-alone JSA Console, new JSA HA deployments, or existing JSA HA deployments.
Configure your retention policies to define how long JSA is required to keep event and flow data, and what to do when that data reaches a certain age. For more information, see the Juniper Secure Analytics Administration Guide.
Enable event coalescing to improve performance, and reduce storage impacts, when a large burst of events is received that match a specific criteria.