Re: [security-onion] To RAID or not to RAID?


Brad Shoop

Sep 30, 2012, 8:22:35 PM9/30/12
to securit...@googlegroups.com
I'm expecting hardware in a few weeks and our plan is RAID 1 for root/OS on a couple drives, then LVM for /nsm volume across the remainder. Our logic is the same as yours in that the packet data is one facet of SO that, while valuable, can be sacrificed without negating the benefits. We've been running SO with nsm_sensor_ps-stop --only-daemonlogger for 9 months now due to lack of capacity and have been more than happy with the data we get. That's not to say full packet capture won't make me much happier. :)

Brad

On Fri, Sep 28, 2012 at 11:03 AM, Brian <brian...@gmail.com> wrote:
Going to finally get my "big boy" hardware that I'll be using for BDR and ironing out some of the details...

I don't get to get involved in general IT infrastructure topics much these days, so I'm not exactly up to date on some of the current trends and best practices, but I do recall hearing/reading that the ol' faithful RAID 5 has been essentially dead for a while with large disks as the chances for a 2nd failure during rebuild are so high, and RAID 6 not much better with 3TB+ disks and probably not worth the additional overhead of capacity and performance.

So... just wondering what others are running here on both sensors/servers...   For the sensors, my thoughts are straying to a pair of disks in RAID 1 for the root/OS and just using either RAID 0 or LVM striping for the /nsm volume.    Figure if I lose a disk and it all goes poof.... hey, the captures would have been gone in a few weeks anyway, excepting an active incident that needed to be investigated, nothing critical is lost.

Less sure on the server... given the total capacity is significantly less, less need to stuff as much usable storage as possible in the chassis gives more options, so thinking 1+0.

Thoughts?

--
Brad Shoop
GCIH GCFA
twitter: @bradshoop

Peter Feger

Oct 2, 2012, 10:59:43 AM10/2/12
to securit...@googlegroups.com
IMHO choosing the raid level is more about what your needs are. For
/nsm I still go with RAID5. The point about a 2nd disk failing during
a rebuild is valid. However, if you have proper monitoring of the
disks and take action as soon as you see a problem you can mitigate
that issue.

Currently I set up the RAID on 8 3TB disks in 2 virtual drives. 25
gigs for the OS and the remainder for /nsm. The /nsm data has a
limited time of usefulness. If I was to lose a drive it's no big deal
to take it down for a little bit to replace it and bring it back into
the array. The system will chug along in a degraded state for a bit
but will recover. If I lose a 2nd drive during the rebuild it's not
a big deal. Yes I lose that week or 2 of pcaps, but I can rebuild
the system in about an hour start to finish. For me the more disk
real estate I have for pcaps and session data the better. Bottom line
is that a sensor is a tier 4 best-effort service. The data it
contains loses its value very quickly.

For the record, I have deployed several hundred sensors with this
method and I have only seen maybe 4 or 5 servers suffer a 2nd disk
fail during rebuild. And on all of them we did not have proper
monitoring in place. Once we deployed methods to monitor the hardware
health, we were able to take proactive action avoiding the 2nd disk
fail during a rebuild.

Again it is all about what you are comfortable with and what your shop
may require in DR or service level requirements.

Regards

Pete Feger
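One way to do the proactive disk monitoring Pete describes, as an added example that is not from the thread: a small parser for Linux /proc/mdstat that flags arrays with a missing or failed member, so a rebuild in progress gets attention before a second disk goes. It assumes md (mdadm) software RAID; a hardware controller's "virtual drives" would need the vendor CLI instead. The mdstat text below is constructed.

```python
# Added example (not from the thread). Assumes Linux md software RAID;
# MDSTAT is a constructed /proc/mdstat sample: md0 healthy, md1 degraded.
import re

MDSTAT = """\
Personalities : [raid1] [raid5]
md0 : active raid1 sda1[0] sdb1[1]
      25149440 blocks super 1.2 [2/2] [UU]

md1 : active raid5 sda2[0] sdb2[1] sdc2[2] sdd2[3](F)
      8790390272 blocks super 1.2 level 5, 512k chunk, algorithm 2 [4/3] [UUU_]
      [==>..................]  recovery = 12.5% (1098798784/8790390272) finish=240.3min speed=533k/sec

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (raid\d+) (.*)$")   # "md1 : active raid5 members..."
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")        # "[4/3] [UUU_]": wanted/present, slot map

def parse_mdstat(text):
    arrays = []
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, _state, level, members = m.groups()
            failed = re.findall(r"(\w+)\[\d+\]\(F\)", members)   # members marked (F) by the kernel
            current = {"name": name, "level": level, "failed": failed,
                       "degraded": False, "rebuilding": False, "missing": 0}
            arrays.append(current)
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)
        if s:
            want, have, slots = int(s.group(1)), int(s.group(2)), s.group(3)
            current["missing"] = want - have
            current["degraded"] = have < want or "_" in slots
        if "recovery" in line or "resync" in line:     # progress bar line means a rebuild is running
            current["rebuilding"] = True
    return arrays

def degraded_arrays(text):
    # Arrays needing action now: a second failure during rebuild loses the volume.
    return [a for a in parse_mdstat(text) if a["degraded"] or a["failed"]]

if __name__ == "__main__":
    for a in degraded_arrays(MDSTAT):
        print(f"{a['name']} ({a['level']}): {a['missing']} missing, failed={a['failed']}, rebuilding={a['rebuilding']}")
```

On a live sensor, replace MDSTAT with the contents of /proc/mdstat and run it from cron or a monitoring check.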