Firewall Analyzer - Best Practices

Disk Space Usage

Any security log analysis application is likely to consume disk space, both for retaining data in the database for a considerable duration and for storing archived raw log data for compliance. You have to allocate the disk space in a balanced manner so that the storage does not grow forever while your compliance requirements are still fulfilled.

In Firewall Analyzer, the data is stored in the following directories.

All the graphs that you see in the Firewall Analyzer UI are generated from the MySQL database. The MySQL data tables are stored in the <Firewall Analyzer Home>\mysql\data directory. This directory starts growing from the time Firewall Analyzer begins receiving log data from the firewalls. By default, Firewall Analyzer keeps one year of log data in the database.

Archived raw log data is stored in the <Firewall Analyzer Home>\server\default\archive directory to meet compliance requirements. Copies of the original firewall logs are stored in this directory. By default, archived logs are kept forever.

To return search results quickly, Firewall Analyzer maintains indexes of the archived data in the <Firewall Analyzer Home>\server\default\indexes directory. Because the archived files are kept forever by default, these indexes are also kept forever.

How to limit/control disk space usage in Firewall Analyzer?

If you are concerned about disk space usage, Firewall Analyzer lets you configure the data storage duration and change the storage location from within the product itself. You can move the Archive and Database locations to a different drive.
    * How to configure the Data Storage Option?
    * How to move Raw Logs Archive and Raw Logs Indexing directory to another drive in the same physical machine?

Apart from the configuration options provided in the product, you can also move the MySQL database to a different drive, or run the MySQL database on a separate server.

How to configure the Data Storage Option?

By default, Firewall Analyzer retains data in the database for one year and archives the raw logs forever. The Data Storage Options let you restrict both the data stored in the database and the archive folder to a configurable period of time, which limits disk space usage. There are separate settings for database storage and archive storage. Data older than the selected period is purged.

Carry out the following steps to limit/control the disk space usage in Firewall Analyzer:
    * Click the Settings tab at the top of the client. Set the Database and Archive periods as required in the Data Storage Options.

      o For the Database setting, the options available are: Forever, 1 year, 6 months, 3 months, and 1 week.
      Select the option you require. Log data is retained in the database for the selected time period.

      o For the Archive setting, the options available are: Forever, 1 year, 6 months, 3 months, 1 month, and 1 week.
      Select the option you require. Log data is retained in the archive for the selected time period and purged once that period has passed.

How to move the Firewall Analyzer Raw Logs Archive and Raw Logs Indexing directories to another drive in the same physical machine?
    * Click the Settings tab at the top of the client.
    * Click Archived Files. The Archived Files page opens.
    * Click Archive Settings. The File Archive Settings page pops up.

      o Select the Change Raw Logs Archive Location option and change the path of the Raw Logs Archive location. Ensure that you give the absolute path to which you want to move the archive file storage.
      For example: D:\Firewall\archive
      The default path is <Firewall Analyzer Home>\server\default\archive

      o Select the Change Raw Logs Indexing Location option and change the path of the Raw Logs Index file storage location.
      The default path is <Firewall Analyzer Home>\server\default\indexes
      Note: After you configure the new location for the Raw Log Index files, ensure that you copy all the files and sub-folders of the hot, warm, and cold sub-folders of the indexes folder from the existing location to the newly configured location.

How to move MySQL data to another drive in the same physical machine?

Follow the steps given below to move the database to a different drive:
    * Stop the Firewall Analyzer server/service, if it is running.
    * Check the Task Manager for the processes java.exe and mysqld-nt.exe; if either process is still running, kill it.
    * Copy the folder <Firewall Analyzer Home>\mysql\data to a folder in another drive (e.g., D:\Firewall\data), i.e., the new location to which you want to move the MySQL database data.
    * Rename the present data folder under the mysql folder to dataold; you can delete it later.
    * Open the startDB.bat/sh file located under the <Firewall Analyzer Home>\bin directory.

    For Windows:

    Change the following option in the mysql startup line:

    --datadir=%DB_HOME%\data
    as
    --datadir=D:\Firewall\data

    where D:\Firewall\data is the new location for the MySQL database.

    After the change, the start command will look like:

    @start /B %DB_HOME%\bin\mysqld-nt --standalone --basedir=%DB_HOME%
    --port=%DB_PORT% --datadir=D:\Firewall\data --innodb_buffer_pool_size=180M
    --key-buffer-size=32M --innodb_file_per_table --max_heap_table_size=32M
    --tmp_table_size=40M --innodb_flush_log_at_trx_commit=0 --log-error

    For Linux:

    Add "--datadir=<desired location>" after the "--basedir" attribute in the mysql startup line.

    After adding the "--datadir" attribute to the command, the start command will look like:

    #default
    $DB_HOME/bin/mysqld --no-defaults --basedir=$DB_HOME --datadir=/advent/5g/Working/Latest/data --port=$DB_PORT --socket=$TMP_HOME/mysql.sock --user=root..............


    Note: The above command may differ slightly between builds; however, ensure that
    on Windows "--datadir=%DB_HOME%\data" is changed to "--datadir=<new drive with absolute path>"
    or
    on Linux "--datadir=<new drive with absolute path>" is added.

    * Save the file.
    * Start the Firewall Analyzer server/service.
    * Check whether the data is correct and that the size of the D:\Firewall\data directory is increasing.
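The startDB edit described in the steps above, as an added example that is not part of Firewall Analyzer or its documentation: a POSIX shell function that rewrites or inserts the --datadir option in startDB.sh (or .bat) and verifies the result. It assumes the start line carries --basedir= as shown above and that the new directory already exists and holds the copied contents of mysql\data.

```shell
# Added example, not part of the Firewall Analyzer product: point the mysqld
# start line in startDB.sh/.bat at a relocated data directory. Assumptions:
# the start line carries --basedir= as shown above, and the new directory
# already holds the copied contents of mysql/data.

set_mysql_datadir() {
    startdb=$1      # <Firewall Analyzer Home>/bin/startDB.sh (or .bat)
    newdir=$2       # absolute path of the relocated data directory

    # Refuse to edit until the data has actually been copied over.
    [ -d "$newdir" ] || { echo "datadir $newdir does not exist" >&2; return 1; }
    grep -q -- '--basedir=' "$startdb" \
        || { echo "no mysqld start line in $startdb" >&2; return 1; }

    # Keep the original so the change can be reverted.
    cp "$startdb" "$startdb.bak"

    if grep -q -- '--datadir=' "$startdb"; then
        # Line already has --datadir (Windows build): replace its value.
        sed "s|--datadir=[^ ]*|--datadir=$newdir|" "$startdb.bak" > "$startdb"
    else
        # No --datadir yet (Linux build): insert it right after --basedir.
        sed "s|\(--basedir=[^ ]*\)|\1 --datadir=$newdir|" "$startdb.bak" > "$startdb"
    fi

    # Exactly one line may now point at the new directory.
    [ "$(grep -cF -- "--datadir=$newdir" "$startdb")" -eq 1 ]
}

# Print the --datadir value currently configured in a startDB file.
get_mysql_datadir() {
    sed -n 's|.*--datadir=\([^ ]*\).*|\1|p' "$1" | head -n 1
}

# Demo on a constructed copy of the Linux start line quoted above.
demo_set_mysql_datadir() {
    tmp=$(mktemp -d)
    mkdir "$tmp/data"
    printf '%s\n' '#default' \
      '$DB_HOME/bin/mysqld --no-defaults --basedir=$DB_HOME --port=$DB_PORT --socket=$TMP_HOME/mysql.sock --user=root' \
      > "$tmp/startDB.sh"
    set_mysql_datadir "$tmp/startDB.sh" "$tmp/data" && get_mysql_datadir "$tmp/startDB.sh"
}
```

Run demo_set_mysql_datadir to see the rewritten line on a throwaway copy; the function leaves a .bak beside the real startDB file so the edit can be reverted if the server fails to start.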

How to run Firewall Analyzer server and MySQL server in different machines?

Carry out the following steps to run the MySQL server on a separate machine.
    * Stop the Firewall Analyzer server/service.
    * Edit <Firewall Analyzer Home>/server/default/deploy/mysql-ds.xml and locate the following line.

    <connection-url>jdbc:mysql://localhost:33336/firewall</connection-url>

    * Instead of localhost, enter the IP address/hostname of the machine on which you intend to run the MySQL server.
    * Edit the <Firewall Analyzer Home>/server/default/conf/nms-service.xml file and change the StartDBServer value to false. By default its value is true.
    * Carry out the following steps on the MySQL server machine:

      o Install Firewall Analyzer if it is not installed, or if you do not have a MySQL server installed there.
      o Edit <Firewall Analyzer Home>/bin/startDB.bat/sh to tune the MySQL parameters as given in the following sizing guide:
      http://manageengine.adventnet.com/products/firewall/system_requirement.html
      o Execute <Firewall Analyzer Home>/bin/startDB.bat/sh to start the MySQL server. Ensure that you never start the application on this machine.

    * Start Firewall Analyzer on the Firewall Analyzer machine. You should be able to see the reports.

Note: Start the MySQL server on the MySQL server machine first, and then start the Firewall Analyzer application on the Firewall Analyzer server machine.
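As an added example (not part of Firewall Analyzer or its documentation), the following shell functions rewrite the host in the <connection-url> line from mysql-ds.xml and check that the database machine answers on the configured port, which is the order the note above requires before the application is started. The XML fragment is constructed; the TCP probe assumes bash's /dev/tcp and the coreutils timeout command are available.

```shell
# Added example, not part of the Firewall Analyzer product: rewrite the
# MySQL host in mysql-ds.xml and probe the database machine before start-up.
# Assumptions: the file holds one <connection-url> line in the form shown
# above; the TCP probe relies on bash's /dev/tcp and coreutils timeout.

# Print "host port" taken from the JDBC URL, e.g. "localhost 33336".
get_db_hostport() {
    sed -n 's|.*jdbc:mysql://\([^:/]*\):\([0-9]*\)/.*|\1 \2|p' "$1" | head -n 1
}

# Replace only the host part of the URL; port and database name stay.
set_db_host() {
    dsfile=$1; host=$2
    # A host containing ':' or '/' would corrupt the URL, so reject it.
    case $host in ''|*[:/]*) echo "bad host: $host" >&2; return 1 ;; esac
    [ -n "$(get_db_hostport "$dsfile")" ] \
        || { echo "no jdbc:mysql connection-url in $dsfile" >&2; return 1; }
    cp "$dsfile" "$dsfile.bak"
    sed "s|jdbc:mysql://[^:/]*:|jdbc:mysql://$host:|" "$dsfile.bak" > "$dsfile"
    [ "$(get_db_hostport "$dsfile" | cut -d' ' -f1)" = "$host" ]
}

# Succeeds only if the configured host accepts a TCP connection on the
# configured port within 3 seconds; run it after starting MySQL remotely
# and before starting Firewall Analyzer.
db_reachable() {
    set -- $(get_db_hostport "$1")
    [ $# -eq 2 ] || return 1
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Demo on a constructed mysql-ds.xml fragment containing the page's line.
demo_set_db_host() {
    tmp=$(mktemp -d)
    printf '%s\n' '<datasources>' \
      '  <connection-url>jdbc:mysql://localhost:33336/firewall</connection-url>' \
      '</datasources>' > "$tmp/mysql-ds.xml"
    set_db_host "$tmp/mysql-ds.xml" "fwa-db.example.internal" \
        && get_db_hostport "$tmp/mysql-ds.xml"
}
```

The hostname fwa-db.example.internal in the demo is a placeholder for the MySQL server machine.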

How to move Firewall Analyzer installation to a new server?

Note: Before moving the Firewall Analyzer installation to a new machine, ensure that the build of the old installation is the latest. If not, upgrade the old installation to the latest build and then proceed.
To find out the build number:
    * Click the About link in the top right-hand corner; the build number is displayed in the About pop-up screen.
    * If you are not able to open the UI, go to the folder C:\AdventNet\ME\Firewall\troubleshooting and open the file build.properties in Notepad; the build number is in the file.

Follow the steps given below to move Firewall Analyzer installation to a different server:

1. Stop the Firewall Analyzer server/service.
2. Check the Windows Task Manager for the processes 'java.exe' and 'mysqld-nt.exe'; if either is running, kill only the Firewall Analyzer related process.
3. Copy the following folders (including their files and sub-folders) completely to another drive or to a mapped network drive as a precaution.
This will help to restore the settings and data in case of any issue with the new machine.
    a. The folder 'MySQL' located under <Firewall Analyzer Home>\.
    b. The folder 'Archive' located under <Firewall Analyzer Home>\server\default\archive\.

4. Download and install the latest build of Firewall Analyzer on the new server from the following link:
http://manageengine.adventnet.com/products/firewall/download.html
5. Once you have installed the application on the new machine, ensure that you do not start it, or shut it down if it has already started.
6. Rename the folder <Firewall Analyzer Home>\MySQL to 'MySQLori'.
7. Copy the MySQL folder (located under <Firewall Analyzer Home>\MySQL) from the old machine to the same location on the new machine.
Note: Take extra care to ensure that Firewall Analyzer is not running on either machine while performing this operation.
8. Restart Firewall Analyzer on the new machine and check whether the data and configurations are intact.
