Linux operating system partition properties for QRadar installations on your own system
If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat® Enterprise Linux® operating system rather than modify the default partitions.
Use the values in the following table as a guide when you re-create the partitioning on your Red Hat Enterprise Linux operating system. You must use these partition names. Using other partition names can cause the installation to fail and can cause other issues.
Mount Path | LVM supported? | Size | File System | Host type |
---|---|---|---|---|
/boot | No | 1 GB | XFS | |
/boot/efi | No | 200 MB | EFI System Partition | |
/var | Yes | 5 GB | XFS | |
/var/log | Yes | 15 GB | | |
/var/log/audit | Yes | 3 GB | | |
/opt | Yes | 13 GB | | |
/home | Yes | 1 GB | | |
/storetmp | Yes | 15 GB | | |
/tmp | Yes | 3 GB | | |
swap | N/A | Swap formula: Configure the swap partition size to be 75 per cent of RAM, with a minimum value of 12 GiB and a maximum value of 24 GiB. | | |
/ | Yes | Up to 15 GB | | |
/transient | Yes | 20% of remaining space | | QRadar Console, App Host |
/store | Yes | 80% of remaining space | | QRadar Console, App Host |
/transient | Yes | The lesser of 20% of the remaining space and 500 GB | | Processors and Collectors |
/store | Yes | The remaining space after /transient allocation | | Processors and Collectors |
/transient | Yes | The lesser of 10% of the remaining space and 100 GB | | Data Nodes |
/store | Yes | The remaining space after /transient allocation | | Data Nodes |
For more information about the swap partition, see https://www.ibm.com/support/pages/node/6348712.
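The sizing rules in the table, worked through as an added example (this is not IBM code). It assumes that GB and GiB can be treated as one unit for planning, that "remaining space" means the disk size minus the fixed partitions, swap, and the full 15 GB for /, and it uses hypothetical role keys (`console`, `app_host`, `processor`, `collector`, `data_node`).

```python
# Added example: sizing planner for the partition table above (not IBM code).
# Assumptions: GB and GiB are treated as one unit; "remaining space" is the
# disk size minus the fixed partitions, swap, and the full 15 GB for "/".

# Fixed-size mount paths from the table, in GB ("/" uses its 15 GB maximum).
FIXED_GB = {"/boot": 1, "/boot/efi": 0.2, "/var": 5, "/var/log": 15,
            "/var/log/audit": 3, "/opt": 13, "/home": 1, "/storetmp": 15,
            "/tmp": 3, "/": 15}

# Hypothetical role key -> (share of remaining space for /transient, cap in GB).
TRANSIENT_RULE = {"console": (0.20, None), "app_host": (0.20, None),
                  "processor": (0.20, 500), "collector": (0.20, 500),
                  "data_node": (0.10, 100)}


def swap_gb(ram_gb):
    """75 per cent of RAM, clamped to the 12..24 range from the table."""
    return min(max(0.75 * ram_gb, 12), 24)


def plan(role, disk_gb, ram_gb):
    """Return {mount path: size in GB} for one host, or raise ValueError."""
    if role not in TRANSIENT_RULE:
        raise ValueError(f"unknown role: {role}")
    layout = dict(FIXED_GB)
    layout["swap"] = swap_gb(ram_gb)
    remaining = disk_gb - sum(layout.values())
    if remaining <= 0:
        raise ValueError("disk is too small for the fixed partitions and swap")
    share, cap = TRANSIENT_RULE[role]
    transient = remaining * share
    if cap is not None:
        transient = min(transient, cap)  # "the lesser of" rule
    layout["/transient"] = round(transient, 1)
    layout["/store"] = round(remaining - transient, 1)  # whatever is left
    return layout


if __name__ == "__main__":
    # Constructed sample hosts: (role, disk size in GB, RAM in GB).
    for role, disk, ram in [("console", 1000, 64), ("processor", 4000, 128),
                            ("data_node", 2000, 16)]:
        sizes = plan(role, disk, ram)
        print(role, {k: sizes[k] for k in ("swap", "/transient", "/store")})
```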
Console partition configurations for multiple disk deployments
For systems with multiple disks, configure the following partitions for QRadar:
- Disk 1
  - boot, swap, OS, QRadar temporary files, and log files
- Remaining disks
  - Use the default storage configurations for QRadar appliances as a guideline to determine what RAID type to use.
  - Mounted as /store
  - Store QRadar data
The following table shows the default storage configuration for QRadar appliances.
QRadar host role | Storage configuration |
---|---|
Flow collector, QRadar Network Insights (QNI) | RAID1 |
Data node, Event processor, Flow processor, Event and flow processor, All-in-one console | RAID6 |
Event collector | RAID10 |