Linux operating system partition properties for QRadar installations on your own system
If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat® Enterprise Linux® operating system rather than modify the default partitions.
Use the values in following table as a guide when you re-create the partitioning on your Red Hat Enterprise Linux operating system. You must use these partition names. Using other partition names can cause the installation to fail and other issues.
The file system for each partition is XFS.
| Mount Path | LVM supported? | Size |
|---|---|---|
| /boot | No | 1 GB |
| /boot/efi | No | 200 MB |
| /var | Yes | 5 GB |
| /var/log | Yes | 15 GB |
| /var/log/audit | Yes | 3 GB |
| /opt | Yes | 13 GB |
| /home | Yes | 1 GB |
| /storetmp | Yes | 15 GB |
| /tmp | Yes | 3 GB |
| swap | N/A | Swap formula: Configure the swap partition size to be 75 per cent of RAM, with a minimum value of 12 GiB and a maximum value of 24 GiB. |
| / | Yes | Up to 15 GB |
| /store | Yes | 80% of remaining space |
| /transient | Yes | 20% of remaining space |
For more information about the swap partition, see https://www.ibm.com/support/pages/node/6348712 (https://www.ibm.com/support/pages/node/6348712).
Console partition configurations for multiple disk deployments
For systems with multiple disks, configure the following partitions for QRadar®:
- Disk 1
- boot, swap, OS, QRadar temporary files, and log files
- Remaining disks
-
- Use the default storage configurations for QRadar appliances as a guideline to determine what RAID type to use.
- Mounted as /store
- Store QRadar data
The following table shows the default storage configuration for QRadar appliances.
| QRadar host role | Storage configuration |
|---|---|
|
Flow collector QRadar Network Insights (QNI) |
RAID1 |
|
Data node Event processor Flow processor Event and flow processor All-in-one console |
RAID6 |
|
Event collector |
RAID10 |