Configuring EFS for the ArcSight Suite

CDF and the ArcSight suite require several separate folders for storing various types of information, such as database files, log files, and runtime data. In this step, you will create the following folders:

All of these folders are created in a parent folder from the filesystem, as follows:

Using different parent folders, you can use a single EFS for several different file systems (assuming they are in the same region and same VPC, and have the correct mount targets).

To configure EFS for ArcSight Suite:

  1. Using an scp client, copy the arcsight-platform-cloud-installer-XX.X.X.XXX.zip package to the bastion and unpack it.
  2. To create the folders and set their permissions, unzip the aws-scripts script archive and then run the init_efs script from the aws-scripts/scripts directory.
  3. Construct the filesystem FQDN. The filesystem FQDN should have the following format:

    <FileSystemId>.efs.<Region>.amazonaws.com

    Where:

    <FileSystemId>: Previously created and recorded in the AWS worksheet.

    <Region>: The ID of the region in which you originally asked to create restricted resources.

  4. Record the filesystem FQDN in the AWS worksheet.

    The FQDN is used for initializing the folder structures, and is used again later during the Bootstrap CDF step and the CDF Web UI installation processes.
  5. Execute the script:

    ./arcsight-platform-cloud-installer/aws-scripts/scripts/init_efs \
    -p <Parent folder name> \
    -s <Filesystem FQDN>

    Where:

    <Parent folder name>: An optional parameter. If not specified, this value will be replaced with ArcSight. Record the chosen parent folder name in the AWS worksheet.

    <Filesystem FQDN>: The filesystem FQDN you have just created.

    Example:

    ./arcsight-platform-cloud-installer/aws-scripts/scripts/init_efs \
    -p srgdemo \
    -s fs-ebe456b3.efs.eu-central-1.amazonaws.com
  6. The mount point is created as a commented-out entry in the /etc/fstab file. Open the /etc/fstab file with the following command and uncomment the mount point:

    sudo vim /etc/fstab
  7. Run the following command:

    sudo mount -a
    
  8. (Conditional) If Intelligence is part of the deployment, run the following command only for arcsight-volume so that the Logstash and Elasticsearch pods do not fail because of permission issues:

    cd /mnt/efs/<parent_folder_name>
    sudo chown -R 1999:1999 arcsight-volume
  9. Verify whether the created folders correspond to the structure described above, with respect to your chosen parent folder.
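
The following pre-flight check is an added example, not part of the installer or of the original page: it builds the filesystem FQDN from step 3 with input validation and reports whether the EFS entry in an fstab file is still commented out before you run `sudo mount -a`. The function names, the ID and region patterns, and the sample fstab line (including its NFS options) are assumptions; the line that init_efs actually writes may differ.

```shell
#!/bin/sh
# Added example. All function names here are hypothetical helpers.

# Build <FileSystemId>.efs.<Region>.amazonaws.com, rejecting malformed input.
# Assumed formats: "fs-" plus 8 or more hex digits; region such as eu-central-1.
efs_fqdn() (
  fs_id="$1"; region="$2"
  case "$fs_id$region" in
    *[!a-z0-9-]*) echo "unexpected character in input" >&2; exit 1 ;;
  esac
  printf '%s\n' "$fs_id" | grep -Eq '^fs-[0-9a-f]{8,}$' ||
    { echo "bad FileSystemId: $fs_id" >&2; exit 1; }
  printf '%s\n' "$region" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$' ||
    { echo "bad Region: $region" >&2; exit 1; }
  printf '%s.efs.%s.amazonaws.com\n' "$fs_id" "$region"
)

# Report how the filesystem appears in an fstab file: active, commented or missing.
fstab_entry_state() (
  fstab="$1"; fqdn="$2"
  # Escape the dots so the FQDN is matched literally, not as a regex wildcard.
  pat=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
  if grep -Eq "^[[:space:]]*${pat}:" "$fstab"; then
    echo active
  elif grep -Eq "^[[:space:]]*#[[:space:]#]*${pat}:" "$fstab"; then
    echo commented
  else
    echo missing
  fi
)

# Constructed sample fstab content (not real output of init_efs).
sample_fstab() {
  cat <<'EOF'
UUID=0000-CONSTRUCTED / xfs defaults 0 0
# fs-ebe456b3.efs.eu-central-1.amazonaws.com:/ /mnt/efs nfs4 nfsvers=4.1,hard,timeo=600,retrans=2,noresvport 0 0
EOF
}

# Demo against the constructed sample; on the bastion, pass /etc/fstab instead.
fqdn=$(efs_fqdn fs-ebe456b3 eu-central-1) || exit 1
demo=$(mktemp)
sample_fstab > "$demo"
echo "$fqdn: $(fstab_entry_state "$demo" "$fqdn")"
rm -f "$demo"
```

A result of `commented` means step 6 has not been completed yet, and `sudo mount -a` would skip the EFS mount without reporting an error.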

Next Step: Configure EKS