Installing the Database

This section provides information about configuring the database server and installing the ArcSight Database.

Currently, Recon and Intelligence are the only capabilities that require the database.

Preparing the Database Nodes for Installation

Follow the applicable instructions in the sections below to prepare the database nodes for installation.

Updating CentOS (conditional)

If you are deploying the database on CentOS 8.4 2105, update the distribution by running the following commands on all database nodes. The first command switches the node from the CentOS Linux 8 repositories to the CentOS Stream 8 repositories; the second synchronizes the installed packages to them:

sudo dnf --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos
sudo dnf distro-sync

If the repository above is no longer available, update the --enablerepo repositories as described at https://www.centos.org/centos-stream.

Configuring Operating System Settings

The database requires that you manually configure several general operating system settings.

  1. Provision the server with at least 2 GB of swap space.

    If the installer's swap pre-check still fails with 2 GB of swap provisioned, provisioning 2.2 GB of swap resolves the problem.
  2. Add the following parameters to /etc/sysctl.conf.

    Parameter                                       Description
    net.core.somaxconn = 1024                       Increases the number of incoming connections the listen queue can hold
    net.core.wmem_max = 16777216                    Sets the send socket buffer maximum size in bytes
    net.core.rmem_max = 16777216                    Sets the receive socket buffer maximum size in bytes
    net.core.wmem_default = 262144                  Sets the send socket buffer default size in bytes
    net.core.rmem_default = 262144                  Sets the receive socket buffer default size in bytes
    net.core.netdev_max_backlog = 100000            Increases the length of the network interface input queue
    net.ipv4.tcp_mem = 16777216 16777216 16777216   Sets the minimum, pressure and maximum memory (in pages) available to TCP buffers
    net.ipv4.tcp_wmem = 8192 262144 8388608         Sets the minimum, default and maximum TCP send buffer size per socket, in bytes
    net.ipv4.tcp_rmem = 8192 262144 8388608         Sets the minimum, default and maximum TCP receive buffer size per socket, in bytes
    net.ipv4.udp_mem = 16777216 16777216 16777216   Sets the minimum, pressure and maximum memory (in pages) available to UDP buffers
    net.ipv4.udp_rmem_min = 16384                   Sets the minimum UDP receive buffer size per socket, in bytes
    net.ipv4.udp_wmem_min = 16384                   Sets the minimum UDP send buffer size per socket, in bytes
    vm.swappiness = 1                               Defines the amount and frequency at which the kernel copies RAM contents to swap space. For more information, see Check for Swappiness.

  3. Add the following commands to /etc/rc.local. They assume that sdb is the data drive (for example, the drive mounted at /opt) and that sda is the operating system/catalog drive.

    Command                                                    Description
    echo deadline > /sys/block/sdb/queue/scheduler             Resolves FAIL (S0150). On kernels that list only multi-queue schedulers in /sys/block/sdb/queue/scheduler, the equivalent name is mq-deadline.
    /sbin/blockdev --setra 2048 /dev/sdb                       Resolves FAIL (S0020) when the database resides on /dev/sdb
    echo never > /sys/kernel/mm/transparent_hugepage/enabled   Disables transparent huge pages
    tuned-adm profile throughput-performance                   Resolves WARN (S0140/S0141) (CentOS only)

    Then make the script executable; systemd runs /etc/rc.d/rc.local at boot only when it is executable:

    chmod +x /etc/rc.d/rc.local
  4. In /etc/default/grub, append intel_idle.max_cstate=0 processor.max_cstate=1 to the GRUB_CMDLINE_LINUX line. For example:
    GRUB_CMDLINE_LINUX="vconsole.keymap=us crashkernel=auto  vconsole.font=latarcyrheb-sun16 rhgb quiet intel_idle.max_cstate=0 processor.max_cstate=1"

    Then regenerate the GRUB configuration:

    grub2-mkconfig -o /boot/grub2/grub.cfg

    On UEFI systems, the generated file is /boot/efi/EFI/centos/grub.cfg instead of /boot/grub2/grub.cfg. The parameters take effect after the reboot in step 9; you can confirm them afterwards in /proc/cmdline.
  5. Run these commands to disable the host-based firewall (resolves WARN (N0010)):

    systemctl mask firewalld

    systemctl disable firewalld

    systemctl stop firewalld

    During installation, the database requires that host-based firewalls are disabled on the database nodes. After installation, you can enable host-based firewalls again, but the database requires several ports to be open on the local network. For optimal performance, we recommend not placing host-based firewalls between database nodes; instead, use a network-based firewall to protect the segment that contains the database cluster. There is, however, no restriction against using a network-based firewall between database nodes. Whichever kind of firewall you use, ensure that all the database ports are reachable. For more information, see Firewall Considerations.
  6. Set SELinux to permissive mode in /etc/selinux/config.
    SELINUX=permissive

    For more information, see SELinux Configuration.

  7. Run this command to ensure that the rng-tools package is installed on all cluster nodes:

    sudo dnf install rng-tools -y
  8. Set the time zone to UTC on all cluster nodes:

    sudo timedatectl set-timezone UTC

    On CentOS 8.4, changing the time zone requires a reboot of the cluster nodes.
  9. Reboot the system for your changes to take effect.
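The following script is an added example and is not part of the ArcSight installer or its documentation: a read-only pre-flight check that verifies the operating system settings listed above on a node. Run it after the reboot, because the kernel parameters, the I/O scheduler and the readahead value only show up then. The data-disk name sdb, the script file name, and the acceptance of mq-deadline as the equivalent of deadline are assumptions made by this example.

```shell
#!/bin/sh
# Added example (not part of the ArcSight installer): read-only pre-flight check of
# the operating system settings listed above. It reports PASS/FAIL per item and
# changes nothing. Run as root on each database node: sh os-precheck.sh check
# Assumptions: the data disk is sdb (override with DATA_DISK) and the expected
# sysctl values are the ones from the table above.

DATA_DISK="${DATA_DISK:-sdb}"

# The helpers take their input as arguments, so they can be exercised without root.

# swap_ok KIB : at least 2 GB of swap (SwapTotal in /proc/meminfo is in kB)
swap_ok() { [ "$1" -ge 2097152 ] 2>/dev/null; }

# sysctl_ok NAME EXPECTED ACTUAL : sysctl -n prints tab-separated triples while the
# table uses spaces, so whitespace is normalised before comparing
sysctl_ok() {
    exp=$(printf '%s' "$2" | tr -s ' \t' ' ')
    act=$(printf '%s' "$3" | tr -s ' \t' ' ')
    [ "$exp" = "$act" ]
}

# thp_ok VALUE : /sys/kernel/mm/transparent_hugepage/enabled reads like
# "always madvise [never]"; the bracketed word is the active choice
thp_ok() { case "$1" in *"[never]"*) return 0 ;; esac; return 1; }

# scheduler_ok VALUE : deadline, or mq-deadline on kernels that only offer
# multi-queue schedulers (same algorithm under a different name)
scheduler_ok() { case "$1" in *"[deadline]"*|*"[mq-deadline]"*) return 0 ;; esac; return 1; }

# cmdline_ok CMDLINE : both C-state parameters are on the running kernel's command
# line, which proves grub2-mkconfig ran and the node was rebooted afterwards
cmdline_ok() {
    case " $1 " in *" intel_idle.max_cstate=0 "*) ;; *) return 1 ;; esac
    case " $1 " in *" processor.max_cstate=1 "*) return 0 ;; esac
    return 1
}

# selinux_config_ok VALUE : value of the SELINUX= line in /etc/selinux/config
selinux_config_ok() { [ "$1" = "permissive" ]; }

report() { printf '%-34s %s\n' "$1" "$2"; }

run_checks() {
    rc=0
    kib=$(awk '/^SwapTotal:/ {print $2}' /proc/meminfo)
    if swap_ok "$kib"; then report swap PASS; else report swap "FAIL ($kib kB)"; rc=1; fi

    while read -r name expected; do
        actual=$(sysctl -n "$name" 2>/dev/null)
        if sysctl_ok "$name" "$expected" "$actual"; then report "$name" PASS
        else report "$name" "FAIL (got '$actual')"; rc=1; fi
    done <<'EOF'
net.core.somaxconn 1024
net.core.wmem_max 16777216
net.core.rmem_max 16777216
net.core.wmem_default 262144
net.core.rmem_default 262144
net.core.netdev_max_backlog 100000
net.ipv4.tcp_mem 16777216 16777216 16777216
net.ipv4.tcp_wmem 8192 262144 8388608
net.ipv4.tcp_rmem 8192 262144 8388608
net.ipv4.udp_mem 16777216 16777216 16777216
net.ipv4.udp_rmem_min 16384
net.ipv4.udp_wmem_min 16384
vm.swappiness 1
EOF

    v=$(cat "/sys/block/$DATA_DISK/queue/scheduler" 2>/dev/null)
    if scheduler_ok "$v"; then report "scheduler $DATA_DISK" PASS; else report "scheduler $DATA_DISK" "FAIL ($v)"; rc=1; fi
    v=$(blockdev --getra "/dev/$DATA_DISK" 2>/dev/null)
    if [ "$v" = 2048 ]; then report "readahead $DATA_DISK" PASS; else report "readahead $DATA_DISK" "FAIL ($v)"; rc=1; fi
    v=$(cat /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null)
    if thp_ok "$v"; then report transparent_hugepage PASS; else report transparent_hugepage "FAIL ($v)"; rc=1; fi
    if cmdline_ok "$(cat /proc/cmdline)"; then report kernel_cstate PASS; else report kernel_cstate "FAIL (reboot pending?)"; rc=1; fi
    v=$(systemctl is-enabled firewalld 2>/dev/null)
    if [ "$v" = masked ]; then report firewalld PASS; else report firewalld "FAIL ($v)"; rc=1; fi
    v=$(sed -n 's/^SELINUX=//p' /etc/selinux/config 2>/dev/null)
    if selinux_config_ok "$v"; then report selinux_config PASS; else report selinux_config "FAIL ($v)"; rc=1; fi
    v=$(tuned-adm active 2>/dev/null | awk '{print $NF}')
    if [ "$v" = throughput-performance ]; then report tuned_profile PASS; else report tuned_profile "FAIL ($v)"; rc=1; fi
    if rpm -q rng-tools >/dev/null 2>&1; then report rng-tools PASS; else report rng-tools FAIL; rc=1; fi
    if [ "$(date +%Z)" = UTC ]; then report timezone PASS; else report timezone "FAIL ($(date +%Z))"; rc=1; fi
    return $rc
}

if [ "${1:-}" = "check" ]; then run_checks; fi
```

Run it as root, because blockdev and some sysctl reads need it. The SELinux check reads the configuration file rather than getenforce, so it reflects what the next boot will enforce; a kernel_cstate FAIL before the reboot is expected.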

Configuring BIOS for Maximum Performance

Depending on your hardware, the BIOS setup might offer power and performance options. While the system is powering on, enter the BIOS setup and configure the system for maximum performance. For example, HPE hardware provides the following setting:

System Configuration > BIOS/Platform Configuration (RBSU) > Power Management > HPE Power Profile > Maximum Performance

Enabling Passwordless Communication

This section describes how to configure passwordless SSH from the node1 server to every node server in the cluster. You can perform this procedure as root or as a sudo (non-root) user.

You must repeat the key copy for every node in the cluster, including node1 itself.
  1. On the node1 server, generate a key pair:

    ssh-keygen -q -t rsa
  2. Copy the public key from node1 to every node, including node1, using the node IP address:
    ssh-copy-id -i ~/.ssh/id_rsa.pub <node_IP_address>

    For example:

    ssh-copy-id -i ~/.ssh/id_rsa.pub 11.111.111.111

    The system displays the key fingerprint and asks you to authenticate to the node server.

  3. Enter the required credentials for the node.
  4. The operation succeeds when the system displays the following message:

    Number of key(s) added: 1
  5. To verify the key installation, run the following command from node1 and confirm that you can log in to the target node without a password prompt:
    ssh <node_IP_address>
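The loop below is an added example, not the product's own tooling: it performs the copy and verification steps above for every node in one pass and reports success only when key-only authentication actually works. The NODES addresses are constructed placeholders, and the -b 4096 key size, the unencrypted key (-N '') and the BatchMode verification are choices made here, not instructions from the page.

```shell
#!/bin/sh
# Added example, not part of the ArcSight installer: push node1's public key to
# every cluster node, then prove that each login works with the key alone.
# Run on node1 as the user that will run db_installer: sh distribute-key.sh run
# Assumptions: NODES is a space-separated list of node IPv4 addresses (the values
# below are constructed placeholders; include node1 itself, as the page requires);
# KEY is the private key path, defaulting to the ~/.ssh/id_rsa the page uses.

NODES="${NODES:-11.111.111.111 11.111.111.112 11.111.111.113}"
KEY="${KEY:-$HOME/.ssh/id_rsa}"

# copy_result_ok OUTPUT : success when ssh-copy-id's captured output reports the key
# was installed now ("Number of key(s) added: 1") or was already present on a re-run
copy_result_ok() {
    case "$1" in
        *"Number of key(s) added: 1"*) return 0 ;;
        *"already exist on the remote system"*) return 0 ;;
    esac
    return 1
}

# ensure_key : create the key pair only if it is missing. -N '' makes an unencrypted
# key, which is what "passwordless" requires; the page's ssh-keygen -q -t rsa would
# prompt for a passphrase instead. The fingerprint is printed so it can be recorded.
ensure_key() {
    [ -f "$KEY" ] || ssh-keygen -q -t rsa -b 4096 -N '' -f "$KEY"
    ssh-keygen -l -f "$KEY.pub"
}

# verify_login HOST : BatchMode=yes disables the password fallback, so a success
# here means the key, not a typed password, authenticated the session
verify_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true
}

distribute() {
    ensure_key
    rc=0
    for node in $NODES; do
        # ssh-copy-id prompts to accept the host key on first contact; compare the
        # fingerprint it shows with ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub on that node
        out=$(ssh-copy-id -i "$KEY.pub" "$node" 2>&1) || true
        if copy_result_ok "$out" && verify_login "$node"; then
            printf '%-16s key installed, login verified\n' "$node"
        else
            printf '%-16s FAILED\n%s\n' "$node" "$out" >&2
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "run" ]; then distribute; fi
```

An unencrypted private key on node1 is what makes the installer's node-to-node access non-interactive, so protect that file (mode 0600, owned by the installing user) and remove the key from the other nodes' authorized_keys once the cluster no longer needs it.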

Modifying the System Clock

A Network Time Protocol (NTP) server must be reachable from every node. chrony implements NTP and is installed by default on some versions of RHEL and CentOS; it must be installed on every node.

Verify the chrony configuration by using the command:

chronyc tracking

If chrony is not installed, install it, start and enable the chrony daemon, and then verify operation with these commands:

dnf install chrony
systemctl start chronyd
systemctl enable chronyd
chronyc tracking

After modifying the system clock, you must reboot each node by running the reboot command.
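The check below is added here as an example and is not part of the product: chronyc tracking prints a report even when chronyd has no usable time source, so the script parses the report and fails unless the node is actually synchronised to a real reference. The sample outputs in the block are constructed, not captured from a node, and the 0.1 s offset bound is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the ArcSight installer: decide from `chronyc tracking`
# output whether a node is really synchronised, which "chronyd is running" does not
# tell you. Run on each node: sh chrony-check.sh run
# Assumption: the 0.1 s offset bound is a value chosen here, not taken from the page.

MAX_OFFSET_S="${MAX_OFFSET_S:-0.1}"

# chrony_synced TRACKING_TEXT [MAX_OFFSET_S]
# Passes only when the reference is a real source (not 00000000 / unsynchronised and
# not the 127.127.1.1 local clock), leap status is Normal, and the System time offset
# is under the bound. chrony prints the offset as a magnitude followed by "fast" or
# "slow", so no absolute value is needed.
chrony_synced() {
    printf '%s\n' "$1" | awk -v bound="${2:-$MAX_OFFSET_S}" '
        BEGIN { ok = 0 }
        /^Reference ID/ { ref = $4 }     # "Reference ID    : C0A80001 (ntp1.example.com)"
        /^Leap status/  { leap = $4 }    # "Leap status     : Normal"
        /^System time/  { off = $4 }     # "System time     : 0.000123 seconds fast of NTP time"
        END {
            if (ref != "" && ref != "00000000" && ref != "7F7F0101" && ref != "127.127.1.1" &&
                leap == "Normal" && off + 0 < bound + 0)
                ok = 1
            exit (ok ? 0 : 1)
        }'
}

check_node() {
    command -v chronyc >/dev/null 2>&1 || { echo "chrony is not installed"; return 1; }
    out=$(chronyc tracking 2>&1) || { echo "chronyd is not running: $out"; return 1; }
    if chrony_synced "$out"; then
        echo "synchronised"
    else
        echo "NOT synchronised, do not proceed with the database install:"
        printf '%s\n' "$out"
        return 1
    fi
}

# Constructed sample reports (not captured from a real node) for trying the check offline.
SAMPLE_SYNCED='Reference ID    : C0A80001 (ntp1.example.com)
Stratum         : 3
System time     : 0.000123456 seconds fast of NTP time
Last offset     : -0.000009876 seconds
Leap status     : Normal'

SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

SAMPLE_DRIFTED='Reference ID    : C0A80001 (ntp1.example.com)
Stratum         : 3
System time     : 0.750000000 seconds slow of NTP time
Leap status     : Normal'

if [ "${1:-}" = "run" ]; then check_node; fi
```

Run it on every node before the reboot step; a node that passes only because it is disciplined by its own local clock would still drift away from the others, which is why the local-clock reference IDs are rejected.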

Determining FIPS Configuration

To enable or disable FIPS, follow the steps in Enabling FIPS Mode on the Database Server.

Configuring and Installing the Database Server

Before installing the database, estimate the storage needed for the incoming events per second (EPS) and the event size, and evaluate the retention policy accordingly.
  1. On the Database cluster node1 server, create a folder for the database installer.

    For example:

    mkdir /opt/arcsight-db-tools
  2. Do not create this folder under /root or /opt/vertica.
  3. From the master node where you performed the Downloading Installation Packages steps, copy the installer archive to /opt/arcsight-db-tools on the Database cluster node1 server:

    {unzipped-installer-dir}/installers/database/db-installer_x.x.x-x.tar.gz

  4. To extract the installer file and place it in the correct directory, run the following commands:

    cd /opt/arcsight-db-tools
    tar xvfz db-installer_x.x.x.x.tar.gz
  5. Edit the config/db_user.properties file and add all database node IPs to the hosts property.

    Property   Description
    hosts      A comma-separated list of the database servers in IPv4 format (for example, 1.1.1.1,1.1.1.2,1.1.1.3). Avoid the local loopback address (localhost, 127.0.0.1, and so on) when constructing the cluster.

  6. Install the database.

    ./db_installer install
  7. When prompted, create the database administrator user.

    The database administrator user account is used during database deployment, configuration, upgrade, and debugging. For security reasons, the capabilities deployed on the platform never prompt you for this user's credentials.

    ---------------------------------------
    Please specify a username for [ DB Admin ] user:
    dbadmin
    
    ---------------------------------------
    Please specify a password for [ DB Admin ] user:
    ********
    Re-enter password:
    ********
    For a list of options that you can specify when installing the database, see Understanding the Database Installer Options.
  8. Specify the shard count. We recommend a shard count of 3 for a single-node cluster, or 18 for a multi-node cluster to allow for scalability. Once the database is installed, this value cannot be changed. The prompt depends on your environment, single-node or multi-node:

    • Single-node:

      # ========================================
      # STEP 1: Specify Database Shard Count for Eon Mode
      Do you plan to keep the database cluster to a single node in the future?
      If yes, the database will be optimized for performance on a single node by setting the default shard count to 3.
      Shard Count [3]:
      Shard count cannot be changed after installation.
      Confirm shard count [3]?(y/n):y
      Check memory size, 48GB required for single node installation with shard count > 3.
      PASS: Single node installation for shard count: 3
      
    • Multi-node:

      # ========================================
      # STEP 1: Specify Database Shard Count for Eon Mode
      Recommended shard count for multi node database deployment is 18. 
      Shard Count [18]:
      Shard count cannot be changed after installation.
      Confirm shard count [18]?(y/n):y
  9. When prompted, specify the communal storage details. The following example uses S3 over TLS; the access key and password are read interactively rather than passed on the command line:

    # ========================================
    # STEP 2: Specify communal storage details
    Supported communal storage types - 
    1) S3
    2) Azure Blob Storage
    Choose a communal storage type from the above (1/2):1
    Specify S3 server:<IP address>
    Specify S3 server port (1-65535):9000
    Specify S3 server access key:<access_key>
    Specify S3 server password:
    Specify AWS region (leave empty for MinIO):
    Is TLS enabled(y/n):y
    Specify S3 bucket for communal storage:<yourS3BucketName>
    Specify the folder under bucket for communal storage if applicable:<newFolderNametoCreate>
  10. Create the schema.

    ./db_installer create-schema
  11. When prompted, create the following users:

    • App admin user: A regular database user granted elevated permissions for performing operations on the database to manage the database, schema, and resource pools. The credentials for this user will need to be provided later in the CDF Management Portal when you are deploying capabilities.

    • Search user: A regular database user with permissions restricted to event search operations. The credentials for this user will need to be provided later in the CDF Management Portal when you are deploying capabilities.

  12. Monitor your database cluster status regularly. For more information, see Monitoring the Database.

    • Database nodes status: Ensures all nodes are up

    • Database nodes storage status: Ensures storage is sufficient
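The script below is an added example, not part of the installer: it validates the installer directory, the hosts property and the shard-count prerequisites described above before you run ./db_installer, because a bad hosts list only fails once the installer is running and the shard count cannot be changed afterwards. The file and property names come from the page; the recommended shard counts and the 48 GB single-node requirement are taken from the installer prompts shown above; the SSH reachability check assumes the passwordless setup from the earlier section; the script name and the INSTALL_DIR override are assumptions.

```shell
#!/bin/sh
# Added example, not the installer's own logic: check the inputs this procedure
# depends on before running ./db_installer. File and property names follow the page;
# the install directory can be overridden with INSTALL_DIR.
# Run on node1 as the installing user: sh db-preflight.sh run

INSTALL_DIR="${INSTALL_DIR:-/opt/arcsight-db-tools}"

# installer_dir_ok PATH : absolute, and not under /root or /opt/vertica (page rule)
installer_dir_ok() {
    case "$1" in
        /root|/root/*|/opt/vertica|/opt/vertica/*) return 1 ;;
        /*) return 0 ;;
    esac
    return 1
}

# ipv4_ok ADDR : dotted quad, every octet numeric and at most 255
ipv4_ok() {
    printf '%s\n' "$1" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1; next }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1 }
        END { exit bad }'
}

# hosts_ok LIST : the hosts property value: comma-separated IPv4 addresses with no
# spaces, no loopback address and no duplicates
hosts_ok() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
    seen=" "
    for h in "$@"; do
        ipv4_ok "$h" || return 1
        case "$h" in 127.*) return 1 ;; esac            # loopback can never form a cluster
        case "$seen" in *" $h "*) return 1 ;; esac      # same node listed twice
        seen="$seen$h "
    done
    return 0
}

# host_count LIST : number of entries in the hosts property
host_count() { printf '%s' "$1" | awk -F, '{ print NF }'; }

# shard_count_ok COUNT NODES MEM_GB : a positive count; on a single node a count
# above 3 needs 48 GB of RAM, as the installer's own check states
shard_count_ok() {
    [ "$1" -gt 0 ] 2>/dev/null || return 1
    if [ "$2" -eq 1 ] && [ "$1" -gt 3 ] && [ "${3:-0}" -lt 48 ]; then return 1; fi
    return 0
}

preflight() {
    props="$INSTALL_DIR/config/db_user.properties"
    installer_dir_ok "$INSTALL_DIR" || { echo "install dir $INSTALL_DIR is under /root or /opt/vertica"; return 1; }
    [ -f "$props" ] || { echo "missing $props (extract the installer first)"; return 1; }
    hosts=$(sed -n 's/^hosts[[:space:]]*=[[:space:]]*//p' "$props" | tail -n 1)
    hosts_ok "$hosts" || { echo "hosts property rejected: '$hosts'"; return 1; }
    n=$(host_count "$hosts")
    mem=$(awk '/^MemTotal:/ { printf "%d", $2 / 1048576 }' /proc/meminfo)
    if [ "$n" -eq 1 ]; then rec=3; else rec=18; fi
    echo "hosts: $n node(s); recommended shard count: $rec; RAM on this node: ${mem} GB"
    shard_count_ok "$rec" "$n" "$mem" || { echo "shard count $rec needs 48 GB on a single node"; return 1; }
    # Confirm node1 reaches every listed node without a password before ./db_installer install.
    for h in $(printf '%s' "$hosts" | tr , ' '); do
        ssh -o BatchMode=yes -o ConnectTimeout=5 "$h" true || { echo "passwordless ssh to $h failed"; return 1; }
    done
    echo "preflight passed for $INSTALL_DIR"
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

The hosts check is deliberately strict (no spaces, no loopback, no duplicates) because the installer uses that list to build the cluster membership; fix the property file rather than relaxing the check.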