Configuring the Filestore for the ArcSight Suite

OMT and the ArcSight suite require several independent folders for storing various types of information, such as database files, log files, and runtime data.

Following this procedure, you will create this folder structure for ArcSight:

By using different parent folders, you can use a single filestore for several different file systems (as long as they are in the same region and the same VPC).

If you uploaded the product images to the bastion when you followed the Upload Product Images to the Artifact Registry procedure, the needed packages are already in the right location. Otherwise, use an scp client to copy the arcsight-platform-cloud-installer-XX.X.X.XXX.zip package to the bastion and unpack it.
  1. To create the folders and set the respective permissions, unzip the gcp-scripts script archive and then run the createFileStore.sh script from the gcp-scripts/scripts directory:

    ./createFileStore.sh --file-store <FILESTORE_IP_ADDRESS> --file-share <FILE_SHARE_NAME> -p <PARENT_FOLDER_NAME> --user_uid <USER_ID> --user_gid <GROUP_ID>

    Where:

    <FILESTORE_IP_ADDRESS> is a required value, obtained while Creating the filestore (check the Google Cloud worksheet).

    <FILE_SHARE_NAME> is a required value, obtained while Creating the filestore (check the Google Cloud worksheet). It is the name of the file share exported by the mountable filestore.

    <PARENT_FOLDER_NAME> is an optional value. It is the name of the folder to be created at the top level of the hierarchy; if not specified, it defaults to 'arcsight'.

    <USER_ID> is an optional value. It should match the system user ID that will be used to install the ArcSight Suite; if not specified, it defaults to '1999'.

    <GROUP_ID> is an optional value. It should match the system group ID that will be used to install the ArcSight Suite; if not specified, it defaults to '1999'.

    For example:

    ./createFileStore.sh --file-store 10.197.224.90 --file-share arcsight-suite -p arcsight
  2. The mount point is already present, but commented out, in the /etc/fstab file. Open /etc/fstab and uncomment the mount point line, for example with the following command:

    sudo vim /etc/fstab
  3. Run the following command to attach the file system:

    sudo mount -a
  4. (Conditional) If Intelligence is part of the deployment, run the following commands on arcsight-volume only, so that the Logstash and Elasticsearch pods do not fail because of permission issues:

    cd /mnt/filestore/<FILE_SHARE_NAME>/<PARENT_FOLDER_NAME>
    sudo chown -R 1999:1999 arcsight-volume

    Where <FILE_SHARE_NAME> and <PARENT_FOLDER_NAME> are the values described in step 1.

  5. Verify that the folders created under your chosen parent folder correspond to the structure described above by running the following command:

    ls -l /mnt/filestore/<FILE_SHARE_NAME>/<PARENT_FOLDER_NAME>

    Where <FILE_SHARE_NAME> and <PARENT_FOLDER_NAME> are the values described in step 1.
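The following script is an added example, not part of the ArcSight documentation or the gcp-scripts archive. It checks the outcome of steps 2 to 5 on the bastion: that the /etc/fstab entry for the share is active (not commented out), that the share is mounted, and that arcsight-volume is owned entirely by the installation uid/gid (1999:1999 by default) rather than re-running a recursive chown. It assumes GNU find and the util-linux mountpoint command; the FILE_SHARE_NAME, PARENT_FOLDER_NAME and RUN_CHECKS variables are this example's own conventions.

```shell
#!/bin/sh
# Post-configuration checks for the ArcSight filestore mount (example code,
# not from the ArcSight documentation). Assumes the layout used in this
# procedure: the NFS share mounted at /mnt/filestore/<FILE_SHARE_NAME> with
# the parent folder (default 'arcsight') directly beneath it.

# Return 0 if FSTAB_FILE has an active (non-commented) entry whose mount
# point is MOUNT_POINT; return 1 if it is missing or still commented out.
fstab_entry_active() {
    fstab_file=$1
    mount_point=$2
    awk -v mp="$mount_point" '
        /^[[:space:]]*#/ { next }          # skip commented-out lines
        NF >= 2 && $2 == mp { found = 1 }  # field 2 of fstab is the mount point
        END { exit found ? 0 : 1 }
    ' "$fstab_file"
}

# Return 0 if every file and directory under DIR is owned by UID:GID;
# otherwise list the offending paths on stderr and return 1. This is the
# condition step 4 establishes for the Logstash and Elasticsearch pods.
ownership_matches() {
    dir=$1
    uid=$2
    gid=$3
    bad=$(find "$dir" ! \( -uid "$uid" -a -gid "$gid" \) -print)
    if [ -n "$bad" ]; then
        printf 'ownership mismatch under %s (expected %s:%s):\n%s\n' \
            "$dir" "$uid" "$gid" "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the real bastion; defaults match the example in
# step 1 (file share 'arcsight-suite', parent folder 'arcsight').
main() {
    share=${FILE_SHARE_NAME:-arcsight-suite}
    parent=${PARENT_FOLDER_NAME:-arcsight}
    base="/mnt/filestore/$share"
    fstab_entry_active /etc/fstab "$base" ||
        { echo "fstab entry for $base is missing or commented out" >&2; exit 1; }
    mountpoint -q "$base" ||
        { echo "$base is not mounted; run: sudo mount -a" >&2; exit 1; }
    ownership_matches "$base/$parent/arcsight-volume" 1999 1999
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
    main
fi
```

Run it as RUN_CHECKS=1 ./check-filestore.sh after step 5; a non-zero exit with the printed path list tells you exactly which step to repeat.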