Connecting and configuring external storage for the Sensor component

Kaspersky Anti Targeted Attack Platform saves traffic received from network interfaces as network traffic dump files. If you want to ensure long-term storage of network traffic dump files, you can connect and configure external storage. You can use network traffic dump files in external storage to download network traffic as PCAP files. We recommend using SSD drives as external storage.

To connect and configure external storage for network traffic dump files on a server with the Sensor and Central Node components installed:

  1. Connect a disk of at least 100 GB that you want to use as external storage.
  2. Enter Technical Support Mode.
  3. Run the following commands:

    sudo -i

    fdisk -l

    Make sure that the disk that you connected for external storage is displayed in the console.

  4. Run the following commands:

    mke2fs -t ext4 -L DATA -m 0 /dev/<name of the connected disk>

    sudo nano /etc/fstab

    This opens the fstab file in a text editor.

  5. Add the following line at the end of the file:

    /dev/<name of the connected disk> /data/volumes/dumps/ ext4 defaults 0 0

  6. Close the text editor.
  7. Run the following commands:

    mount

    rm -r /data/volumes/dumps/*

    These commands delete all data from the connected disk.

    The connected disk will be configured for use as external storage.

  8. Run the following commands:

    chown kluser:klusers /data/volumes/dumps/

    ls -lah /data/volumes/dumps/

    lsblk

    Make sure that in the MOUNTPOINTS column, /data/volumes/dumps is displayed next to the name of the connected disk.

  9. Run the following commands:

    docker service update kata_product_main_1_preprocessor_span --force

    docker ps | grep preprocessor_span

    Wait until the Up 2 seconds appears in the console.

  10. Run the following commands:

    docker exec -it $(docker ps | grep preprocessor_span | awk '{print $1}') bash

    lsblk

    Make sure that in the MOUNTPOINTS column, the /mnt/kaspersky/nta/dumps value is displayed next to the name of the connected disk.

  11. Select the Sensor servers section in the window of the application web interface.
  12. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  13. Click Edit.
  14. Select the External storage tab and use the Connect external storage for traffic dump files switch to enable external storage mode.
  15. Set the space limit for storing the traffic dump files under Maximum size.

    You can select the unit of measure for the space limit: MB or GB.

  16. If necessary, in the Filtering using BPF section, enable filtering and enter an expression for filtering using the BPF (Berkley Packet Filter) technology. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
  17. If necessary, in the Storage time limit section, enable a limit on the minimum storage time for the files and specify the relevant number of days.
  18. Click Save.

External storage for network traffic dump files on the server with Sensor and Central Node installed is connected and configured.

To connect and configure external storage for network traffic dump files on a standalone server with the Sensor component installed:

  1. Connect a disk of at least 100 GB that you want to use as external storage.
  2. Enter Technical Support Mode.
  3. Run the following commands:

    sudo -i

    fdisk -l

    Make sure that the disk that you connected for external storage is displayed in the console.

  4. Run the following commands:

    mke2fs -t ext4 -L DATA -m 0 /dev/<name of the connected disk>

    sudo nano /etc/fstab

    This opens the fstab file in a text editor.

  5. Add the following line at the end of the file:

    /dev/<name of the connected disk> /data/volumes/dumps/ ext4 defaults 0 0

  6. Close the text editor.
  7. Run the following command:

    rm -r /data/volumes/dumps/*

    These commands delete all data from the connected disk.

  8. Select the Sensor servers section in the window of the application web interface.
  9. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  10. Click Edit.
  11. Select the External storage tab and use the Connect external storage for traffic dump files switch to enable external storage mode.
  12. Set the space limit for storing the traffic dump files under Maximum size.

    You can select the unit of measure for the space limit: MB or GB.

  13. If necessary, in the Filtering using BPF section, enable filtering and enter an expression for filtering using the BPF (Berkley Packet Filter) technology. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
  14. If necessary, in the Storage time limit section, enable a limit on the minimum storage time for the files and specify the relevant number of days.
  15. Click Save.

External storage for network traffic dump files on the standalone server with the Sensor component installed is connected and configured.

Page top