We are unable to import PCAP files to Security Analytics. We keep getting the following error:
Just finished a Security Analytics virtual appliance configuration and cannot import pcaps.
There must be at least three virtual disks when building a new virtual machine. Without the three disks, there will be no capture or no index data. You can also check to see if /pfs is mounted by running df -h from the command line. This could also be caused by the appliance not being licensed yet.
The install of a virtual machine requires three virtual disks. One for capture, one for index, and the application. If there is one there will be no capture. If there is two, all metadata or index data is stored in the /var filesystem and it may fill quickly.