How to Use CB Qualifier to Verify Storage Drive Speeds for New EDR Servers

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to run the CB Qualifier Utility

To estimate the storage drives ability to handle the load from sensors on a new EDR server with no previous data.

Environment

EDR Server: All Supported Versions
RHEL/CentOS: All Supported Versions

Resolution

Pre-requisites

Verify the storage volume being used for data storage.
```
grep 'DatastoreRootDir' /etc/cb/cb.conf
```
Verify the volume has at least 100GB of free space available.
```
du -h
```
Services will need to be down to run this test properly, a large instance could take a few hours. Schedule accordingly.
If this is a Clustered instance, the test will need to be run on just one eventful minion node.

Determining Multiplication Factor

This will be based on the amount of endpoints that will connect to the EDR server.
Determine (estimate) if the environment will fall into low, medium, or high activity range.
- Medium is generally Windows Workstations and Servers.
- High is macOS, Linux and development servers.
Please reference the Server Operating Environment Requirements for full information.
- For medium activity, use a factor of 1 to determine ratio of actual to effective endpoints.
- For high activity, use a factor of 2 to determine ratio of actual to effective endpoints.
- Formula m = (licensed_endpoints / number_of_event_cluster_nodes) * effective_factor / 1,000
```
Medium example with 3000 sensors
(3000 / 1) * 1 / 1000


High example with 3000 sensors
(3000 / 1) * 2 / 1000
```

Running the Storage Drive Test

Stop the services.

Standalone:
/usr/share/cb/cbservice cb-enterprise stop

Cluster:
/usr/share/cb/cbcluster stop

Using the multiplication factor calculated, run this command. .

cbr-qualifier disk <DatastoreRootDir> -m <estimated_multiplier> --o edr_qual.yml

Example of a multiplier of 20 with DatastoreRootDir of /var/cb/data:

cbr-qualifier disk /var/cb/data -m 20 --o edr_qual.yml

After the test has completed, start services again.
Reading the output. Reading the CB Qualifier Storage Drive Utility Results

Additional Information

cbr-qualifier disk --help

Usage:

    cbr-qualifier disk --help

    cbr-qualifier disk [--config=config.yml] --list

    cbr-qualifier disk [--config=config.yml] [--profile=PROFILE] --list_tests

    cbr-qualifier disk --get_config

    cbr-qualifier disk [--verbose] --print_output <output.yml>

    cbr-qualifier disk [--config=config.yml] [--factor=FACTOR]

         [--runtime=RUNTIME] [--filesize=FILESIZE] [--profile=PROFILE]

         [--test=TEST] [--output=output.yml] [--multiplier=MULTIPLIER]

         [--no_delete] [--verbose] <test_directory>

Options

    -h, --help

    -c config.file --config=confg.yml   Disk Test Config File

    -f factor --factor=FACTOR           Fudge factor (Match to factor percent of thresholds)

    -r runtime --runtime=RUNTIME        Override runtime in profile

    -s filesize --filesize=FILESIZE     Override filesize in profile

    -p profile --profile=PROFILE        Specify Profile

    -l --list                           List IO profiles

    -T --list_tests                     List IO tests

    -n --no_delete                      Do not delete fio test file

    -t test --test=TEST                 Run a Specific Test

    -g --get_config                     Get the default config file yaml

    -o --output=output.yml              Write output in yaml to file

    -m --multiplier=MULTIPLIER          Multiplier on test profile, most useful with the per_million_process_doc profile

    -v --verbose                        Verbose mode, prints IOPS numbers

    -P --print_output                   Pretty print results from a output.yml file