Solr uses new cbevents directories (mount points) if their names begin with cbevents or _cbevents, that is, if they match cbevents* or _cbevents*.

Note:

The cbevents directory (without the suffix) is the default directory but does not need to remain on the original data partition. You can remove it if needed.

The following is an example of a valid multi-volume configuration:

[Figure: A valid multi-volume configuration]

In this example, the default data drive is mounted to /dev/xvdb, and /data is configured as the data root in cb.conf. In addition, two more volumes are added and mounted to /data/solr/cbevents2 and /data/solr/cbevents3.

Caution:

The system assigns the correct user:group upon cb-enterprise restart. If you created the mount points on a live server, ensure that the user assigned to the Carbon Black EDR server has write permissions on the mounted directory. Failure to do so causes the system to ignore the new mount points.

Use a symlinked Location for Event Storage

You can use a symlink to expand cbevents storage.

Procedure

  1. Create a mount point in another location in the file system, such as /data2.
  2. Inside the solr directory, create a symlink named cbevents* that points to the mounted directory. For example:
    ln -s /data2 /var/cb/data/solr/cbevents2
  3. Make sure that the Carbon Black EDR user has write permissions in the mounted directory (/data2).
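
A check for the procedure above, as an added example that is not from the Carbon Black EDR documentation: it resolves every cbevents* and _cbevents* entry in the solr directory and reports any whose target is missing or lacks write permission for the service account. The function names, the account argument, and the use of GNU stat and readlink are assumptions; only owner/group/other mode bits are evaluated, not ACLs.

```sh
#!/bin/sh
# Added example (not vendor code). Assumptions: GNU stat and readlink; the
# solr directory and the EDR service account are supplied by the caller.

# Succeeds if account $2 (name or numeric uid) has the write bit on
# directory $1, judged from owner/group/other mode bits (ACLs ignored).
user_can_write() {
    dir=$1; user=$2
    case $user in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || return 1 ;;
        *)        uid=$user ;;
    esac
    mode=0$(stat -c %a "$dir") || return 1      # leading 0 marks it as octal
    if [ "$(stat -c %u "$dir")" = "$uid" ]; then
        [ $(($mode & 0200)) -ne 0 ]; return     # owner class applies
    fi
    for gid in $(id -G "$user" 2>/dev/null); do
        if [ "$gid" = "$(stat -c %g "$dir")" ]; then
            [ $(($mode & 0020)) -ne 0 ]; return # group class applies
        fi
    done
    [ $(($mode & 0002)) -ne 0 ]                 # otherwise "other" class
}

# Prints "<STATUS> <entry> -> <resolved target>" for every cbevents* or
# _cbevents* entry in solr directory $1; returns 1 if any entry is unusable.
audit_cbevents() {
    rc=0
    for entry in "$1"/cbevents* "$1"/_cbevents*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        target=$(readlink -f "$entry" 2>/dev/null) || target=
        if [ -z "$target" ] || [ ! -d "$target" ]; then
            echo "NOTDIR $entry -> ${target:-unresolved}"; rc=1
        elif ! user_can_write "$target" "$2"; then
            echo "NOWRITE $entry -> $target"; rc=1
        else
            echo "OK $entry -> $target"
        fi
    done
    return $rc
}

# Usage: sh audit.sh /var/cb/data/solr <edr-service-account>
if [ "$#" -eq 2 ]; then audit_cbevents "$1" "$2"; fi
```

A NOWRITE or NOTDIR line identifies a mount point that, per the caution above, the system would ignore.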