ONTAP Discussions
ONTAP Discussions
I see the system default protection policy "MirrorAndVault" is daily 7 and weekly 52. Does it mean the system will keep 7 daily snapshots and 52 weekly snapshots? For these long term snapshot, I am always wondering if data changes often and big, snapshot space usage will run out of control. we were used to have 7TB snapshotd for a 5TB CIFS share on EMC in 30 days.
Can someone share your experience how can we manage snapshot space usage for long term snapvaults? thanks.
Solved! See The Solution
Hi,
A growth this big means someone deletes / change files very frequently.
If you can't find the cause, you can maybe try and fiddle with the snapdiff API - https://www.slideshare.net/AshwinPawar/snapdiff-150649347
Once you found the "offender", You need to understand what they do and why.
In my environment I usually keep the snap-reserve configuration to be very low and use AIUM (OCUM) to monitor breaches as an indicator for ransomware and intentional/accidental deletion. That's also how I found a case where a developer compress existing files again and again (to hourly, then daily, then weekly and monthly zip archives). Ideally this kind of activity need to be moved to a low retention volume, and once the files been fully processed - moved to long retention volume.
Hi,
A growth this big means someone deletes / change files very frequently.
If you can't find the cause, you can maybe try and fiddle with the snapdiff API - https://www.slideshare.net/AshwinPawar/snapdiff-150649347
Once you found the "offender", You need to understand what they do and why.
In my environment I usually keep the snap-reserve configuration to be very low and use AIUM (OCUM) to monitor breaches as an indicator for ransomware and intentional/accidental deletion. That's also how I found a case where a developer compress existing files again and again (to hourly, then daily, then weekly and monthly zip archives). Ideally this kind of activity need to be moved to a low retention volume, and once the files been fully processed - moved to long retention volume.
Auditing/fpolicy can possibly also be used to track what is writing to a volume or deleting stuff. Auditing works on CIFS, but fpolicy works on NFS. Make sure if you go down the fpolicy route to enable first-read/write on both CIFS/NFS.