ONTAP Discussions

snapvault space management

FelixZhou
1,816 Views

I see the system default protection policy "MirrorAndVault" is daily 7 and weekly 52.  Does it mean the system will keep 7 daily snapshots and 52 weekly snapshots? For these long term snapshot, I am always wondering if data changes often and big, snapshot space usage will run out of control. we were used to have 7TB snapshotd for a 5TB CIFS share on EMC in 30 days.

Can someone share your experience how can we manage snapshot space usage for long term snapvaults? thanks.

1 ACCEPTED SOLUTION

GidonMarcus
1,774 Views

Hi,

 

A growth this big means someone deletes / change files very frequently.

If you can't find the cause, you can maybe try and fiddle with the snapdiff API -  https://www.slideshare.net/AshwinPawar/snapdiff-150649347

Once you found the "offender", You need to understand what they do and why.

 

In my environment I usually keep the snap-reserve configuration to be very low and use AIUM (OCUM) to monitor breaches as an indicator for ransomware and intentional/accidental deletion. That's also how I found a case where a developer compress existing files again and again (to hourly, then daily, then weekly and monthly zip archives). Ideally this kind of activity need to be moved to a low retention volume, and once the files been fully processed - moved to long retention volume.

 

 

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

2 REPLIES 2

GidonMarcus
1,775 Views

Hi,

 

A growth this big means someone deletes / change files very frequently.

If you can't find the cause, you can maybe try and fiddle with the snapdiff API -  https://www.slideshare.net/AshwinPawar/snapdiff-150649347

Once you found the "offender", You need to understand what they do and why.

 

In my environment I usually keep the snap-reserve configuration to be very low and use AIUM (OCUM) to monitor breaches as an indicator for ransomware and intentional/accidental deletion. That's also how I found a case where a developer compress existing files again and again (to hourly, then daily, then weekly and monthly zip archives). Ideally this kind of activity need to be moved to a low retention volume, and once the files been fully processed - moved to long retention volume.

 

 

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

paul_stejskal
1,722 Views

Auditing/fpolicy can possibly also be used to track what is writing to a volume or deleting stuff. Auditing works on CIFS, but fpolicy works on NFS. Make sure if you go down the fpolicy route to enable first-read/write on both CIFS/NFS.

Public