Deploy the ExtraHop Explore Appliance on Linux KVM

In this guide, you will learn how to deploy an ExtraHop Explore virtual appliance on a Linux kernel-based virtual machine (KVM) and to join multiple Explore appliances to create an Explore cluster. You should be familiar with basic KVM administration before proceeding.

Important:If you want to deploy more than one ExtraHop virtual appliance, create the new instance with the original deployment package or clone an existing instance that has never been started.

System requirements

Your environment must meet the following requirements to deploy a virtual Explore appliance:

Important:ExtraHop tests virtual Explore clusters on local storage for optimal performance. ExtraHop strongly recommends deploying virtual Explore clusters on continuously available, low latency storage, such as a local disk, direct-attached storage (DAS), network-attached storage (NAS), or storage area network (SAN).
  • A KVM hypervisor environment capable of hosting the Explore virtual appliance. The Explore virtual appliance is available in the following configurations:
    4 CPUs 8 CPUs 16 CPUs 32 CPUs
    8 GB RAM 16 GB RAM 32 GB RAM 64 GB RAM
    4 GB boot disk 4 GB boot disk 4 GB boot disk 4 GB boot disk
    250 GB or smaller datastore disk 500 GB or smaller datastore disk 1 TB or smaller datastore disk 2 TB or smaller datastore disk
    Note:When you deploy an Explore appliance, a second virtual disk is required to store record data. The EXA-XS is preconfigured with a 250 GB datastore disk; however, you must manually add a second virtual disk to the other available EXA configurations. The minimum datastore disk size for all configurations is 150 GB.

    Consult with your ExtraHop sales representative or Technical Support to determine the datastore disk size that is best for your needs.

    Note:For KVM deployments, virtio-scsi interface is recommended for the boot and datastore disks.
  • An Explore virtual appliance license key.
  • The following TCP ports must be open:
    • TCP port 443: Enables you to administer the Explore appliance through the Web UI. Requests sent to port 80 are automatically redirected to HTTPS port 443.
    • TCP port 9443: Enables Explore nodes to communicate with other Explore nodes in the same cluster.

Package contents

The installation package for KVM systems is a tar.gz file that contains the following items:

The domain XML configuration file
The boot disk
The datastore disk

Determine the best bridge configuration

Identify the bridge through which you will access the management interface of your Explore appliance.

  1. Make sure the management bridge is accessible to the Explore virtual appliance and to all users who must access the management interface.
  2. If you need to access the management interface from an external computer, configure a physical interface on the management bridge.

Edit the domain XML configuration file

After you identify the management bridge, edit the configuration file, and create the Explore virtual appliance.

  1. Contact ExtraHop Support ( to obtain and download the Explore KVM package.
  2. Extract the tar.gz file that contains the installation package.
  3. Copy the two disks extrahop-boot.qcow2 and extrahop-data.qcow2 to your KVM system. Make a note of the location where you store these files.
  4. Open the domain XML configuration file in a text editor and edit the following values:
    1. Change the VM name to a name for your ExtraHop virtual appliance.
      For example:
    2. Change the source file path ([PATH_TO_STORAGE]) to the location where you stored the virtual disk files in step 3.
      <source file='[PATH_TO_STORAGE]/extrahop-boot.qcow2'/> 
      <source file='[PATH_TO_STORAGE]/extrahop-data.qcow2'/>
    3. Change the source bridge for the management network (ovsbr0) to match the name of your management bridge.
      <interface type='bridge'>
         <source bridge='ovsbr0'/>
         <model type='virtio'/>
         <alias name='net0'/>
         <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    4. (Optional) If your virtual bridge is configured through Open vSwitch virtual switch software, add the following virtualport type setting to the interface (after the source bridge setting):
      <virtualport type='openvswitch'>
  5. Save the XML file.
  6. Create the new Explore virtual appliance with your revised domain XML configuration file by running the following command:
    virsh define <EXA_KVM_x.xml>
    Where <EXA_KVM_x.xml> is the name of your domain XML configuration file.

Resize the datastore disk

Resize the datastore disk so that the allotted space is large enough to store the type of records you want to store for the amount of lookback desired.

Resize the datastore disk by running the following command:
qemu-img resize extrahop-data.qcow2 <+nGB>
Where <+nGB> is the size of the disk.
For example:
qemu-img resize extrahop-data.qcow2 +100GB

Start the VM

  1. Start the VM by running the following command:
    virsh start <vm_name>
    Where <vm_name> is the name of your ExtraHop virtual appliance you configured in step 4 of the Edit the domain XML file section.
  2. Log in to the KVM console and view the IP address for your new ExtraHop virtual appliance by running the following command:
    virsh console <vm_name>

(Optional) Configure a static IP address

By default, ExtraHop appliances ship with DHCP enabled. If your network does not support DHCP, you must configure a static address manually.

  1. Log into the KVM host.
  2. Run the following command to connect to the ExtraHop appliance through the virtual serial console:
    virsh console <vm_name>

    Where <vm_name> is the name of your virtual machine.

  3. Press ENTER twice to get to the appliance login prompt.
    ExtraHop Discover Appliance Version
    exampleium login: 
  4. At the login prompt, type shell, and then press ENTER.
  5. At the password prompt, type default, and then press ENTER.
  6. To configure the static IP address, run the following commands:
    1. Enable privileged commands:
    2. At the password prompt, type default, and then press ENTER.
    3. Enter configuration mode:
    4. Enter the interface configuration mode:
    5. Run the ip command and specify the IP address and DNS settings in the following format: ip ipaddr <ip_address> <netmask> <gateway> <dns_server>
      For example:
      ip ipaddr
    6. Leave the interface configuration section:
    7. Save the running config file:
      running_config save
    8. Type y and then press ENTER.

Configure the Explore appliance

After you obtain the IP address for the Explore appliance, log into the Explore Admin UI through the following URL: https://<explore_ip_address>/admin and complete the following recommended procedures.

Note:The default login username is setup and the password is default.

Create an Explore cluster

For the best performance, data redundancy, and stability, you must configure at least three Explore appliances in an Explore cluster.

Before you begin

You must have already installed the Explore appliances in your environment before proceeding.

In the following example, the Explore appliances have the following IP addresses:

  • Node 1:
  • Node 2:
  • Node 3:

You will join nodes 2 and 3 to node 1 to create the Explore cluster.

Important:Each node that you join must have the same configuration (physical or virtual) and the same ExtraHop firmware version. EXA 5100 and EXA 5200 physical appliances can be in the same cluster.
  1. Log into the Admin UI on all three Explore appliances with the setup user account in three separate browser windows or tabs.
  2. Select the browser window of node 1.
  3. In the Status and Diagnostics section, click Fingerprint and note the fingerprint value. You will later confirm that the fingerprint for node 1 matches when you join the remaining two nodes.
  4. Select the browser window of node 2.
  5. In the Explore Cluster Settings section, click Join Cluster.
  6. In the Host field, type the hostname or IP address of node 1 and then click Continue.
    Note:For cloud-based deployments, be sure to type the IP address listed in the Interfaces table on the Connectivity page.
  7. Confirm that the fingerprint on this page matches the fingerprint you noted in step 3.
  8. In the Setup Password field, type the password for the node 1 setup user account and then click Join.
    When the join is complete, the Explore Cluster Settings section has two new entries: Cluster Members and Cluster Data Management.
  9. Click Cluster Members. You should see node 1 and node 2 in the list.
  10. In the Status and Diagnostics section, click Explore Cluster Status. Wait for the Status field to change to Green before adding the next node.
  11. Repeat steps 5 - 10 to join each additional node to the new cluster.
    Note:To avoid creating multiple clusters, always join a new node to an existing cluster and not to another single appliance.
  12. When you have added all of your Explore appliances to the cluster, click Cluster Members in the Explore Cluster Settings section. You should see all of the joined nodes in the list, similar to the following figure.
  13. In the Explore Cluster Settings section, click Cluster Data Management and make sure that Replication Level is set to 1 and Shard Reallocation is ON.

Connect the Explore appliance to Discover and Command appliances

After you deploy the Explore appliance, you must establish a connection from all ExtraHop Discover and Command appliances to the Explore appliance before you can query records.

Important:If you have an Explore cluster of three or more Explore nodes, connect the Discover appliance to each Explore node so that the Discover appliance can distribute the workload across the entire Explore cluster.
Note:If you manage all of your Discover appliances from a Command appliance, you only need to perform this procedure from the Command appliance.
  1. Log into the Admin UI on the Discover or Command appliance .
  2. In the ExtraHop Explore Settings section, click Connect Explore Appliances.
  3. Click Add New.
  4. In the Explore node field, type the hostname or IP address of any Explore appliance in the Explore cluster.
  5. For each additional Explore appliance in the cluster, click Add New and enter the individual hostname or IP address in the corresponding Explore node field.

  6. Click Save.
  7. Confirm that the fingerprint on this page matches the fingerprint of node 1 of the Explore cluster.
  8. In the Explore Setup Password field, type the password for the Explore node 1 setup user account and then click Connect.
  9. When the Explore Cluster settings are saved, click Done.

Next steps

Important:If you only deployed a single Explore appliance, after you connect to your Discover or Command appliance, you must log into the Admin UI on the Explore appliance and set the Explore Cluster Settings > Cluster Data Management > Replication Level to 0.

Send record data to the Explore appliance

After your Explore appliance is connected to all of your Discover and Command appliances, you must configure the type of records you want to store.

See Records for more information about Explore configuration settings, how to generate and store records, and how to create record queries.
Published 2021-12-01 20:14