Configure Reporting Engine
Ensure that:
- The Decoders connected to the Concentrator are added to the Reporting Engine as the data source before you create an alert rule.
- A Syslog server that supports TCP with Transport Layer Security (TLS) is installed and configured in your environment (for example, WinSyslog or rsyslog). When an alert is triggered, the Reporting Engine can then deliver the Syslog message over TCP/TLS.
To configure the Reporting Engine to send Syslog alerts over TCP with Transport Layer Security (TLS):
- Obtain the required certificates.
- Append the CA certificate to the ca.pem file on the NetWitness server.
- Configure the Syslog server to accept messages from client machines.
- Configure the delivery of alert messages in the NetWitness UI.
Task 1: Obtain the required certificates
To generate the certificates for configuring the Reporting Engine to send Syslog messages over TCP with TLS:
- Generate a Certificate Authority (CA) certificate. For more information, go to https://www.rsyslog.com/doc/master/tutorials/tls_cert_summary.html
Note: You can skip this step if you already have a CA running in your environment.
- Generate a key pair for the Syslog server and have the CA sign its certificate. The certificate must name the host (in the Subject Alternative Name) that the Reporting Engine connects to; a client that verifies the server name rejects the handshake if the name does not match. For more information, go to https://www.rsyslog.com/doc/master/tutorials/tls.html
Note: You can skip this step if the Syslog server is already secured with a key and certificate issued by the same CA.
Task 2: Append the CA certificate to the ca.pem file on the NetWitness Server
To append an existing CA certificate to the ca.pem file:
- Manually append the contents of the CA certificate that you generated to the /etc/pki/CA/certs/ca.pem file. Append rather than overwrite, so that CA certificates already in the file stay trusted.
- Run the following command on the NetWitness server to have the certificate populate to the Java Truststore:
keytool -import -file /etc/pki/CA/certs/ca.pem -keystore cacerts
Note: keytool imports only the first certificate it finds in the file and stores it under an alias (mykey unless you pass -alias), so when ca.pem holds several CA certificates, import each one separately with its own -alias. The keystore path cacerts is relative; run the command from the security directory of the Java installation that the Reporting Engine uses, or give the full path. keytool prompts for the keystore password (changeit by default). Restart the Reporting Engine service afterwards so that the JVM reloads the Truststore.
Task 3: Configure the Syslog Server to accept messages from client machines
To configure the Syslog server to accept messages from client machines that trust the same CA certificate:
- Copy the following files to your secure TCP server target location:
- ca_cert.pem
- server_cert.pem
- server_key.pem
Where:
ca_cert.pem is the CA certificate
server_cert.pem is the server certificate
server_key.pem is the server private key (restrict its file permissions to the Syslog service account)
For more information, see the documentation specific to your Syslog server. If you are using rsyslog, refer to https://www.rsyslog.com/doc/master/index.html.
Task 4: Configure the delivery of alert messages in NetWitness
Configure Reporting Engine to send Syslog messages over TCP with Transport Layer Security (TLS) when an alert is triggered by enabling SECURE_TCP in the Output Actions tab for the Reporting Engine service in the Reporting Engine Services Config View. For more information, see the "Reporting Engine Output Actions" topic in the Host and Services Configuration Guide.
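Tasks 1 through 3 carried through end to end, as an added example that is not NetWitness or rsyslog project code: it generates the CA and the server key pair with openssl, appends the CA certificate to a ca.pem bundle, writes an rsyslog TLS listener fragment, and then checks that server_cert.pem actually verifies against ca.pem and carries the expected hostname, which is the check to run before touching the UI in Task 4. The hostname syslog.example.com, the CA name "Example Syslog CA", the listener paths under /etc/rsyslog.d/tls and port 6514, and the scratch directory standing in for /etc/pki/CA/certs are all assumptions; the pre-existing "Existing Root CA" in ca.pem is constructed so the append step can be shown. Task 4 (enabling SECURE_TCP) stays a UI setting and is not scripted here.

```shell
#!/bin/sh
# Added example, not NetWitness or rsyslog project code. Builds the certificate
# material Tasks 1-3 call for with openssl, appends the CA to a ca.pem bundle,
# writes an rsyslog TLS listener config, and checks that the chain verifies.
# Assumptions: hostname syslog.example.com, CA name "Example Syslog CA", and a
# scratch directory standing in for /etc/pki/CA/certs and the rsyslog host.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for a ca.pem that already holds one trusted CA (constructed so the
# append step can be shown; on a real NetWitness server ca.pem already exists).
gen_existing_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Existing Root CA" \
        -keyout "$WORK/existing_key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

# Task 1, step 1: a self-signed CA. Skip this if your environment already has one.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Syslog CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
}

# Task 1, step 2: server key pair, CSR, and a certificate signed by the CA.
# The SAN must carry the name the Reporting Engine connects to; clients that
# verify the server name ignore the CN.
gen_server() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/server_key.pem" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$WORK/san.cnf"
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server_cert.pem" 2>/dev/null
}

# Task 2: append, never overwrite, so CAs already trusted in ca.pem survive.
append_ca() {
    cat "$WORK/ca_cert.pem" >> "$WORK/ca.pem"
}

# Number of certificates in a PEM bundle. keytool -import reads only the first
# certificate in a file, so import each CA separately under its own -alias.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Task 3: rsyslog listener using the GnuTLS driver and the three copied files
# (legacy directive syntax from the rsyslog TLS tutorial; paths are assumed).
# AuthMode anon validates nothing about the client; switch to x509/name plus
# $InputTCPServerStreamDriverPermittedPeer to require a client certificate.
write_listener_conf() {
    cat > "$WORK/10-tls-listener.conf" <<'EOF'
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca_cert.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server_cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server_key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 6514
EOF
}

# Check: the server certificate must chain to a CA in ca.pem and its SAN must
# name the host, or the Reporting Engine's TLS handshake will fail.
verify_chain() {
    host="$1"
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server_cert.pem" >/dev/null 2>&1 \
        || return 1
    openssl x509 -in "$WORK/server_cert.pem" -noout -text 2>/dev/null \
        | grep -q "DNS:$host"
}

demo() {
    gen_existing_ca
    gen_ca
    gen_server syslog.example.com
    append_ca
    write_listener_conf
    echo "ca.pem now holds $(cert_count "$WORK/ca.pem") certificates"
    verify_chain syslog.example.com && echo "server_cert.pem verifies against ca.pem"
    echo "artifacts are in $WORK"
}

# Run the whole procedure when invoked as: sh tls_syslog_setup.sh run
if [ "${1:-}" = "run" ]; then demo; fi
```

Run it with `sh tls_syslog_setup.sh run`; the files it leaves in the scratch directory are the ones Task 2 (ca_cert.pem, to append) and Task 3 (ca_cert.pem, server_cert.pem, server_key.pem, plus the listener fragment) ask you to put in place. If verify_chain fails before you enable SECURE_TCP, fix the certificate first: a failure here shows up later only as a dropped TLS connection from the Reporting Engine.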