2016-12-27 03:54 PM
Hello,
I'm building a script that extracts an IP from a raw alert (default script template) and executes some stuff.
My output script is the basic one that I've found in the documentation and on the forum:
#!/usr/bin/env python
import json
import sys

def invoke_rest_API(alert):
    # Write the raw alert (already parsed from JSON) to data.txt.
    # The path is relative, so the file is created in the working
    # directory of whatever process runs the script.
    with open('data.txt', 'w') as outfile:
        json.dump(alert, outfile)

if __name__ == "__main__":
    # The default script template passes the alert JSON as the first argument.
    invoke_rest_API(json.loads(sys.argv[1]))
    sys.exit(0)
First, I'm testing the execution of the alert to create a file. The issue is that "data.txt" isn't created.
I added another notification via SMTP to test and to get the raw alert. I executed the script (via CLI) with the output (from SMTP) and the file was created. The script works with the output. My conclusion is that maybe the ESA isn't running the script.
My notification configuration is:
Output: SCRIPT
Notification: Invoke REST API (above)
Notification Server: Script Executor (from documentation: Configure Script as a Notification Server - RSA Security Analytics Documentation)
Template: Default Script Template
How can I check what is wrong? Any idea what is wrong?
As soon as my file is created I will change the script and extract only what I need.
Thanks
Igor Max
2016-12-28 03:47 AM
Hi, the script will be run under a user called "notification", so make sure that this user has the correct permissions to write data to the directory.
It might also be worthwhile specifying the full path where you want to write data to, e.g. /tmp/data.txt.
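Added example (not the original poster's script and not RSA's default script template) following the advice in the reply above: it writes to an absolute path in a directory assumed to be owned by the "notification" user, reports a non-writable directory on stderr and exits non-zero instead of silently producing no file, and, since the poster's next step is to extract an IP and act on it, validates candidate addresses with the ipaddress module before anything downstream sees them. The directory /var/lib/esa-notify, the sample alert's field names and the argv[1] convention are assumptions, not taken from the thread; the code is Python 3.

```python
#!/usr/bin/env python3
# Added example for this thread; not the poster's script and not RSA's
# default script template. Assumed (not stated in the thread): the ESA passes
# the alert JSON as argv[1], and OUTPUT_DIR was created for the "notification"
# user, e.g.  install -d -o notification -g notification -m 0700 /var/lib/esa-notify
import ipaddress
import json
import os
import sys
import tempfile

OUTPUT_DIR = "/var/lib/esa-notify"  # assumed path; must be writable by "notification"

# Constructed sample alert for offline runs; the field names are made up, not
# an ESA alert schema. The last two values show why addresses must be validated.
SAMPLE_ALERT_JSON = json.dumps({
    "events": [{
        "ip_src": "10.1.2.3",
        "ip_dst": "2001:db8::1",
        "user": "bob",
        "msg": "10.0.0.999",
        "host": "8.8.8.8; rm -rf /",
    }],
})


def writable_dir_problem(path):
    """Return None if `path` is a directory the *current* user can write to,
    otherwise a one-line description of the problem. Run it as the account the
    ESA actually uses ("notification"), or the answer is about the wrong user."""
    if not os.path.isdir(path):
        return "%s is not a directory" % path
    if not os.access(path, os.W_OK | os.X_OK):
        return "%s is not writable by uid %d" % (path, os.getuid())
    return None


def find_ip_addresses(obj):
    """Collect every string anywhere in the alert that parses as an IPv4 or
    IPv6 address. Whatever is later handed to a firewall API or a command
    line is then known to be an address, not free text copied from log data."""
    found = []
    if isinstance(obj, dict):
        for value in obj.values():
            found.extend(find_ip_addresses(value))
    elif isinstance(obj, list):
        for value in obj:
            found.extend(find_ip_addresses(value))
    elif isinstance(obj, str):
        try:
            found.append(str(ipaddress.ip_address(obj.strip())))
        except ValueError:
            pass  # not an address (or has shell metacharacters glued on)
    return found


def write_alert(alert, out_dir=OUTPUT_DIR):
    """Write the raw alert to a new, owner-only file under `out_dir` and return
    its absolute path. Raises OSError naming the directory instead of failing
    silently, so a permission problem shows up in the ESA's script output."""
    problem = writable_dir_problem(out_dir)
    if problem:
        raise OSError(problem)
    # mkstemp gives a unique name, O_EXCL and mode 0600; the alert may carry
    # internal hostnames, usernames and payload fragments, so keep it owner-only.
    fd, path = tempfile.mkstemp(prefix="alert-", suffix=".json", dir=out_dir)
    with os.fdopen(fd, "w") as outfile:
        json.dump(alert, outfile, indent=2)
    return os.path.abspath(path)


def demo():
    """Run the whole flow on the constructed sample in a fresh temporary
    directory. Returns the written path, whether the file reads back equal to
    the input, and the validated addresses that were found."""
    alert = json.loads(SAMPLE_ALERT_JSON)
    path = write_alert(alert, tempfile.mkdtemp(prefix="esa-notify-"))
    with open(path) as handle:
        roundtrip_ok = json.load(handle) == alert
    return {"path": path, "roundtrip_ok": roundtrip_ok,
            "ips": find_ip_addresses(alert)}


def main(argv):
    raw = argv[1] if len(argv) > 1 else SAMPLE_ALERT_JSON
    try:
        alert = json.loads(raw)
        path = write_alert(alert)
    except (ValueError, OSError) as exc:
        # stderr reaches the ESA's script log; a non-zero exit marks the failure
        sys.stderr.write("notification script failed: %s\n" % exc)
        return 1
    sys.stderr.write("wrote %s; addresses: %s\n"
                     % (path, ", ".join(find_ip_addresses(alert)) or "none"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To reproduce what the ESA sees, run the script as the same account it uses, e.g. `sudo -u notification python3 notify.py '{"ip_src": "10.1.2.3"}'`: a "not writable by uid" line on stderr then points at the real cause rather than at a silently missing file. /tmp works for a quick test, but it is world-writable, so a dedicated directory with mode 0700 owned by the notification user is the better permanent home for alert dumps.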
2016-12-28 05:29 AM
Hi.
Directory permissions were something that I figured out after I had left work. I changed the script permissions yesterday, but I forgot to check the directory. I just changed the directory from '/opt/rsa/esa/script/' to the one that you suggested, '/tmp/'. It worked.
Thanks for the reply.