Define Notification Server Dialogs

This topic describes the Define Notification Server dialogs used to configure the settings of the various types of notification servers. You configure notification servers in the Admin > System > Global Notifications > Servers tab.

Notifications are used by a variety of components in NetWitness, such as Event Stream Analysis (ESA), Respond, and Global Audit Logging. Notification settings are called Notification Servers. In the Servers tab of the Notifications panel in the Administration System view, you can create multiple Notification Server configurations.

You can configure the following types of notification server settings in NetWitness:

  • Email
  • SNMP
  • Syslog
  • Script

For Global Audit Logging, you can only use Syslog Notification Servers.

Procedures related to notification servers are described in Configure Notification Servers.

To access the Define Notification Server dialogs

  1. Go to Admin > System.
  2. In the left navigation panel, select Global Notifications.
  3. In the Notification Servers panel, click the Add icon and then select a type of notification server (Email, SNMP, Syslog, or Script).
    The Define Notification Server dialog for the selected type is displayed.

There are four Define Notification Server dialogs, one for each type of notification server.

Email

Email notification servers enable you to configure email server settings to send alert notifications.

The following figure shows the Define Email Notification Server dialog.
[Figure: Define Email Notification Server dialog]

The following table lists the various parameters that you need to define for the email notification servers.

Enable: Select to enable the notification server.
Name: A name to identify or label the notification server.
Description: A brief description of the notification server.
Server IP Or Hostname: Hostname of the email server. For ESM/SMS and ESA notifications, you must specify only the hostname/FQDN.
Server Port: The port number of the email server.
SSL: Select this option if the connection to the email server should use SSL.
From EMail Address: Email account from which you want to send email notifications.
Username: Username for logging into the email account, if the SMTP server requires user authentication to relay emails.
Password: Password for logging into the email account, if the SMTP server requires user authentication to relay emails.
Max Alerts Per Minute: The maximum number of alerts sent per minute.
Max Alert Wait Queue Size: The maximum number of alerts that can be queued before further alerts are dropped.
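The last two fields also appear on the SNMP and Syslog server dialogs. As an added illustration (not NetWitness code), the model below shows how they interact when alerts arrive faster than Max Alerts Per Minute allows: the surplus waits in a queue bounded by Max Alert Wait Queue Size, and once that queue is full further alerts are dropped rather than delayed. That the queue drains at the next minute boundary is an assumption of the model.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AlertDispatcher:
    """Model of Max Alerts Per Minute and Max Alert Wait Queue Size (an
    assumption about the semantics, not NetWitness code): alerts within the
    per-minute budget go out at once, the next ones wait in a bounded queue,
    and anything beyond the queue capacity is dropped."""

    max_alerts_per_minute: int
    max_queue_size: int
    sent: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    _queue: deque = field(default_factory=deque)
    _sent_this_minute: int = 0

    def submit(self, alert):
        """Offer one alert; returns "sent", "queued" or "dropped"."""
        if self._sent_this_minute < self.max_alerts_per_minute:
            self._sent_this_minute += 1
            self.sent.append(alert)
            return "sent"
        if len(self._queue) < self.max_queue_size:
            self._queue.append(alert)
            return "queued"
        self.dropped.append(alert)  # queue full: the alert is lost, not delayed
        return "dropped"

    def tick_minute(self):
        """A minute elapses: reset the budget and drain as much of the queue as
        the new budget allows. Returns the number of queued alerts flushed."""
        self._sent_this_minute = 0
        flushed = 0
        while self._queue and self._sent_this_minute < self.max_alerts_per_minute:
            self.sent.append(self._queue.popleft())
            self._sent_this_minute += 1
            flushed += 1
        return flushed


def simulate_burst(n_alerts, per_minute, queue_size):
    """Feed n_alerts within a single minute and count how many were sent,
    queued and dropped for the given two settings."""
    d = AlertDispatcher(per_minute, queue_size)
    outcomes = [d.submit("alert-%d" % i) for i in range(n_alerts)]
    return {k: outcomes.count(k) for k in ("sent", "queued", "dropped")}
```

If the queue is undersized for the burst an alert source can produce, alerts are lost rather than delayed, so size both values against the expected alert volume.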

SNMP

SNMP notification servers enable you to configure SNMP trap host settings as a notification server to send alert notifications.

The following figure shows the Define SNMP Notification Server dialog.

[Figure: Define SNMP Notification Server dialog]

The following table lists the various parameters that you need to define for the SNMP notification servers.

Enable: Select to enable the notification server.
Name: A name to identify or label the notification server.
Description: A brief description of the notification server.
Server IP Or Hostname: SNMP trap host IP address or hostname.
Server Port: Listening port number on the SNMP trap host.
SNMP Version: The SNMP version. The following are the options:

  • V1
  • V2C
  • V3

If you select SNMP Version 3 (v3), the following parameters are also displayed:

Notification Type: Determines how an SNMP message is sent each time an alert is generated. The following notification types are supported:

  • Inform - Inform is an acknowledged trap. The sender gets an acknowledgement from the receiver.
  • Trap - Trap is an unacknowledged notification.

Authoritative Engine ID (this option is available only for notification type Trap): An identifier used to identify the agent. The authoritative engine ID, together with the username, uniquely identifies the agent.
Security Level: Defines the security level. The following are the options:

  • Unauthenticated and Unencrypted
  • Authenticated and Unencrypted
  • Authenticated and Encrypted

Auth Protocol (this option is available only for the security levels Authenticated and Unencrypted and Authenticated and Encrypted): Authentication protocol used to validate a user before granting access to the server. The options are:

  • SHA
  • MD5

Auth Key (this option is available only for the security levels Authenticated and Unencrypted and Authenticated and Encrypted): The password to use for authentication.
Privacy Protocol (this option is available only for the security level Authenticated and Encrypted): The privacy protocol is the encryption technique used for data communication.
Private Key (this option is available only for the security level Authenticated and Encrypted): The password to use for encryption.
Community: Community string used to authenticate on the SNMP trap host. The default value is public.
Number of Retries: Number of retries for the trap.
Max Alerts Per Minute: Maximum number of alerts per minute.
Max Alert Wait Queue Size: Maximum number of alerts to be queued before they are dropped.
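The conditional fields above are easy to get wrong, so here is an added check (not part of NetWitness) that reviews an SNMP server definition expressed as a dict keyed by the dialog labels: it reports the fields the dialog requires for the chosen version, notification type and security level, and flags choices that leave traps without authentication or encryption. The option lists come from the table above; Privacy Protocol values are not listed on this page, so any non-empty value is accepted.

```python
# Option labels exactly as the Define SNMP Notification Server dialog shows them.
VERSIONS = ("V1", "V2C", "V3")
SECURITY_LEVELS = ("Unauthenticated and Unencrypted",
                   "Authenticated and Unencrypted",
                   "Authenticated and Encrypted")


def check_snmp_server(cfg):
    """Review one SNMP notification server definition (a dict keyed by the
    dialog labels) and return a list of findings; [] means the definition is
    complete and uses the strongest options the dialog offers."""
    findings = []
    version = cfg.get("SNMP Version")
    if version not in VERSIONS:
        return ["SNMP Version must be V1, V2C or V3, got %r" % (version,)]
    if version != "V3":
        # v1/v2c identify the sender by community string only, sent in cleartext
        if cfg.get("Community", "public") == "public":
            findings.append("Community string is the default 'public'")
        findings.append("%s has no authentication or encryption; prefer V3" % version)
        return findings
    ntype = cfg.get("Notification Type")
    if ntype not in ("Inform", "Trap"):
        findings.append("Notification Type must be Inform or Trap")
    elif ntype == "Trap" and not cfg.get("Authoritative Engine ID"):
        findings.append("Authoritative Engine ID is required for notification type Trap")
    level = cfg.get("Security Level")
    if level not in SECURITY_LEVELS:
        findings.append("Security Level must be one of: %s" % ", ".join(SECURITY_LEVELS))
        return findings
    if level.startswith("Authenticated"):
        proto = cfg.get("Auth Protocol")
        if proto not in ("SHA", "MD5"):
            findings.append("Auth Protocol must be SHA or MD5")
        elif proto == "MD5":
            findings.append("Auth Protocol MD5 is weaker than SHA; prefer SHA")
        if not cfg.get("Auth Key"):
            findings.append("Auth Key is required for an authenticated Security Level")
    else:
        findings.append("Security Level gives neither authentication nor encryption")
    if level == "Authenticated and Encrypted":
        # Privacy Protocol values are not listed on the page; any non-empty value passes
        if not cfg.get("Privacy Protocol"):
            findings.append("Privacy Protocol is required for Authenticated and Encrypted")
        if not cfg.get("Private Key"):
            findings.append("Private Key is required for Authenticated and Encrypted")
    else:
        findings.append("Traps are sent unencrypted; prefer Authenticated and Encrypted")
    return findings
```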

Syslog

Syslog notification servers allow you to configure Syslog settings as a notification server to send notifications. When enabled, Syslog provides auditing through the use of the RFC 5424 Syslog protocol. Syslog has proven to be an effective format to consolidate logs, as there are many open source and proprietary tools for reporting and analysis.

You cannot disable notification servers associated with global audit logging configurations.

The following figure shows the Define Syslog Notification Server dialog.

[Figure: Define Syslog Notification Server dialog]

The following table lists the various parameters that you need to define for the Syslog notification servers.

Enable: Select to enable the notification server.
Name: A name to identify or label the notification server.
Description: A brief description of the notification server.
Server IP Or Hostname: The hostname of the host where the target Syslog process is running.
Server Port: The port number on which the target Syslog process is listening.
Protocol: The protocol used to send the Syslog messages.
Facility: The Syslog facility to use for all outgoing messages. The facility indicates what type of program is logging the message; some possible values are KERN, USER, MAIL, and DAEMON. It lets the receiving Syslog configuration handle messages from different facilities differently.
Max Alerts Per Minute: Maximum number of alerts per minute. This field is not used for Global Audit Logging.
Max Alert Wait Queue Size: Maximum number of alerts to be queued before they are dropped. This field is not used for Global Audit Logging.
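To see what the Facility setting and the RFC 5424 format mean on the wire, here is an added example (not NetWitness code) that builds a syslog line from a facility and severity and parses one back, so you can confirm on the receiving collector that messages from this server arrive with the expected facility. Facility and severity codes are the standard RFC 5424 values; the hostname, app name and message text are constructed samples.

```python
import re
from datetime import datetime, timezone

# RFC 5424 facility codes for values the Facility field can take (subset).
FACILITIES = {"KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
              "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
              "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23}
SEVERITIES = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "WARNING": 4,
              "NOTICE": 5, "INFO": 6, "DEBUG": 7}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\])(?: (.*))?$", re.S)


def build_message(facility, severity, hostname, app_name, msg, timestamp=None):
    """Format one RFC 5424 line as a notification server with the given
    Facility would emit it. PRI packs facility and severity into one number."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = timestamp or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return "<%d>1 %s %s %s - - - %s" % (pri, stamp, hostname, app_name, msg)


def parse_message(line):
    """Split an RFC 5424 line back into its fields (ValueError if malformed),
    recovering the facility and severity from PRI."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITY_NAMES.get(pri // 8, "FACILITY%d" % (pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group(2), "hostname": m.group(3), "app_name": m.group(4),
        "procid": m.group(5), "msgid": m.group(6), "structured_data": m.group(7),
        "msg": m.group(8) or "",
    }
```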

Script

Script notification servers enable you to configure a script as a notification server.

The following figure shows the Define Script Notification Server dialog.

[Figure: Define Script Notification Server dialog]

The following table lists the various parameters that you need to define for the Script notification servers.

Enable: Select to enable the notification server.
Name: A name to identify or label the notification server.
Description: A brief description of the notification server.
Run As User: Name of the user identity under which the script is executed. The default user identity is notification. For ESA, you cannot set this to anything else unless you have created the account on the Admin Server.
Max Runtime (Sec): The maximum time (in seconds) the script is allowed to run.