How Reporting Engine Works

NetWitness Reporting Engine is a service on the NetWitness Admin Server. It facilitates data extraction from different data sources to generate reports for compliance and analysis. Reporting Engine stores the definitions of the charts, rules, reports, and alerts that are used to generate reports, charts, and alerts.

Reporting Engine configuration includes configuring the data sources, the definitions of outputs or notifications, and the parameters that improve the performance of data extraction and of report, chart, and alert generation.

When you install NetWitness, Reporting Engine is automatically installed as a service. This enables Reports, Charts, and Alerts to be maintained in NetWitness and to be available to view, to download (reports in PDF or CSV format, charts as PDF), and to be added as dashlets.

For the Reporting Engine to run reports and alerts based on data drawn from a data source, you must associate one or more data sources with the Reporting Engine. There are three types of data sources:

  • NWDB - The NetWitness Database (NWDB) data sources are Decoders, Log Decoders, Brokers, Concentrators, Archiver, and Collection. For these data sources, Reporting Engine supports the generation of reports, alerts, and charts.
  • Warehouse - The Warehouse data sources are Hortonworks and MapR, which collect information from the Warehouse Connector and generate reports and alerts. This data source generates Reports only.
  • Respond - Respond is used to generate reports on alerts and incidents. This data source generates Reports only.


The following workflow shows an overview of the Reporting Engine configuration, which enables the user to generate Reports, Charts, and Alerts.