Reporting Engine Output Actions Tab

You can configure output actions for a Reporting Engine to determine the format in which the data is presented to you, based on your requirements. The service configuration parameters are available in the Output Actions tab of the Services Config view configured for a report or an alert execution. This tab consists of the following panels:

  • NetWitness Configuration
  • Simple Mail Transfer Protocol (SMTP)
  • Simple Network Management Protocol (SNMP)
  • Syslog
  • Simple File Transfer Protocol (SFTP)
  • Uniform Resource Locator (URL)
  • Network Share

For instance, the Syslog output action is used specifically for Reporting Engine Alerts, whereas the SFTP, URL, and Network Share output actions are used specifically for Reporting Engine Reports.

You can configure the required permission to access this view in Manage Services.

You must ensure that the Reporting Engine is up and running and that the data source from which you want to generate a report is configured in NetWitness.

Workflow

netwitness_repeng_gentab_wkflw.png

What do you want to do?

| Role | I want to... | Refer to... |
| --- | --- | --- |
| Administrator | Configure Data Source to Reporting Engine | Configure the Data Sources |
| Administrator | Configure Data Source Permissions for Reporting Engine | Configure Data Source Permissions |
| Administrator | Configure Data Privacy for Reporting Engine | Configure Data Privacy for the Reporting Engine |
| Administrator | Define Reports, Charts, and Alerts | Define Reports, Charts and Alerts |
| Administrator | Configure Reporting Engine Settings | Configure Reporting Engine Settings |
| Administrator | Configure NetWitness Configuration* | Configure Reporting Engine General Settings |
| Administrator | Configure SMTP Configuration* | Configure Reporting Engine General Settings |
| Administrator | Configure SNMP Configuration* | Configure Reporting Engine General Settings |
| Administrator | Configure Syslog Configuration* | Configure Reporting Engine General Settings |
| Administrator | Configure SFTP Configuration* | Configure Reporting Engine General Settings |
| Administrator | Configure URL Configuration* | Configure Reporting Engine General Settings |
| Administrator | Configure Network Share Configuration* | Configure Reporting Engine General Settings |

*You can complete these tasks here.

Quick Look

122_REConfViewOAtab_1122.png

1 Displays all the available configurable tabs.
2 Displays the NetWitness configuration host.
3 Displays all the types of output action that can be configured.

NetWitness Configuration

The following figure shows the NetWitness Configuration on the Output Actions Tab.

netwitness_saconfig.png

The following parameters identify the NetWitness host that is associated with the Reporting Engine.

| Name | Config Value |
| --- | --- |
| Host Name | IP address or hostname of the NetWitness server. You must specify this parameter for all kinds of deployments so that you can refer to this address to create investigation links to NetWitness from Reports, Alerts, and so on. NetWitness uses this parameter to correctly generate the SMTP, SNMP, Syslog, SFTP, URL, and Network Share Output Actions, and hyperlinks for meta values in Report PDFs. |
| Apply | Update the configuration. |

SMTP

After an execution is completed, an email notification is sent to the user based on the SMTP configuration.

The following figure shows the SMTP Configuration on the Output Actions Tab.

netwitness_smtpsettg.png

The following parameters manage SMTP (email) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.

| Name | Config Value |
| --- | --- |
| Enable | Check this box to enable SMTP as an output action for both alert and report from this Reporting Engine. By default, this value is enabled. |
| Server Name | Specify the hostname or IP Address of the server on which the target SMTP server runs. Default value is 0.0.0.0. |
| Server Port | Specify the SMTP server port number. Default value is 25. |
| Username | Specify the username of your SMTP account. Default value is blank. |
| Password | Specify the password of your SMTP account. |
| SSL | Check this box to use Secure Socket Layer (SSL) to communicate with the SMTP server. Default value is do not use SSL. |
| Enable Debug | Check this box to enable debugging. Default value is do not enable debug. |
| Enable Compression | Check this box to enable compression. Default value is enable compression. If this value is enabled, the output files will have .zip extension. |
| Max Size | Specify the maximum size of attachments that can be sent. Default value is 100. |
| From | Specify the email address from which Security Analytics sends all messages. Default value is do-not-reply@rsa.com. |
| Apply | Update the configuration. |

SNMP

After an execution is completed, a trap notification is sent to the user based on the SNMP configuration.

The following figure shows the SNMP Configuration on the Output Actions Tab.

netwitness_snmpsettg.png

The following parameters manage SNMP (messages to network-attached services) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.

| Name | Config Value |
| --- | --- |
| Enable | Check this box to enable SNMP output action as an output for alert messages from this Reporting Engine. Default value is Disable. |
| Server Name | Specify the hostname or IP Address of the server on which the target SNMP server runs. Default value is 0.0.0.0. |
| Server Port | Specify the port number of the server on which the target SNMP server listens for faults and exceptions. Default value is 1610. |
| SNMP Version | Specify the version number of the SNMP protocol NetWitness uses to send SNMP traps. |
| Trap OID | Specify the object identification number that identifies the type of trap to send. Default value is 0.0.0.0.0.1. |
| Community | Specify the SNMP group to which NetWitness belongs. The default value is public. |
| Number Of Retries | Specify the maximum number of times NetWitness tries to resend the alert message through SNMP. Default value is 2. |
| Timeout | Specify the number of seconds after which NetWitness times out (stops trying to send SNMP alerts). Default value is 1500. |
| Apply | Update the configuration. |

Syslog

After an execution is completed, all notifications are sent via Syslog messages to a particular host based on the Syslog configuration. Multiple Syslog servers can be configured on the Syslog Configuration panel.

The following figure displays the Syslog Configuration on the Output Actions Tab.

netwitness_sysconfig.png

The following parameters manage syslog output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

| Name | Config Value |
| --- | --- |
| Syslog Name | The name of the Syslog configuration. Note: You cannot create a Syslog configuration with a name that already exists in the Reporting Engine Syslog configuration list. |
| Encoding | Specify the internationalization encoding for Syslog messages. Default value is UTF8. |
| Server Name | Specify the hostname or IP Address of the server on which the target Syslog process runs. Default value is blank. |
| Server Port | Specify the port number of the server on which the target Syslog server listens for faults and exceptions. Default value is 514. |
| Max Length | Specify the maximum size (in bytes) of each Syslog alert message. Default value is 2048. If UDP is the transport type and the Syslog message size is greater than 1024 bytes, you must configure a Syslog server that supports message sizes greater than 1024 bytes. |
| Identity String | Specify the string NetWitness inserts as a prefix in all Syslog alert messages. Default value is blank. |
| Include Local Hostname | Check this box to include the local hostname in all Syslog alert messages. Default value is do not include local hostname. |
| Truncate Message | Check this box to truncate all Syslog alert messages. Default value is do not truncate Syslog messages. |
| Use Identity | Check this box to use the IDENT protocol. Default value is do not use this protocol. |
| Include Local Timestamp | Check this box to include the local timestamp in all Syslog alert messages. Default value is do not include local timestamp. |
| Transport Protocol | Specify the transport type for Syslog message delivery. There are three transport types: UDP, TCP, and SECURE_TCP. Default value is UDP. |
| Syslog Message Delimiter | Specify the delimiter for the Syslog message. There are three delimiters: CR, LF, and CRLF. Default value is CR. Note: This field populates when you select TCP or SECURE_TCP as the transport protocol. |
| Trust Store Password | Specify the password for the Trust store. Note: This field populates when you select SECURE_TCP as the transport protocol. |
| Key Store Password | Specify the password for the Key store. Note: This field populates when you select SECURE_TCP as the transport protocol. |
| Apply | Save the configuration. |
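
A collector that receives these alerts over TCP or SECURE_TCP has to split the stream on the same delimiter that is configured here and bound each message by Max Length. The following Python is an added example, not NetWitness code: the class and function names are hypothetical, the sample bytes are constructed, and it assumes the sender ends every message with the configured delimiter.

```python
# Delimiter names as offered by the Syslog Message Delimiter setting.
DELIMITERS = {"CR": b"\r", "LF": b"\n", "CRLF": b"\r\n"}


class SyslogStreamFramer:
    """Receiver-side framing of a TCP syslog stream (hypothetical helper)."""

    def __init__(self, delimiter="CR", max_length=2048):
        self.delim = DELIMITERS[delimiter]
        self.max_length = max_length  # bytes, matching the Max Length setting
        self.buffer = b""
        self.skipping = False  # inside a message already counted as oversized
        self.oversized = 0

    def feed(self, chunk):
        """Add received bytes and return the messages they complete."""
        self.buffer += chunk
        messages = []
        while (end := self.buffer.find(self.delim)) >= 0:
            message = self.buffer[:end]
            self.buffer = self.buffer[end + len(self.delim):]
            if self.skipping:
                self.skipping = False  # tail of an oversized message
            elif len(message) > self.max_length:
                self.oversized += 1
            elif message:
                messages.append(message.decode("utf-8", errors="replace"))
        # No delimiter is left in the buffer. If it already exceeds the limit,
        # drop it so a peer that never sends the delimiter cannot exhaust
        # memory; keep only bytes that could begin a split delimiter.
        keep = len(self.delim) - 1
        if len(self.buffer) > self.max_length + keep:
            if not self.skipping:
                self.oversized += 1
                self.skipping = True
            self.buffer = self.buffer[len(self.buffer) - keep:]
        return messages


def frame_all(chunks, delimiter, max_length=2048):
    """Run chunks through a new framer; return (messages, oversized count)."""
    framer = SyslogStreamFramer(delimiter, max_length)
    messages = [m for chunk in chunks for m in framer.feed(chunk)]
    return messages, framer.oversized


# Constructed sample: two CR-delimited alerts split across TCP segments.
SAMPLE_CHUNKS = [b"RE alert: rule A fi", b"red\rRE alert: rule B fired\r"]
```

A receiver framing on LF returns no messages for this CR-delimited sample, which is the symptom to look for when the delimiter on the two sides does not match.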

SFTP

After an execution is completed, you can send or transfer files to a remote location based on the SFTP configuration.

The following figure displays the SFTP Configuration on the Output Actions Tab.

netwitness_sftpconfig.png

The following parameters manage SFTP (file transfer to a local drive) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

| Name | Config Value |
| --- | --- |
| SFTP Name | The name of the SFTP configuration. Note: You cannot create an SFTP configuration with a name that already exists in the Reporting Engine SFTP configuration list. |
| Host | The IP Address or Hostname of the Reporting Engine server associated with the file transfer. |
| Port | If you want to use a different port than the default port, enter a port number. Default value is 22. |
| Username | Specify the username for the SFTP configuration. |
| Password | Specify the password for the SFTP configuration. |
| Custom Folder | Select an SFTP location where you want to transfer the file to. You can use the pre-defined Windows or Linux directory structure in the custom folder path. For example, /root/Downloaded_Files. Note: If the directory does not exist, RE will create the directory in the custom folder path and copy files to this directory. |
| Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |

URL

After an execution is completed, the output files are published to a URL based on the URL configuration.

The following figure shows the URL Configuration on the Output Actions Tab.

netwitness_urlsettg.png

The following parameters manage URL (file transfer to a URL) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

| Name | Config Value |
| --- | --- |
| URL Name | The name of the URL configuration. Note: You cannot create a URL configuration with a name that already exists in the Reporting Engine URL configuration list. |
| URL | The URL address associated with the file transfer. |
| Username | Specify the username for the URL configuration. |
| Password | Specify the password for the URL configuration. |
| Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |

After the URL is configured, the files will be copied under the "URL_OUTPUT_ACTION" directory and the following parameters are sent to the server along with the compressed file.

| Name | Config Value |
| --- | --- |
| filename | The name of the file. |
| filesize | The file size in bytes. |
| filetype | The file type associated with the file. |
| filechecksum | The number computed from a file that can be used to confirm that this is the one you expect and has been downloaded and stored properly. |
| hashingalgorithm | The hashing algorithm used to calculate the file checksum. |
| reportname | The name of the downloaded report. |
| executionid | The execution id associated with the report execution. |
| reportexecutionstarttime | The start time the report was executed. |
| status | The report creation status. |
| status description | The status description. |
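
On the receiving server, the filename, filesize, filechecksum and hashingalgorithm parameters allow an integrity check before a report is stored. The following Python is an added example, not NetWitness code: verify_upload and ALLOWED_ALGORITHMS are hypothetical names, the sample values are constructed, and it assumes the checksum is hex-encoded and that the parameters have already been parsed into a dictionary.

```python
import hashlib
import hmac
import os

# Assumption: the page does not list the values "hashingalgorithm" can take,
# so the receiver keeps its own allow-list of names it will accept.
ALLOWED_ALGORITHMS = {"sha-256": "sha256", "sha256": "sha256",
                      "sha-512": "sha512", "sha512": "sha512"}


def verify_upload(params, data):
    """Return (ok, reason) for one received file and its parameters."""
    # Refuse any path component so a sender-supplied name cannot leave the
    # directory the receiver stores reports in.
    name = params.get("filename", "")
    if (not name or "\\" in name or name != os.path.basename(name)
            or name in (".", "..")):
        return False, "unsafe filename"

    try:
        declared_size = int(params.get("filesize", ""))
    except ValueError:
        return False, "filesize is not an integer"
    if declared_size != len(data):
        return False, "size mismatch"

    algorithm = ALLOWED_ALGORITHMS.get(params.get("hashingalgorithm", "").lower())
    if algorithm is None:
        return False, "hash algorithm not allowed"

    # Assumption: filechecksum is a hex digest of the file as transferred.
    actual = hashlib.new(algorithm, data).hexdigest()
    declared = params.get("filechecksum", "").strip().lower()
    if not hmac.compare_digest(actual.encode(), declared.encode()):
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample input, not captured from a real Reporting Engine.
SAMPLE_DATA = b"PK\x03\x04 constructed report archive"
SAMPLE_PARAMS = {
    "filename": "daily_report.zip",
    "filesize": str(len(SAMPLE_DATA)),
    "filetype": "zip",
    "filechecksum": hashlib.sha256(SAMPLE_DATA).hexdigest(),
    "hashingalgorithm": "SHA-256",
}
```

The checksum travels with the file, so a match shows that the file was not corrupted in transfer; it does not authenticate the sender.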

Network Share

After an execution is completed, you can transfer the output files to a mounted path or shared location based on the Network Share configuration.

The following figure shows the Network Share Configuration on the Output Actions Tab.

netwitness_networksharesettg.png

The following parameters manage Network Share (file transfer to a shared location on the network) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

| Name | Config Value |
| --- | --- |
| Network Share Name | The name of the Network Share. Note: You cannot create a Network Share configuration with a name that already exists in the Reporting Engine Network Share configuration list. |
| Mounted Path | The path (location) associated with the file transfer. You can use the pre-defined Linux directory structure in the mounted path. For example, /mnt/win. Note: The 'rsasoc' user must have read-write access to the specified Network Share mounted path. Click the tool-tip icon (netwitness_tool-tip_icon.png) to view how the mounted path is created. This pop-up notifies you that you must manually create the mounted path. |
| Destination Directory | Name of the directory where the transferred file is stored in the shared location. |
| Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |

The following table lists the common operations you can perform in the Syslog, SFTP, URL and Network Share sections.

| Operation | Description |
| --- | --- |
| netwitness_add.png | Create a Syslog, SFTP, URL and Network Share configuration. |
| netwitness_delete.png | Delete a Syslog, SFTP, URL and Network Share configuration. |
| netwitness_edit_icon.png | Edit a Syslog, SFTP, URL and Network Share configuration. |