000032378 - Reporting Engine Output Actions - How to Configure Network Share in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 17, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032378
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition:
Platform: CentOS
O/S Version: 6
Product Name: SA-AIO-L
Product Description: Security Analytics All-in-One for Logs
IssueUnder Administration > Services > Reporting engine > Config > Output Actions > NetworkShare configuration, I've created the following entry: Network Share name: tmp Mounted Path: \\PE72B\tmp Also, I gave Everyone write permissions Is there something wrong?
Seeing error in /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log as below:
Copying file from /home/rsasoc/rsa/soc/reporting-engine/outputactions/nwshare/EXEC_RUNDEF_43_20160113212355/
RULE_1_20151120140159.csv to network share \\PE72B\tmp/20160113/DI - IPS critique/212355_222 failed.
ResolutionYou will need to create manually the mount point first:
1. make the necessary shared folder permissions on your network share, e.g., on your windows machine
2. note the username and account credentials needed to access the windows shared folder
3. ssh onto your SA server
4. mkdir -p /mnt/win
5. mount -t cifs -o username=<share user>,password=<share password>,dir_mode=0777,file_mode=0777 //WIN_PC_IP/<share name>  /<mntpoint>
-sample: mount -t cifs -o username=shareuser,password=Password01-,dir_mode=0777,file_mode=0777 // /mnt/win
6. df -h to confirm your mount point for the windows folder is mounted, on the example above, I used /mnt/win as my windows share mount point.
7. you may now configure the mount point on your Reporting Engine Output Actions Network Share.
8. to make the mount point persistent across reboots, you will need to add the below entry to your /etc/fstab:
Please make a backup of the /etc/fstab before making changes.
//WIN_PC_IP/<share name>   /<mntpoint>   cifs username=<share user>,password=<share password>,uid=rsasoc,gid=rsasoc 0 0
-sample: // /mnt/win cifs username=shareuser,password=Password01-,uid=rsasoc,gid=rsasoc 0 0
Note: We removed the 'dir_mode=0755,file_mode=0755' parameters and included instead 'uid=rsasoc,gid=rsasoc'. This will prevent others from writing to the mounted share, only root and Reporting Engine (rsasoc) will be able to write.