000032378 - Reporting Engine Output Actions in RSA NetWitness Logs and Network - How to Configure Network Share

Document created by RSA Customer Support Employee on Aug 17, 2016. Last modified by RSA Customer Support on Apr 15, 2019.
Version 3

Article Content

Article Number: 000032378
Applies To:
  RSA Product Set: NetWitness Logs and Network (Security Analytics)
  RSA Product/Service Type: RSA NetWitness Reporting Engine
  RSA Version/Condition: 10.6.x, 11.x
  Platform: CentOS
  O/S Version: 6, 7
 
Issue

Under Administration > Services > Reporting engine > Config > Output Actions > NetworkShare configuration, I've created the following entry: Network Share name: tmp, Mounted Path: \\PE72B\tmp. Also, I gave everyone writing permissions. Is there something wrong?

Seeing an error in /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log as below:
 

ERROR
Copying file from /home/rsasoc/rsa/soc/reporting-engine/outputactions/nwshare/EXEC_RUNDEF_43_20160113212355/
RULE_1_20151120140159.csv to network share \\PE72B\tmp/20160113/DI - IPS critique/212355_222 failed.
Resolution

You must first create the mount point manually:
  1. Set the necessary shared folder permissions on your network share, e.g., on your Windows machine.
  2. Note the username and account credentials needed to access the Windows shared folder.
  3. SSH to your SA server or NW Admin server where the Reporting Engine service runs.
  4. mkdir -p /mnt/win
  5. mount -t cifs -o username=<share user>,password=<share password>,dir_mode=0777,file_mode=0777 //WIN_PC_IP/<share name>  /<mntpoint>
    -sample: mount -t cifs -o username=shareuser,password=Password01-,dir_mode=0777,file_mode=0777 //192.168.2.2/Users/Administrator/Documents /mnt/win

  6. Run df -h to confirm that the Windows folder is mounted. In the example above, /mnt/win is the Windows share mount point.

  7. You may now configure the mount point in your Reporting Engine Output Actions Network Share.
  8. To make the mount point persistent across reboots, add the entry below to your /etc/fstab.
Make a backup of /etc/fstab before making changes.

//WIN_PC_IP/<share name>   /<mntpoint>   cifs username=<share user>,password=<share password>,uid=rsasoc,gid=rsasoc 0 0

-sample: //192.168.2.2/Users/Administrator/Documents /mnt/win cifs username=shareuser,password=Password01-,uid=rsasoc,gid=rsasoc 0 0

Note: We removed the 'dir_mode=0755,file_mode=0755' parameters and included 'uid=rsasoc,gid=rsasoc' instead. This prevents others from writing to the mounted share; only root and the Reporting Engine (rsasoc) will be able to write.
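
A check for two risks in the entries above, as an added example that is not part of the RSA article: /etc/fstab is normally world-readable, so an inline password= is visible to every local user, and dir_mode/file_mode=0777 lets any local account write to the share. mount.cifs accepts credentials=<file> pointing at a root-only file instead; the function names, the /mnt/win777 and /mnt/safe mount points and the credentials path /root/.re-share.cred are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not RSA code. Flags risky CIFS entries in an fstab-format file.

# audit_cifs_fstab [FILE|-]
# Prints "<mountpoint>: <finding>" per issue. Returns 1 if anything was flagged.
audit_cifs_fstab() {
    awk '
        BEGIN { bad = 0 }
        $1 ~ /^#/ || NF < 4 || $3 != "cifs" { next }   # only cifs entries
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                # /etc/fstab is normally mode 0644, so any local user can read this
                if (opt[i] ~ /^(password|pass)=/) {
                    print $2 ": inline password; use credentials=<root-only file>"
                    bad = 1
                }
                # last octal digit holds the "other" bits; 2, 3, 6, 7 include write
                if (opt[i] ~ /^(dir_mode|file_mode)=[0-7]*[2367]$/) {
                    print $2 ": " opt[i] " is world-writable"
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "${1:-/etc/fstab}"
}

# Constructed sample input: the article's fstab sample, a variant carrying the
# 0777 options from its mount command, and a hardened entry (hypothetical path).
sample_fstab() {
    cat <<'EOF'
# constructed sample, fstab format
//192.168.2.2/Users/Administrator/Documents /mnt/win cifs username=shareuser,password=Password01-,uid=rsasoc,gid=rsasoc 0 0
//192.168.2.2/Users/Administrator/Documents /mnt/win777 cifs username=shareuser,password=Password01-,dir_mode=0777,file_mode=0777 0 0
//192.168.2.2/Users/Administrator/Documents /mnt/safe cifs credentials=/root/.re-share.cred,uid=rsasoc,gid=rsasoc 0 0
EOF
}

sample_fstab | audit_cifs_fstab - || true
```

The credentials file holds one username=<share user> line and one password=<share password> line, and should be owned by root with mode 0600.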
 
