Reporting Engine: Output Actions

Document created by RSA Information Design and Development on Mar 22, 2017
Version 1

This topic introduces the service configuration parameters available in the Output Actions tab of the Services Config view for the Reporting Engine. An output action is the action configured for a report or an alert execution. This tab consists of the following panels:

  • SA Configuration
  • Simple Mail Transfer Protocol (SMTP)
  • Simple Network Management Protocol (SNMP)
  • Syslog
  • Simple File Transfer Protocol (SFTP)
  • Uniform Resource Locator (URL)
  • Network Share

Each of these output actions serves a specific purpose. For instance, the Syslog output action is used specifically for Reporting Engine Alerts, whereas the SFTP, URL, and Network Share output actions are used specifically for Reporting Engine Reports.

The required permission to access this view is Manage Services.

To access this view:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services Grid, select a Reporting Engine service.
  3. Click  > View > Config.
  4. Click the Output Actions tab.

    The Services Config View is displayed with the Reporting Engine Output Actions tab open.

SA Configuration

The following figure shows the SA Configuration on the Output Actions Tab.

The following parameters identify the Security Analytics host that is associated with the Reporting Engine.

                   
Name | Config Value
Host Name | IP address or hostname of the Security Analytics server. You must specify this parameter for all kinds of deployments so that you can refer to this address to create investigation links to Security Analytics from Reports, Alerts, and so on. Security Analytics uses this parameter to correctly generate:
  • SMTP Output Action
  • SNMP Output Action
  • Syslog Output Action
  • SFTP Output Action
  • URL Output Action
  • Network Share Output Action
  • Hyperlinks for meta values in Report PDFs
Update the configuration.

SMTP

Once an execution is completed, an email notification is sent to the user based on the SMTP configuration. 

The following figure shows the SMTP Configuration on the Output Actions Tab.

The following parameters manage SMTP (email) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                                       
Name | Config Value
Enable | Check this box to enable SMTP as an output action for both alerts and reports from this Reporting Engine. Default value is Enable.
Server Name | Specify the hostname or IP address of the server on which the target SMTP server runs. Default value is 0.0.0.0.
Server Port | Specify the SMTP server port number. Default value is 25.
Username | Specify the username of your SMTP account. Default value is blank.
Password | Specify the password of your SMTP account.
SSL | Check this box to use Secure Socket Layer (SSL) to communicate with the SMTP server. Default value is do not use SSL.
Enable Debug | Check this box to enable debugging. Default value is do not enable debug.
Enable Compression | Check this box to enable compression. Default value is enable compression. If this value is enabled, the output files will have the ".zip" extension.
Max Size | Specify the maximum size of attachments that can be sent. Default value is 100.
From | Specify the email address from which Security Analytics sends all messages. Default value is do-not-reply@rsa.com.
Update the configuration.

SNMP

Once an execution is completed, a trap notification is sent to the user based on the SNMP configuration.  

The following figure shows the SNMP Configuration on the Output Actions Tab.

The following parameters manage SNMP (messages to network-attached services) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                               
Name | Config Value
Enable | Check this box to enable SNMP as an output action for alert messages from this Reporting Engine. Default value is Disable.
Server Name | Specify the hostname or IP address of the server on which the target SNMP server runs. Default value is 0.0.0.0.
Server Port | Specify the port number of the server on which the target SNMP server listens for faults and exceptions. Default value is 1610.
SNMP Version | Specify the version number of the SNMP protocol Security Analytics uses to send SNMP traps.
Trap OID | Specify the object identification number that identifies the type of trap to send. Default value is 0.0.0.0.0.1.
Community | Specify the SNMP group to which Security Analytics belongs. The default value is public.
Number Of Retries | Specify the maximum number of times Security Analytics tries to resend the alert message through SNMP. Default value is 2.
Timeout | Specify the number of seconds after which Security Analytics times out (stops trying to send SNMP alerts). Default value is 1500.
Update the configuration.

Syslog

Once an execution is completed, all notifications are sent via Syslog messages to a particular host based on the Syslog configuration. Multiple Syslog servers can be configured on the Syslog Configuration panel.

Note: After upgrade to 10.4, the Syslog configuration available from previous versions would be migrated and saved as "DEFAULT_SYSLOG".

The following figure shows the Syslog Configuration on the Output Actions Tab.

The following table lists the operations in the Syslog Configuration section.

                       
Operation | Description
Create a Syslog configuration.
Delete a Syslog configuration.
Edit a Syslog configuration.

The following parameters manage syslog output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                                                     
Name | Config Value
Syslog Name | The name of the Syslog configuration.

Note: You cannot create a Syslog configuration with a name that already exists in the Reporting Engine Syslog configuration list.

Encoding | Specify the internationalization encoding for Syslog messages. Default value is UTF8.
Server Name | Specify the hostname or IP address of the server on which the target Syslog process runs. Default value is blank.
Server Port | Specify the port number of the server on which the target Syslog server listens for faults and exceptions. Default value is 514.
Max Length | Specify the maximum size (in bytes) of each Syslog alert message. Default value is 2048. If UDP is the transport type and the Syslog message size is greater than 1024 bytes, you must configure a Syslog server that supports message sizes greater than 1024 bytes.
Identity String | Specify the string Security Analytics inserts as a prefix in all Syslog alert messages. Default value is blank.
Include Local Hostname | Check this box to include the local hostname in all Syslog alert messages. Default value is do not include local hostname.
Truncate Message | Check this box to truncate all Syslog alert messages. Default value is do not truncate Syslog messages.
Use Identity | Check this box to use the IDENT protocol. Default value is do not use this protocol.
Include Local Timestamp | Check this box to include the local timestamp in all Syslog alert messages. Default value is do not include local timestamp.
Transport Protocol | Specify the transport type for Syslog message delivery. There are three Syslog transport types: UDP, TCP, and SECURE_TCP. Default value is UDP.
Syslog Message Delimiter | Specify the delimiter for the Syslog message. There are three delimiters: CR, LF, and CRLF. Default value is CR.

Note: This field populates when you select TCP or SECURE_TCP as the transport protocol.

Trust Store Password | Specify the password for the Trust store.

Note: This field populates when you select SECURE_TCP as the transport protocol.

Key Store Password | Specify the password for the Key store.

Note: This field populates when you select SECURE_TCP as the transport protocol.

Save the configuration.
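The Syslog Message Delimiter and Max Length settings above determine how the receiving side must frame a TCP or SECURE_TCP stream. The following is an added example, not RSA code, of a receiver-side splitter that honors the configured delimiter and flags messages that exceed Max Length; the class name, the `feed` interface, and the sample messages are assumptions made for illustration.

```python
# Delimiter names as listed in the Syslog Message Delimiter parameter.
DELIMITERS = {"CR": b"\r", "LF": b"\n", "CRLF": b"\r\n"}


class SyslogStreamSplitter:
    """Split a TCP byte stream into Syslog messages (hypothetical helper)."""

    def __init__(self, delimiter="CR", max_length=2048):
        self.delim = DELIMITERS[delimiter]   # must match the sender's setting
        self.max_length = max_length         # Max Length, in bytes
        self.buffer = b""

    def feed(self, chunk):
        """Add received bytes; return a list of (message, oversize) tuples."""
        self.buffer += chunk
        out = []
        while True:
            idx = self.buffer.find(self.delim)
            if idx < 0:
                break
            msg = self.buffer[:idx]
            self.buffer = self.buffer[idx + len(self.delim):]
            out.append((msg, len(msg) > self.max_length))
        # If the sender uses a different delimiter, no message ever ends.
        # Cap the buffer so a mismatch is reported instead of growing memory.
        if len(self.buffer) > self.max_length:
            out.append((self.buffer[:self.max_length], True))
            self.buffer = b""
        return out


if __name__ == "__main__":
    # Constructed sample stream: two alerts sent with the default CR delimiter,
    # arriving in two TCP segments that split the second message.
    rx = SyslogStreamSplitter("CR")
    print(rx.feed(b"<13>alert one\r<13>al"))
    print(rx.feed(b"ert two\r"))
```

A receiver configured for LF while the Reporting Engine sends the default CR never sees a message boundary, which shows up here as a single oversize entry.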

SFTP

Once an execution is completed, you can send or transfer files to a remote location based on the SFTP configuration. 

The following figure shows the SFTP Configuration on the Output Actions Tab.

The following table lists the operations in the SFTP Configuration section.

                       
Operation | Description
Create an SFTP configuration.
Delete an SFTP configuration.
Edit an SFTP configuration.

The following parameters manage SFTP (file transfer to a local drive) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                     
Name | Config Value
SFTP Name | The name of the SFTP configuration.

Note: You cannot create an SFTP configuration with a name that already exists in the Reporting Engine SFTP configuration list.

Host | The IP address or hostname of the Reporting Engine server associated with the file transfer.
Port | If you want to use a different port than the default port, enter a port number. Default value is 22.
Username | Specify the username for the SFTP configuration.
Password | Specify the password for the SFTP configuration.
Custom Folder | Select the SFTP location to which you want to transfer the file. You can use the pre-defined Windows or Linux directory structure in the custom folder path. For example, /root/Downloaded_Files

Note: If the directory does not exist, the Reporting Engine (RE) creates the directory in the custom folder path and copies files to this directory.

Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have the ".zip" extension.

URL

Once an execution is completed, the output files are published to a URL based on the URL configuration. 

The following figure shows the URL Configuration on the Output Actions Tab.

The following table lists the operations in the URL Configuration section.

                     
Operation | Description
Create a URL configuration.
Delete a URL configuration.
Edit a URL configuration.

The following parameters manage URL (file transfer to a URL) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                               
Name | Config Value
URL Name | The name of the URL configuration.

Note: You cannot create a URL configuration with a name that already exists in the Reporting Engine URL configuration list.

URL | The URL address associated with the file transfer.
Username | Specify the username for the URL configuration.
Password | Specify the password for the URL configuration.
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have the ".zip" extension.

After the URL is configured, the files will be copied under the "URL_OUTPUT_ACTION" directory and the following parameters are sent to the server along with the compressed file.

                                                   
Name | Config Value
filename | The name of the file.
filesize | The file size in bytes.
filetype | The file type associated with the file.
filechecksum | A value computed from the file that can be used to confirm that the file is the one you expect and that it has been downloaded and stored properly.
hashingalgorithm | The hashing algorithm used to calculate the file checksum.
reportname | The name of the downloaded report.
executionid | The execution id associated with the report execution.
reportexecutionstarttime | The start time the report was executed.
status | The report creation status.
status description | The status description.
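A server that receives these uploads can use filename, filesize, filechecksum, and hashingalgorithm to validate each file before storing it. The following is an added example, not RSA code, of such a receiver-side check. It assumes the parameters arrive as a dictionary of strings, that filechecksum is hex-encoded, and that hashingalgorithm uses names such as "SHA-256" (the page does not list the values sent); `verify_upload` and `max_bytes` are hypothetical names.

```python
import hashlib
import hmac
import os

# Assumed spellings of the "hashingalgorithm" value, mapped to hashlib names.
ALLOWED_ALGORITHMS = {"SHA-256": "sha256", "SHA256": "sha256",
                      "SHA-512": "sha512", "SHA512": "sha512"}


def verify_upload(params, body, max_bytes=100 * 1024 * 1024):
    """Return (ok, reason) for one file received from the URL output action."""
    name = params.get("filename", "")
    # Reject path components so the sender cannot choose where the file lands.
    if (not name or name != os.path.basename(name)
            or name in (".", "..") or "\\" in name):
        return False, "unsafe filename"
    try:
        declared = int(params.get("filesize", ""))
    except (TypeError, ValueError):
        return False, "filesize is not an integer"
    if declared != len(body) or declared > max_bytes:
        return False, "filesize mismatch or too large"
    algo = ALLOWED_ALGORITHMS.get(params.get("hashingalgorithm", "").upper())
    if algo is None:
        return False, "unsupported hashingalgorithm"
    actual = hashlib.new(algo, body).hexdigest()
    expected = params.get("filechecksum", "").strip().lower()
    # Constant-time comparison of the computed and declared digests.
    if not hmac.compare_digest(actual.encode(), expected.encode("utf-8")):
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample upload; the bytes stand in for a compressed report.
    body = b"constructed report archive bytes"
    params = {
        "filename": "report.zip",
        "filesize": str(len(body)),
        "filechecksum": hashlib.sha256(body).hexdigest(),
        "hashingalgorithm": "SHA-256",
    }
    print(verify_upload(params, body))
```

Because the checksum arrives in the same request as the file, it detects corruption in transit rather than a forged sender; authenticate the request separately, for example with the Username and Password configured above.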

Network Share

Once an execution is completed, you can transfer the output files to a mounted path or shared location based on the Network Share configuration. 

The following figure shows the Network Share Configuration on the Output Actions Tab.

The following table lists the operations in the Network Share Configuration section.

                       
Operation | Description
Create a Network Share configuration.
Delete a Network Share configuration.
Edit a Network Share configuration.

The following parameters manage Network Share (file transfer to a shared location on the network) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                           
Name | Config Value
Network Share Name | The name of the Network Share.

Note: You cannot create a Network Share configuration with a name that already exists in the Reporting Engine Network Share configuration list.

Mounted Path | The path (location) associated with the file transfer. You can use the pre-defined Linux directory structure in the mounted path. For example, /mnt/win

Note: The 'rsasoc' user must have read-write access to the specified Network Share mounted path.

Click to view how the mounted path is created. This pop-up notifies you that you must manually create the mounted path.
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have the ".zip" extension.