Reporting Engine: Step 4. Configure Output Actions

Document created by RSA Information Design and Development on Sep 15, 2017
Last modified by RSA Information Design and Development on Oct 4, 2017
Version 5

Output Actions Tab

You can configure output actions for a Reporting Engine to determine the format in which data is presented to you, based on your requirements. The service configuration parameters for a report or an alert execution are available in the Output Actions tab of the Services Config view. This tab consists of the following panels:

  • NetWitness Suite Configuration
  • Simple Mail Transfer Protocol (SMTP)
  • Simple Network Management Protocol (SNMP)
  • Syslog
  • Simple File Transfer Protocol (SFTP)
  • Uniform Resource Locator (URL)
  • Network Share

For instance, the Syslog output action is used specifically for Reporting Engine Alerts, whereas the SFTP, URL, and Network Share output actions are used specifically for Reporting Engine Reports.

You can configure the required permission to access this view in Manage Services. 

You must ensure that the Reporting Engine is up and running and the data source from which you want to generate a report is configured in the NetWitness Suite.

Workflow

Workflow to explain the additional Reporting Engine settings

What do you want to do?

                                                                         
Role | I want to... | Refer to...
Administrator | Configure Data Source to Reporting Engine | Configure the Data Sources
Administrator | Configure Data Source Permissions for Reporting Engine | Configure Data Source Permissions
Administrator | Configure Data Privacy for Reporting Engine | Configure Data Privacy for the Reporting Engine
Administrator | Define Reports, Charts, and Alerts | Define Reports, Charts, and Alerts
Administrator | Configure Reporting Engine Settings | Configure Reporting Engine Settings
Administrator | Configure NetWitness Suite Configuration* | Configure Reporting Engine General Settings
Administrator | Configure SMTP Configuration* | Configure Reporting Engine General Settings
Administrator | Configure SNMP Configuration* | Configure Reporting Engine General Settings
Administrator | Configure Syslog Configuration* | Configure Reporting Engine General Settings
Administrator | Configure SFTP Configuration* | Configure Reporting Engine General Settings
Administrator | Configure URL Configuration* | Configure Reporting Engine General Settings
Administrator | Configure Network Share Configuration* | Configure Reporting Engine General Settings

*You can complete these tasks here.


Quick Look

Quick look of the Output Actions tab

                 
1 | Displays all the available configurable tabs.
2 | Displays the NetWitness Suite configuration host.
3 | Displays all the types of output action that can be configured.

NetWitness Suite Configuration

The following figure shows the NetWitness Suite Configuration on the Output Actions Tab.

Configure NetWitness Suite settings

The following parameters identify the NetWitness Suite host that is associated with the Reporting Engine.

                   
Name | Config Value
Host Name | IP Address or Hostname of the NetWitness Suite server. You must specify this parameter for all kinds of deployments so that you can refer to this address to create investigation links to NetWitness Suite from Reports, Alerts, and so on. The NetWitness Suite uses this parameter to correctly generate:
  • SMTP Output Action
  • SNMP Output Action
  • Syslog Output Action
  • SFTP Output Action
  • URL Output Action
  • Network Share Output Action
  • Hyperlinks for meta values in Report PDFs
Apply | Update the configuration.

SMTP

After an execution is completed, an email notification is sent to the user based on the SMTP configuration. 

The following figure shows the SMTP Configuration on the Output Actions Tab.

Configure SMTP settings

The following parameters manage SMTP (email) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                                       
Name | Config Value
Enable | Check this box to enable SMTP as an output action for both alerts and reports from this Reporting Engine. By default, this value is enabled.
Server Name | Specify the hostname or IP Address of the server on which the target SMTP server runs. Default value is 0.0.0.0.
Server Port | Specify the SMTP server port number. Default value is 25.
Username | Specify the username of your SMTP account. Default value is blank.
Password | Specify the password of your SMTP account.
SSL | Check this box to use Secure Sockets Layer (SSL) to communicate with the SMTP server. Default value is do not use SSL.
Enable Debug | Check this box to enable debugging. Default value is do not enable debug.
Enable Compression | Check this box to enable compression. Default value is enable compression. If this value is enabled, the output files will have .zip extension.
Max Size | Specify the maximum size of attachments that can be sent. Default value is 100.
From | Specify the email address from which Security Analytics sends all messages. Default value is do-not-reply@rsa.com.
Apply | Update the configuration.

SNMP

After an execution is completed, a trap notification is sent to the user based on the SNMP configuration.  

The following figure shows the SNMP Configuration on the Output Actions Tab.

Configure SNMP settings

The following parameters manage SNMP (messages to network-attached services) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                               
Name | Config Value
Enable | Check this box to enable SNMP as an output action for alert messages from this Reporting Engine. Default value is disabled.
Server Name | Specify the hostname or IP Address of the server on which the target SNMP server runs. Default value is 0.0.0.0.
Server Port | Specify the port number of the server on which the target SNMP server listens for faults and exceptions. Default value is 1610.
SNMP Version | Specify the version number of the SNMP protocol NetWitness Suite uses to send SNMP traps.
Trap OID | Specify the object identification number that identifies the type of trap to send. Default value is 0.0.0.0.0.1.
Community | Specify the SNMP group to which NetWitness Suite belongs. The default value is public.
Number Of Retries | Specify the maximum number of times NetWitness Suite tries to resend the alert message through SNMP. Default value is 2.
Timeout | Specify the number of seconds after which NetWitness Suite times out (stops trying to send SNMP alerts). Default value is 1500.
Apply | Update the configuration.

Syslog

After an execution is completed, all notifications are sent via Syslog messages to a particular host based on the Syslog configuration. Multiple Syslog servers can be configured on the Syslog Configuration panel.

The following figure displays the Syslog Configuration on the Output Actions Tab.

Configure syslog settings

The following parameters manage syslog output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                                                     
Name | Config Value
Syslog Name | The name of the Syslog configuration.
Note: You cannot create a Syslog configuration with a name that already exists in the Reporting Engine Syslog configuration list.
Encoding | Specify the internationalization encoding for Syslog messages. Default value is UTF8.
Server Name | Specify the hostname or IP Address of the server on which the target Syslog process runs. Default value is blank.
Server Port | Specify the port number of the server on which the target Syslog server listens for faults and exceptions. Default value is 514.
Max Length | Specify the maximum size (in bytes) of each Syslog alert message. Default value is 2048. If UDP is the transport type and the Syslog message size is greater than 1024 bytes, you must configure a Syslog server that supports message sizes greater than 1024 bytes.
Identity String | Specify the string NetWitness Suite inserts as a prefix in all Syslog alert messages. Default value is blank.
Include Local Hostname | Check this box to include the local hostname in all Syslog alert messages. Default value is do not include local hostname.
Truncate Message | Check this box to truncate all Syslog alert messages. Default value is do not truncate Syslog messages.
Use Identity | Check this box to use the IDENT protocol. Default value is do not use this protocol.
Include Local Timestamp | Check this box to include the local timestamp in all Syslog alert messages. Default value is do not include local timestamp.
Transport Protocol | Specify the transport type for Syslog message delivery. Three transport types are available: UDP, TCP, and SECURE_TCP. Default value is UDP.
Syslog Message Delimiter | Specify the delimiter for the Syslog message. There are three delimiters: CR, LF, and CRLF. Default value is CR.
Note: This field populates when you select TCP or SECURE_TCP as the transport protocol.
Trust Store Password | Specify the password for the Trust store.
Note: This field populates when you select SECURE_TCP as the transport protocol.
Key Store Password | Specify the password for the Key store.
Note: This field populates when you select SECURE_TCP as the transport protocol.
Apply | Save the configuration.
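
The defaults listed in the SMTP, SNMP, and Syslog tables above can be reviewed with a short script. This is an added example, not RSA code: the setting names and default values come from the tables on this page, while the dictionary layout and the sample values are assumptions, since the product exposes these settings through its UI.

```python
# Added example. Setting names and defaults are taken from the tables on this
# page; the dict layout is an assumption (the product exposes them via the UI).

def audit_output_actions(cfg):
    """Return (panel, finding) tuples for default or cleartext settings."""
    findings = []

    smtp = cfg.get("SMTP", {})
    if smtp.get("Enable", True):                      # enabled by default
        if smtp.get("Server Name", "0.0.0.0") == "0.0.0.0":
            findings.append(("SMTP", "Server Name is still the default 0.0.0.0"))
        if smtp.get("Username") and not smtp.get("SSL", False):
            findings.append(("SMTP", "Username is set but SSL is unchecked"))

    snmp = cfg.get("SNMP", {})
    if snmp.get("Enable", False):                     # disabled by default
        if snmp.get("Community", "public") == "public":
            findings.append(("SNMP", "Community is still the default 'public'"))

    for entry in cfg.get("Syslog", []):               # several servers allowed
        panel = "Syslog/" + entry.get("Syslog Name", "unnamed")
        proto = entry.get("Transport Protocol", "UDP")
        if proto != "SECURE_TCP":
            findings.append((panel, proto + " sends alert text unencrypted"))
        if proto == "UDP" and entry.get("Max Length", 2048) > 1024:
            findings.append((panel, "UDP with Max Length > 1024: receiver "
                                    "must accept messages over 1024 bytes"))
    return findings


# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "SMTP": {"Enable": True, "Server Name": "mail.example.internal",
             "Server Port": 25, "Username": "re-alerts", "SSL": False},
    "SNMP": {"Enable": True, "Community": "public"},
    "Syslog": [
        {"Syslog Name": "siem-udp", "Transport Protocol": "UDP",
         "Max Length": 2048},
        {"Syslog Name": "siem-tls", "Transport Protocol": "SECURE_TCP",
         "Max Length": 2048},
    ],
}

if __name__ == "__main__":
    for panel, finding in audit_output_actions(SAMPLE):
        print(f"{panel}: {finding}")
```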

SFTP

After an execution is completed, you can send or transfer files to a remote location based on the SFTP configuration. 

The following figure displays the SFTP Configuration on the Output Actions Tab.

Configure SFTP settings

The following parameters manage SFTP (file transfer to a local drive) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                                     
Name | Config Value
SFTP Name | The name of the SFTP configuration.
Note: You cannot create an SFTP configuration with a name that already exists in the Reporting Engine SFTP configuration list.
Host | The IP Address or Hostname of the Reporting Engine server associated with the file transfer.
Port | If you want to use a different port than the default port, enter a port number. Default value is 22.
Username | Specify the username for the SFTP configuration.
Password | Specify the password for the SFTP configuration.
Custom Folder | Select the SFTP location to which you want to transfer the file. You can use the pre-defined Windows or Linux directory structure in the custom folder path. For example, /root/Downloaded_Files
Note: If the directory does not exist, RE will create the directory in the custom folder path and copy files to this directory.
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension.

URL

After an execution is completed, the output files are published to a URL based on the URL configuration. 

The following figure shows the URL Configuration on the Output Actions Tab.

Configure URL settings

The following parameters manage URL (file transfer to a URL) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                               
Name | Config Value
URL Name | The name of the URL configuration.
Note: You cannot create a URL configuration with a name that already exists in the Reporting Engine URL configuration list.
URL | The URL address associated with the file transfer.
Username | Specify the username for the URL configuration.
Password | Specify the password for the URL configuration.
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension.

After the URL is configured, the files will be copied under the "URL_OUTPUT_ACTION" directory and the following parameters are sent to the server along with the compressed file.

                                                   
Name | Config Value
filename | The name of the file.
filesize | The file size in bytes.
filetype | The file type associated with the file.
filechecksum | The number computed from a file that can be used to confirm that the file is the one you expect and that it has been downloaded and stored properly.
hashingalgorithm | The hashing algorithm used to calculate the file checksum.
reportname | The name of the downloaded report.
executionid | The execution id associated with the report execution.
reportexecutionstarttime | The start time the report was executed.
status | The report creation status.
status description | The status description.
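
On the receiving server, the filename, filesize, filechecksum, and hashingalgorithm parameters above can be checked against the uploaded bytes before the file is stored. This is an added example, not RSA code: the page does not specify the value formats, so it assumes hashingalgorithm carries a name such as "SHA-256" and filechecksum is a hexadecimal digest; the function names and sample data are hypothetical.

```python
import hashlib
import hmac

# Assumption: algorithm names look like "SHA-256" or "sha512". Extend this
# allow-list only with algorithms your deployment actually reports.
ALLOWED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def verify_upload(fields, data):
    """Check the form fields sent with the file against the received bytes.

    Returns (ok, reason)."""
    name = fields.get("filename", "")
    # Accept a bare file name only: no directories, no parent references.
    if not name or name in (".", "..") or "/" in name or "\\" in name:
        return False, "unsafe filename"
    try:
        declared = int(fields.get("filesize", ""))
    except (TypeError, ValueError):
        return False, "bad filesize"
    if declared != len(data):
        return False, "size mismatch"
    algo = str(fields.get("hashingalgorithm", "")).lower().replace("-", "")
    if algo not in ALLOWED:
        return False, "unsupported hashing algorithm"
    actual = ALLOWED[algo](data).hexdigest().encode()
    claimed = str(fields.get("filechecksum", "")).strip().lower().encode()
    if not hmac.compare_digest(actual, claimed):
        return False, "checksum mismatch"
    return True, "ok"


def constructed_fields(data, filename="report.zip"):
    """Build a constructed set of fields for the given bytes (sample input)."""
    return {"filename": filename, "filesize": str(len(data)),
            "hashingalgorithm": "SHA-256",
            "filechecksum": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    body = b"constructed report bytes"
    print(verify_upload(constructed_fields(body), body))
```

A checksum sent alongside the file detects corruption in transit or storage; it does not authenticate the sender, so the endpoint still needs the Username and Password check from the URL configuration.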

Network Share

After an execution is completed, you can transfer the output files to a mounted path or shared location based on the Network Share configuration. 

The following figure shows the Network Share Configuration on the Output Actions Tab.

Configure Network Share configurations

The following parameters manage Network Share (file transfer to a shared location on the network) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.

                           
Name | Config Value
Network Share Name | The name of the Network Share.
Note: You cannot create a Network Share configuration with a name that already exists in the Reporting Engine Network Share configuration list.
Mounted Path | The path (location) associated with the file transfer. You can use the pre-defined Linux directory structure in the mounted path. For example, /mnt/win
Note: The 'rsasoc' user must have read-write access to the specified Network Share mounted path.
Click to view how the mounted path is created. This pop-up notifies you that you must manually create the mounted path.
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension.

The following table lists the common operations you can perform in the Syslog, SFTP, URL and Network Share sections.

                       
Operation | Description
[icon] | Create a Syslog, SFTP, URL and Network Share configuration.
[icon] | Delete a Syslog, SFTP, URL and Network Share configuration.
[icon] | Edit a Syslog, SFTP, URL and Network Share configuration.