This topic introduces the service configuration parameters available in the Output Actions tab of the Services Config view for the Reporting Engine. An output action is the action configured for a report or an alert execution. This tab consists of the following panels:
- SA Configuration
- Simple Mail Transfer Protocol (SMTP)
- Simple Network Management Protocol (SNMP)
- Syslog
- Simple File Transfer Protocol (SFTP)
- Uniform Resource Locator (URL)
- Network Share
Each of these output actions serves a specific purpose. For instance, the Syslog output action is used specifically for Reporting Engine Alerts, whereas the SFTP, URL, and Network Share output actions are used specifically for Reporting Engine Reports.
The required permission to access this view is Manage Services.
To access this view:
- In the Security Analytics menu, select Administration > Services.
- In the Services Grid, select a Reporting Engine service.
- Click > View > Config.
- Click the Output Actions tab.
The Services Config View is displayed with the Reporting Engine Output Actions tab open.
SA Configuration
The following figure shows the SA Configuration on the Output Actions Tab.
The following parameters identify the Security Analytics host that is associated with the Reporting Engine.
Host Name | IP Address or Hostname of the Security Analytics server. You must specify this parameter for all kinds of deployments so that you can refer to this address to create investigation links to Security Analytics from Reports, Alerts, and so on. Security Analytics uses this parameter to correctly generate:
- SMTP Output Action
- SNMP Output Action
- Syslog Output Action
- SFTP Output Action
- URL Output Action
- Network Share Output Action
- Hyperlinks for meta values in Report PDFs |
| Update the configuration. |
SMTP
Once an execution is completed, an email notification is sent to the user based on the SMTP configuration.
The following figure shows the SMTP Configuration on the Output Actions Tab.
The following parameters manage SMTP (email) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.
Enable | Check this box to enable SMTP as an output action for both alert and report from this Reporting Engine. Default value is Enable. |
Server Name | Specify the hostname or IP Address of the server on which the target SMTP server runs. Default value is 0.0.0.0. |
Server Port | Specify the SMTP server port number. Default value is 25. |
Username | Specify the username of your SMTP account. Default value is blank. |
Password | Specify the password of your SMTP account. |
SSL | Check this box to use Secure Socket Layer (SSL) to communicate with the SMTP server. Default value is do not use SSL. |
Enable Debug | Check this box to enable debugging. Default value is do not enable debug. |
Enable Compression | Check this box to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |
Max Size | Specify the maximum size of attachments that can be sent. Default value is 100. |
From | Specify the email address from which Security Analytics sends all messages. Default value is do-not-reply@rsa.com. |
| Update the configuration. |
SNMP
Once an execution is completed, a trap notification is sent to the user based on the SNMP configuration.
The following figure shows the SNMP Configuration on the Output Actions Tab.
The following parameters manage SNMP (messages to network-attached services) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, default values are in effect. You must modify the Config Values of these parameters according to the requirements of your enterprise.
Enable | Check this box to enable SNMP output action as an output for alert messages from this Reporting Engine. Default value is Disable. |
Server Name | Specify the hostname or IP Address of the server on which the target SNMP server runs. Default value is 0.0.0.0. |
Server Port | Specify the port number of the server on which the target SNMP server listens for faults and exceptions. Default value is 1610. |
SNMP Version | Specify the version number of the SNMP protocol Security Analytics uses to send SNMP traps. |
Trap OID | Specify the object identification number that identifies the type of trap to send. Default value is 0.0.0.0.0.1. |
Community | Specify the SNMP group to which Security Analytics belongs. The default value is public. |
Number Of Retries | Specify the maximum number of times Security Analytics tries to resend the alert message through SNMP. Default value is 2. |
Timeout | Specify the number of seconds after which Security Analytics times out (stops trying to send SNMP alerts). Default value is 1500. |
| Update the configuration. |
Syslog
Once an execution is completed, all notifications are sent via Syslog messages to a particular host based on the Syslog configuration. Multiple Syslog servers can be configured on the Syslog Configuration panel.
Note: After an upgrade to 10.4, the Syslog configuration available from previous versions is migrated and saved as "DEFAULT_SYSLOG".
The following figure shows the Syslog Configuration on the Output Actions Tab.
The following table lists the operations in the Syslog Configuration section.
| Create a Syslog configuration. |
| Delete a Syslog configuration. |
| Edit a Syslog configuration. |
The following parameters manage syslog output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.
Syslog Name | The name of the Syslog configuration. Note: You cannot create a Syslog configuration with a name that already exists in the Reporting Engine Syslog configuration list. |
Encoding | Specify the internationalization encoding for Syslog messages. Default value is UTF8. |
Server Name | Specify the hostname or IP Address of the server on which the target Syslog process runs. Default value is blank. |
Server Port | Specify the port number of the server on which the target Syslog server listens for faults and exceptions. Default value is 514. |
Max Length | Specify the maximum size (in bytes) of each Syslog alert message. Default value is 2048. If UDP is the transport type and the Syslog message size is greater than 1024 bytes, you must configure a Syslog server that supports message sizes greater than 1024 bytes. |
Identity String | Specify the string Security Analytics inserts as a prefix in all Syslog alert messages. Default value is blank. |
Include Local Hostname | Check this box to include the local hostname in all Syslog alert messages. Default value is do not include local hostname. |
Truncate Message | Check this box to truncate all Syslog alert messages. Default value is do not truncate Syslog messages. |
Use Identity | Check this box to use the IDENT protocol. Default value is do not use this protocol. |
Include Local Timestamp | Check this box to include the local timestamp in all Syslog alert messages. Default value is do not include local timestamp. |
Transport Protocol | Specify the transport type for Syslog message delivery. There are three Syslog transport types: UDP, TCP, and SECURE_TCP. Default value is UDP. |
Syslog Message Delimiter | Specify the delimiter for the Syslog message. There are three delimiters: CR, LF, CRLF. Default value is CR. Note: This field populates when you select TCP or SECURE_TCP as the transport protocol. |
Trust Store Password | Specify the password for the Trust store. Note: This field populates when you select SECURE_TCP as the transport protocol. |
Key Store Password | Specify the password for the Key store. Note: This field populates when you select SECURE_TCP as the transport protocol. |
| Save the configuration. |
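The Max Length, Encoding, Truncate Message and Transport Protocol settings interact, so it helps to size sample alerts before choosing a receiver. The following is an added example, not Security Analytics code: the `CFG` layout, the sample identity string, joining the prefix with a space, and truncation cutting at Max Length are assumptions.

```python
# Values mirror the parameter table above; the dict layout itself is hypothetical.
CFG = {"encoding": "utf-8", "max_length": 2048, "transport": "UDP",
       "identity": "SA-RE", "truncate": True}  # "SA-RE" is a constructed sample

UDP_NOTE_BYTES = 1024  # size named in the Max Length description for UDP


def truncate_bytes(text, limit, encoding="utf-8"):
    """Cut to at most `limit` encoded bytes without splitting a multi-byte character."""
    raw = text.encode(encoding)
    if len(raw) <= limit:
        return raw
    # A cut can land inside a character; drop the incomplete tail, then re-encode.
    return raw[:limit].decode(encoding, errors="ignore").encode(encoding)


def plan_message(alert_text, cfg):
    """Report the encoded size of one alert and what the receiver must support."""
    # Assumption: the identity string is prepended, separated by one space.
    line = f"{cfg['identity']} {alert_text}" if cfg["identity"] else alert_text
    raw = line.encode(cfg["encoding"])
    if cfg["truncate"]:
        sent = truncate_bytes(line, cfg["max_length"], cfg["encoding"])
    else:
        sent = raw
    return {
        "bytes": len(raw),
        "sent_bytes": len(sent),
        "truncated": len(sent) < len(raw),
        "needs_large_udp_receiver":
            cfg["transport"] == "UDP" and len(sent) > UDP_NOTE_BYTES,
    }


if __name__ == "__main__":
    # Constructed alert text: 600 two-byte characters (1200 bytes in UTF-8).
    print(plan_message("é" * 600, CFG))
    print(plan_message("é" * 600, dict(CFG, max_length=1024)))
```

Counting encoded bytes rather than characters matters here because Max Length is specified in bytes.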
SFTP
Once an execution is completed, you can send or transfer files to a remote location based on the SFTP configuration.
The following figure shows the SFTP Configuration on the Output Actions Tab.
The following table lists the operations in the SFTP Configuration section.
| Create an SFTP configuration. |
| Delete an SFTP configuration. |
| Edit an SFTP configuration. |
The following parameters manage SFTP (file transfer to a local drive) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.
SFTP Name | The name of the SFTP configuration. Note: You cannot create an SFTP configuration with a name that already exists in the Reporting Engine SFTP configuration list. |
Host | The IP Address or Hostname of the Reporting Engine server associated with the file transfer. |
Port | If you want to use a different port than the default port, enter a port number. Default value is 22. |
Username | Specify the username for the SFTP configuration. |
Password | Specify the password for the SFTP configuration. |
Custom Folder | Select an SFTP location where you want to transfer the file to. You can use the pre-defined Windows or Linux directory structure in the custom folder path. For example, /root/Downloaded_Files. Note: If the directory does not exist, RE will create the directory in the custom folder path and copy files to this directory. |
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |
URL
Once an execution is completed, the output files are published to a URL based on the URL configuration.
The following figure shows the URL Configuration on the Output Actions Tab.
The following table lists the operations in the URL Configuration section.
| Create a URL configuration. |
| Delete a URL configuration. |
| Edit a URL configuration. |
The following parameters manage URL (file transfer to a URL) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.
URL Name | The name of the URL configuration. Note: You cannot create a URL configuration with a name that already exists in the Reporting Engine URL configuration list. |
URL | The URL address associated with the file transfer. |
Username | Specify the username for the URL configuration. |
Password | Specify the password for the URL configuration. |
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |
After the URL is configured, the files will be copied under the "URL_OUTPUT_ACTION" directory and the following parameters are sent to the server along with the compressed file.
filename | The name of the file. |
filesize | The file size in bytes. |
filetype | The file type associated with the file. |
filechecksum | The number computed from a file that can be used to confirm that this is the one you expect and has been downloaded and stored properly. |
hashingalgorithm | The hashing algorithm used to calculate the file checksum. |
reportname | The name of the downloaded report. |
executionid | The execution id associated with the report execution. |
reportexecutionstarttime | The time at which the report execution started. |
status | The report creation status. |
status description | The status description. |
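On the receiving server, the filesize, filechecksum, hashingalgorithm and filename parameters can be checked before the file is stored. The following is an added example, not Security Analytics code: the function name, the `ALLOWED` set, the hex encoding of the checksum and the algorithm naming are assumptions, and the sample values are constructed.

```python
import hashlib
import os

# Assumption: "hashingalgorithm" names a digest hashlib recognises once lower-cased
# and stripped of "-" (e.g. "SHA-256" -> "sha256"). Set ALLOWED to what your
# Reporting Engine actually sends.
ALLOWED = {"sha256", "sha384", "sha512"}


def verify_upload(params, body, dest_dir):
    """Return a safe destination path, or raise ValueError naming the mismatch."""
    algo = params["hashingalgorithm"].lower().replace("-", "")
    if algo not in ALLOWED:
        raise ValueError("unexpected hashing algorithm: " + params["hashingalgorithm"])
    if int(params["filesize"]) != len(body):
        raise ValueError("filesize does not match the bytes received")
    # Assumption: filechecksum is the hex encoding of the digest.
    if hashlib.new(algo, body).hexdigest() != params["filechecksum"].lower():
        raise ValueError("filechecksum does not match the bytes received")
    # Treat filename as untrusted input: keep only its final path component.
    name = os.path.basename(params["filename"].replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("unusable filename")
    return os.path.join(dest_dir, name)


# Constructed sample: bytes standing in for a compressed report and its parameters.
SAMPLE_BODY = b"PK\x03\x04 constructed report archive"
SAMPLE_PARAMS = {
    "filename": "../../tmp/daily_summary.zip",  # deliberately hostile name
    "filesize": str(len(SAMPLE_BODY)),
    "filechecksum": hashlib.sha256(SAMPLE_BODY).hexdigest(),
    "hashingalgorithm": "SHA-256",
}

if __name__ == "__main__":
    print(verify_upload(SAMPLE_PARAMS, SAMPLE_BODY, "/srv/reports"))
```

Because the checksum arrives in the same request as the file, it confirms the file was transferred intact but does not identify the sender; that still depends on the Username and Password of the URL configuration and on the transport used.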
Network Share
Once an execution is completed, you can transfer the output files to a mounted path or shared location based on the Network Share configuration.
The following figure shows the Network Share Configuration on the Output Actions Tab.
The following table lists the operations in the Network Share Configuration section.
| Create a Network Share configuration. |
| Delete a Network Share configuration. |
| Edit a Network Share configuration. |
The following parameters manage Network Share (file transfer to a shared location on the network) output action configuration for a Reporting Engine service. When you add a Reporting Engine service, you can define values for this output configuration, as no default values are available for this configuration. You must modify the Config Values of these parameters according to the requirements of your enterprise.
Network Share Name | The name of the Network Share. Note: You cannot create a Network Share configuration with a name that already exists in the Reporting Engine Network Share configuration list. |
Mounted Path | The path (location) associated with the file transfer. You can use the pre-defined Linux directory structure in the mounted path. For example, /mnt/win. Note: The ‘rsasoc’ user must have read-write access to the specified Network Share mounted path. |
| Click to view how the mounted path is created. This pop-up notifies that you must manually create the mounted path. |
Enable Compression | Select this checkbox to enable compression. Default value is enable compression. If this value is enabled, the output files will have ".zip" extension. |