Skip to content
  • There are no suggestions because the search field is empty.

Reporting Engine Output Actions in RSA NetWitness Logs and Network - How to Configure Network Share

Issue

Under Administration > Services > Reporting engine > Config > Output Actions > NetworkShare configuration, I've created the following entry: Network Share name: tmp Mounted Path: \\PE72B\tmp . Also, I gave everyone writing permissions, is there something wrong?

Seeing an error in /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log as below:
 
ERROR
Copying file from /home/rsasoc/rsa/soc/reporting-engine/outputactions/nwshare/EXEC_RUNDEF_43_20160113212355/
RULE_1_20151120140159.csv to network share \\PE72B\tmp/20160113/DI - IPS critique/212355_222 failed.

Resolution

You will need to create manually the mount point first:
  1. Make the necessary shared folder permissions on your network share, e.g., on your windows machine
  2. Note the username and account credentials needed to access the windows shared folder
  3. ssh onto your SA server or Nw Admin server where the Reporting Engine service runs
  4. mkdir -p /mnt/win
  5. mount -t cifs -o username= ,password= ,dir_mode=0777,file_mode=0777 //WIN_PC_IP/   /
    -sample: mount -t cifs -o username=shareuser,password=Password01-,dir_mode=0777,file_mode=0777 //192.168.2.2/Users/Administrator/Documents /mnt/win
     
  6. df -h to confirm your mount point for the windows folder is mounted, on the example above, I used /mnt/win as my windows share mount point.
     
  7. You may now configure the mount point on your Reporting Engine Output Actions Network Share.
  8. To make the mount point persistent across reboots, you will need to add the below entry to your /etc/fstab:
Please make a backup of the /etc/fstab before making changes.

//WIN_PC_IP/   /   cifs username= ,password= ,uid=rsasoc,gid=rsasoc 0 0

-sample: //192.168.2.2/Users/Administrator/Documents /mnt/win cifs username=shareuser,password=Password01-,uid=rsasoc,gid=rsasoc 0 0

Note: We removed the 'dir_mode=0755,file_mode=0755' parameters and included instead 'uid=rsasoc,gid=rsasoc'. This will prevent others from writing to the mounted share, only root and Reporting Engine (rsasoc) will be able to write.

Product Details

RSA Product Set: NetWitness Logs and Network (Security Analytics)
RSA Product/Service Type: RSA NetWitness Reporting Engine
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue