Splunk Search

Non-admin user with list_settings capability failed to send alert email when mail server uses SMTP auth.

daniel_splunk
Splunk Employee

I have defined a new non-admin user and already added the list_settings capability as instructed by the Splunk documentation here.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/Emailnotification

But it still failed to send the alert when the mail server is using SMTP auth.

Here is the python.log

2018-09-17 15:21:51,268 +0800 DEBUG ssl_context:444 - createSSLContext sslVersions [16] commonNameList [None] altNameList [None] validatePeerCert [0] rootCAPath [None] isClientContext [True] cipherSuite [ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256]
2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. subject="Splunk testing", results_link="None", recipients="[u'user1@abc.com.hk']", server="172.21.184.4"

2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - {u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} while sending mail to: user1@abc.com.hk
0 Karma

leeraym
Path Finder

@daniel_splunk  Is there no other way to allow non-admin users to send alert emails when SMTP authentication is required?  Are there any other capabilities from the "admin" role that I can assign to the "user" role in order to allow regular users to send email?

I just upgraded from Splunk Enterprise 7.3.3 to 8.05, and one of my non-admin users said that his saved alerts used to be able to send him emails when we were on 7.3.3.  Nothing has changed with his Splunk role or the SMTP authentication requirement between our pre- and post-Splunk upgrade.

0 Karma

daniel_splunk
Splunk Employee

If your email account is SMTP auth enabled, you need to have admin role in order to read the email auth details such as password.

0 Karma

kscher
Path Finder

So, if I understand how sendemail works when SMTP auth is required, a user needs the "admin_all_objects" capability in order to read auth_username and auth_password from alert_actions.

This means regular users can't send email, as the credentials get passed to SMTP server with null values. These users generally see something like this:

command="sendemail", Connection unexpectedly closed while sending mail to: somebody@something.com.

Is this a feature or a bug? 

 

0 Karma

scorrie_splunk
Splunk Employee

In my testing, you only needed to have the "list_settings" capability with a "user" role in order for this to work. (Using Splunk Cloud 7.2.9).

See this link: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/Emailnotification

This section: "Define an email notification for an alert or scheduled report"

0 Karma

daniel_splunk
Splunk Employee

You need to have admin role together with list_settings capability in order to send alert email when SMTP auth is used.
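
A triage sketch for the python.log entries quoted in this thread, added here as an example and not posted by any participant or taken from Splunk's code: it parses sendemail ERROR lines and separates a 530 "authentication required" refusal from a dropped connection. The third sample line, the function name and the cause labels are constructed for this example.

```python
import ast
import re

# Layout of the python.log lines quoted in the thread:
# "<date> <time>,<ms> <tz> <LEVEL> <module>:<lineno> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<module>\w+):\d+ - (?P<msg>.*)$"
)
# Per-recipient refusal dict, {address: (smtp_code, text)}, as logged above.
REFUSED_RE = re.compile(r"^(?P<refused>\{.*\}) while sending mail to: ")

# First two lines are from the thread; the third is constructed for this
# example from the "Connection unexpectedly closed" message quoted in a reply.
SAMPLE_LOG = [
    '2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. '
    'subject="Splunk testing", results_link="None", '
    'recipients="[u\'user1@abc.com.hk\']", server="172.21.184.4"',
    "2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - "
    "{u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} "
    "while sending mail to: user1@abc.com.hk",
    "2018-09-17 15:22:10,101 +0800 ERROR sendemail:452 - Connection "
    "unexpectedly closed while sending mail to: somebody@something.com",
]

def triage(lines):
    """Return one finding per sendemail delivery failure in python.log lines."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["module"] != "sendemail" or m["level"] != "ERROR":
            continue
        refused = REFUSED_RE.match(m["msg"])
        if refused:
            try:  # the dict is a Python literal, so parse it without eval()
                per_rcpt = ast.literal_eval(refused["refused"])
            except (ValueError, SyntaxError):
                continue
            for rcpt, (code, _text) in per_rcpt.items():
                # 530 is the SMTP reply for "authentication required"
                cause = "smtp_auth_required" if code == 530 else "recipient_refused"
                findings.append({"ts": m["ts"], "recipient": rcpt,
                                 "code": code, "cause": cause})
        elif "Connection unexpectedly closed" in m["msg"]:
            rcpt = m["msg"].rsplit(": ", 1)[-1]
            findings.append({"ts": m["ts"], "recipient": rcpt,
                             "code": None, "cause": "connection_closed"})
    return findings
```

The "Sending email." line is also logged at ERROR level, so the sketch keys on the message shape rather than the level alone.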
