Reporting

Splunk sendemail works but alerting doesn't with similar config

lglopes
Explorer

Hi everyone,

We are trying to configure emails sending from Splunk through our SMTP server.

When I run

index=test sourcetype="_json" ERROR "message": "ORA*" | sendemail to="xx@xx.com" subject="Testing Email from Splunk" use_ssl=false use_tls=true server=xxx.mail.xxx:25

This works as expected and email is sent.

I then checked my email settings under Settings -> Server Settings -> Email Settings, and I had:

mailserver: xxx.mail.xxx
TLS Enabled
Username and password filled

Leaving the settings like this will cause the error message:

ERROR   sendemail:470 - SMTP AUTH extension not supported by server. while sending mail to:xxx@xxx.com

If I change the mail server to include port :25 I still get the same error

ERROR   sendemail:470 - SMTP AUTH extension not supported by server. while sending mail to:xxx@xxx.com

Nevertheless, the sendemail directly from the search app will stop working with the settings including the port :25, i.e., now the same command we ran in the beginning fails and produces the same error message:

    ERROR   sendemail:470 - SMTP AUTH extension not supported by server. while sending mail to:xxx@xxx.com

I am just trying to understand how can I test with sendemail command in splunk search and then mirror the correct settings to the Settings so that email triggers work. I am confused with how Settings configurations change the behaviour of sendemail command.

Could someone please help?

1 Solution

codebuilder
SplunkTrust

From your mail settings, remove the username and password, leave everything else.
With the settings you have in place, Splunk is trying to log in to your mail server, causing the "auth failure".

Try removing those and re-test.

----
An upvote would be appreciated and Accept Solution if it helps!


0 Karma
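As an added diagnostic (not Splunk's or either poster's code), the check below reproduces the decision behind the error in the question: Splunk's sendemail is built on Python's smtplib, which only issues AUTH when the server's EHLO reply (the one after STARTTLS, if TLS is enabled) advertises it, and otherwise fails with "SMTP AUTH extension not supported by server" as soon as a username/password is configured. The host names and EHLO replies are constructed; `probe()` is the live version for a real server.

```python
# Added diagnostic, not Splunk's own code. Splunk's sendemail uses Python's smtplib,
# which raises "SMTP AUTH extension not supported by server" when credentials are set
# but the server's EHLO reply (after STARTTLS, if TLS is on) does not advertise AUTH.
import re
import smtplib

EHLO_LINE = re.compile(r"^250[ -](?P<kw>[A-Za-z0-9][A-Za-z0-9\-]*)=? ?(?P<params>.*)$")

def parse_ehlo(reply: str) -> dict[str, str]:
    """Raw EHLO reply (as seen in telnet/openssl s_client) -> {extension: params}.
    First line is the greeting; 'AUTH PLAIN LOGIN' and legacy 'AUTH=PLAIN LOGIN' both work."""
    feats = {}
    lines = [ln for ln in reply.strip().splitlines() if ln.strip()]
    for line in lines[1:]:
        m = EHLO_LINE.match(line.strip())
        if m:
            feats[m.group("kw").lower()] = m.group("params").strip()
    return feats

def auth_mechanisms(feats: dict[str, str]) -> list[str]:
    """Mechanisms offered, e.g. ['PLAIN', 'LOGIN']; empty when AUTH is absent."""
    return feats["auth"].upper().split() if "auth" in feats else []

def diagnose(ehlo_reply: str, credentials_set: bool = True) -> str:
    """What smtplib.login() does with the EHLO reply Splunk sees after STARTTLS."""
    mechs = auth_mechanisms(parse_ehlo(ehlo_reply))
    if not credentials_set:
        return "no AUTH attempted (no username/password configured)"
    if not mechs:
        return ("login would fail: server does not advertise AUTH; clear the username/"
                "password in Email Settings or use a port on which AUTH is offered")
    return "login possible via " + ", ".join(mechs)

def probe(host: str, port: int = 25, use_tls: bool = True) -> tuple[bool, list[str]]:
    """Live check (needs network): EHLO, STARTTLS if offered, EHLO again, read AUTH."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        if use_tls and s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
        return s.has_extn("auth"), s.esmtp_features.get("auth", "").upper().split()

# Constructed replies: a port-25 relay that never offers AUTH (the poster's case)
# and a submission service that offers it after STARTTLS. Host names are placeholders.
RELAY_25_AFTER_TLS = """250-relay.example.invalid Hello splunk-search-head
250-SIZE 52428800
250 HELP"""
SUBMISSION_AFTER_TLS = """250-relay.example.invalid Hello splunk-search-head
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 HELP"""
```

Running `probe("xxx.mail.xxx", 25)` against the real relay shows directly whether AUTH is offered after STARTTLS, which is what decides whether the configured username/password can work at all.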

lglopes
Explorer

Dear codebuilder, very much appreciate your answer!!! I almost lost hope to get a reply on this.

So, I did remove the username and password and this seemed to have worked for most of our emails and distribution lists. For a couple of them that still didn't work, it was just because sender authentication and other settings were misconfigured.

I tried port 465 or 587 but it seemed that this didn't work for me as it timed out. Port 25 still seemed to work and this is the port used by our mail server.

So, to summarize what has worked for me:
Removed username and password from mail settings. Left mailserver:25 in the host with TLS enabled.

Many thanks!

0 Karma

codebuilder
SplunkTrust

Glad to help!

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma


codebuilder
SplunkTrust

Also, for SSL/TLS be sure that you are using port 465 or 587, not port 25. Port 25 is deprecated/unsupported/insecure.

Your username/password may actually work with the correct port the more I think about it. I would test both methods.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

aromanauskas
Path Finder

Just checking but are you using the same user for both operations? The SMTP authentication requires the user have admin_all_objects as a capability.

0 Karma

lglopes
Explorer

Thank you for answering me!

Yes, at the moment there is only my user because we are in the starting phase of setting this up.

Seeing that there are not many answers to this, I’m considering going for some workarounds and maybe create a custom config that would call sendemail somehow instead of using the predefined email alert...

0 Karma