Solved: Permission Trouble with using Scheduled Export of ...

ferdbiffle · ‎03-30-2018

I'm trying to use the Scheduled Export of Indexed Data (SEND) to File modular alert to send a file to a specified folder on a Windows share. We are running Splunk on CentOS 7 running on the same V-Lan as the target domain of the share.

In the config for the modular alert:

Output Directory //hostname/sharename
Output Filename TestSchedExport.csv

When the alert runs I get the following results:

WARN sendmodalert - action=sendfile - Alert action script returned error code=2
INFO sendmodalert - action=sendfile - Alert action script completed in duration=45 ms with exit code=2
FATAL sendmodalert - action=sendfile STDERR - Failed trying to send file
ERROR sendmodalert - action=sendfile STDERR - [Errno 2] No such file or directory: u'/hostname/sharename/TestSchedExport1.csv'

My inkling is that I need to somehow modify the Python script that runs the modular alert to include authentication, but I am not Python conversant so I'm not sure where to start... Any takers out there?

Thanks,

Eric

ferdbiffle · ‎04-23-2018

We solved this issue by creating a CIFS mount to the Windows Share. We mount this at Splunk startup and utilize an AD service account/password to authenticate for the connection. All subsequent "send_file" actions write to the share flawlessly!

View solution in original post

ferdbiffle · ‎04-23-2018

We solved this issue by creating a CIFS mount to the Windows Share. We mount this at Splunk startup and utilize an AD service account/password to authenticate for the connection. All subsequent "send_file" actions write to the share flawlessly!

Permission Trouble with using Scheduled Export of Indexed Data (SEND) to File

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases