topic Re: How to configure an alert to email me results of failed authentications per user in an active day? in Alerting

How to configure an alert to email me results of failed authentications per user in an active day?

aanic — Thu, 19 Jan 2017 12:03:01 GMT

Hi,

i'm trying to set an alert that will notify me through mail with the name of accounts which have failed authentications more than some number.
The result of search must be only for active day, not for 24 hour period. I think that the search is all right but i have problem with scheduling mail alert.

Search looks like this...

index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count

Can you please help me with scheduling mail step by step? I tried with real-time triggering, schedule triggering, throttle but i didn't receive any mail.

Thank you!

Re: How to configure an alert to email me results of failed authentications per user in an active day?

richgalloway — Thu, 19 Jan 2017 13:20:36 GMT

The query looks fine. What is the specific problem you are having with scheduling the alert?

Re: How to configure an alert to email me results of failed authentications per user in an active day?

aanic — Thu, 19 Jan 2017 14:35:48 GMT

I want to recive mail notification whith every new line of resultat (name of account) of that querry . I was trying with few schedule methods but it didnt work fine. Can you please help me about this, i cant find correct configuration of "Alert type and Trigger condition" in Alert section.

Re: How to configure an alert to email me results of failed authentications per user in an active day?

hunters_splunk — Thu, 19 Jan 2017 15:01:16 GMT

Hi aanic,

You need to configure email alert notifications. Please refer to step-by-step instructions in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification
http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Setupalertactions

Hope this helps. Thanks!
Hunter

Re: How to configure an alert to email me results of failed authentications per user in an active day?

aanic — Thu, 19 Jan 2017 15:08:25 GMT

I read that instructions, set email notificatin, schedule triger but it didnt works. Here is some of my attempts...

Re: How to configure an alert to email me results of failed authentications per user in an active day?

woodcock — Fri, 20 Jan 2017 06:12:33 GMT

Make sure that you click on + Add Actions and select Add to Triggered Alerts. If you see an alert in the Activity -> Triggered Alerts area, then you know the problem is that email settings are not right so email is the problem. If you do not see a triggered alert, then turn off throttling. If you still do not see a triggered alert, then try to pull up the search output of the last scheduled run to see if your search is finding what it should with | loadjob savedsearch="YourUser:YourApp:YourSavedSearch". Somewhere in that quest you will find the problem.

Re: How to configure an alert to email me results of failed authentications per user in an active day?

aanic — Fri, 20 Jan 2017 09:48:44 GMT

I set all that, but i didn't recive any mail.
Here is configuration of my alert. Can somebody send me photo with correct configuration i would be grateful.

Thx!

Augustin

Re: How to configure an alert to email me results of failed authentications per user in an active day?

aanic — Fri, 20 Jan 2017 14:54:27 GMT

Now it works. I just clone that qouerry in new one and now it works well.

Thank you all for support!

Augustin

Re: How to configure an alert to email me results of failed authentications per user in an active day?

richgalloway — Fri, 20 Jan 2017 16:33:42 GMT

Please accept one of the offered solutions.

Re: How to configure an alert to email me results of failed authentications per user in an active day?

aaraneta_splunk — Mon, 23 Jan 2017 03:19:27 GMT

@aanic - To add to rich's comment, please don't forget to click "Accept" below the best answer to resolve this post so it can be easily found by other users. Don’t forget to upvote anything that was helpful too. Thanks!

Re: How to configure an alert to email me results of failed authentications per user in an active day?

woodcock — Mon, 23 Jan 2017 16:59:40 GMT

Run this search:

index=_internal sourcetype=splunk_python

You are looking for errors like this:

ERROR   sendemail:417 - [Errno 111] Connection refused while sending mail to: woodcock@splunxter.com host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype =  splunk_python
ERROR   sendemail:131 - Sending email. subject="Splunk Alert: AntiHack: Block IPs with 10 auth failures in 5 minutes", results_link="http://YourSearchHead.com:8000/app/AntiHack/@go?sid=scheduler__nobody__AntiHack__RMD5e3bf059b79d736d6_at_1485189540_73", recipients="[u'woodcock@splunxter.com']", server="localhost" host =   YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype =  splunk_python

This tells you that your email settings are bad.

Have you configured Settings -> Server settings -> Email settings ?