Hello,
I have an SMTP server that is unauthenticated. I have the server IP set up in Splunk Manager. I used this on a test Splunk server within the same subnet (Windows 2003 32-bit box) just fine.
However, my production box is not emailing (64-bit Win 2008 server - firewall opened for SMTP). I see the server connect to the mail server, then it disconnects without sending a message. My alert search criteria is returning results and should be emailing.
From mail Server:
07/28/2010 10:23:02 AM SMTP Server: SPLUNK_SERVER connected
07/28/2010 10:23:02 AM SMTP Server: SPLUNK_SERVER disconnected. 0 message[s] received
Is there anywhere else I can look? Is there a log file from Splunk that would clue me into what is happening when it is connecting to my mail server?
Thanks.
Kevin
Check the $SPLUNK_HOME/var/lib/splunk/python.log for errors related to email/smtp.
Thanks! That had what I needed and found that the messages were being rejected as SPAM.... funny that the mail server log didn't say that....
Thanks again!
Note: the Splunk server and the mail server are on different subnets, whereas the test server that worked was on the same subnet. Not sure if that will make a difference.
Thanks for any help.