Alerting

Cannot send email alerts

shakti
Loves-to-Learn Everything

Hello,

I am facing the same issue as you... I am not receiving email alerts from Splunk. Instead of localhost, what name should I keep for the mail server host name? Could you please suggest?

0 Karma

PickleRick
SplunkTrust

OK. Let me jump in with some organizational stuff.

1. The Answers forum is not a free support service. It's a platform for users to exchange knowledge and help each other. So it's very useful if the threads are appropriately named - it makes searching in the future way easier.

2. When you're creating a new thread and writing "I'm facing the same issue as you" what are you referring to? What issue? Who's facing? If you're referring to another issue reported elsewhere, post a link for reference.

3. Please provide as much info as you can to help people help you - for example, the information that your alerting used to work OK and suddenly stopped is very important knowledge. You also posted the first - less important - line from the sendemail log - the next line should contain the actual error.

And more to the point - if something used to work and doesn't do that anymore, something must have changed. If you're absolutely sure (and double-checked it) that nothing changed on your side - something must have changed in the environment your Splunk is located in. Maybe the mail server's settings have changed, maybe your organization's firewall policies changed. Maybe you need to authenticate when sending outgoing email and the user/password you're using is no longer valid. Have you verified whether you have connectivity to your configured email server from your search head? Did you try to manually connect to the server and initiate an SMTP transaction? Did you get any errors?

0 Karma

marnall
Builder

Which email provider are you planning to use? Do you have your own email server, or are you using gmail or another online email service?

0 Karma

shakti
Loves-to-Learn Everything

I am using Outlook as the external mail server. Do you have any idea what value I should use in that mail server hostname?

0 Karma

marnall
Builder

As in outlook.com? If so, there is an article here describing how to connect to it via SMTP: https://support.microsoft.com/en-us/office/pop-imap-and-smtp-settings-for-outlook-com-d088b986-291d-...

Enter the required credentials to your Splunk email settings, and it should work.

0 Karma

shakti
Loves-to-Learn Everything

Hello,

I have put the SMTP server name in my email settings in Splunk, but the issue is a bit complex: all the previous alerts/reports which were created in Splunk are coming on time, but only the ones created by me lately are not coming.

Any suggestions?

0 Karma

marnall
Builder

So you have previous alerts which send email successfully, but when you make new alerts, they do not send email?

0 Karma

shakti
Loves-to-Learn Everything

Also, I have the following error, which is generated for only one previous alert. If you could please look and see what other steps I can take, if that helps.

2024-04-18 05:18:47,938 +0000 ERROR sendemail:187 - Sending email. subject="Splunk Alert: ITSEC_Backup_Change_Alert", encoded_subject="Splunk Alert: ITSEC_Backup_Change_Alert", results_link="*****", recipients="['it-security@durr.com']", server="********"

@marnall 

0 Karma

marnall
Builder

What happens if you manually use the sendemail command?

| makeresults
| sendemail to="it-security@durr.com" subject="Test mail" message="Test mail message"

 

0 Karma

shakti
Loves-to-Learn Everything

I am getting the following error:

command="sendemail", (*****SMTP; Client was not authenticated to send anonymous mail during MAIL FROM', '*****.com') while sending mail to: it-security@durr.com

0 Karma

marnall
Builder

This error would indicate an authentication problem. You should double-check your SMTP settings to ensure that they contain authentication settings for a valid account that can send email through your email provider.

0 Karma

PickleRick
SplunkTrust

This is a message saying that the server you're trying to send your emails with doesn't let you do so (at least not without proper authentication first). It's something you have to work out with your email server provider (or configure proper settings on your Splunk server).

0 Karma
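
The manual SMTP check suggested earlier in the thread, written out as an added example (not part of any poster's message and not Splunk's own code): it opens one session without credentials, upgrades with STARTTLS if offered, sends MAIL FROM without AUTH, and reports whether the server demands authentication. The host and port are values you supply, the sender address is a placeholder, and `probe_smtp` and `diagnose` are names made up for this example.

```python
import smtplib
import ssl
import sys


def diagnose(starttls, auth_mechs, mail_code):
    """Map the probe's observations to a finding (hypothetical helper)."""
    if mail_code == 250:
        return "server accepts MAIL FROM without authentication"
    if mail_code == 530:  # RFC 4954: authentication required
        if auth_mechs:
            return "authentication required; server offers: " + ", ".join(auth_mechs)
        if not starttls:
            return "authentication required, but no AUTH or STARTTLS offered on this port"
        return "authentication required, but no AUTH offered after STARTTLS"
    return "MAIL FROM rejected with code %d; read the reply text" % mail_code


def probe_smtp(host, port=25, sender="splunk@example.invalid", timeout=10):
    """Open one SMTP session without credentials and record what the server says."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        starttls = smtp.has_extn("starttls")
        if starttls:
            # Many servers advertise AUTH only once the session is encrypted.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        auth_mechs = smtp.esmtp_features.get("auth", "").split()
        # No login(): the anonymous MAIL FROM a client sends when it has
        # no credentials configured.
        code, reply = smtp.mail(sender)
        try:
            smtp.rset()  # abandon the transaction; no message is sent
        except smtplib.SMTPServerDisconnected:
            pass  # some servers drop the session after rejecting MAIL FROM
    return {
        "starttls": starttls,
        "auth_mechs": auth_mechs,
        "mail_from_code": code,
        "mail_from_reply": reply.decode("utf-8", "replace"),
        "finding": diagnose(starttls, auth_mechs, code),
    }


if __name__ == "__main__":
    # Usage: python smtp_probe.py <mail server host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in probe_smtp(host, port).items():
        print("%s: %s" % (key, value))
```

Run it from the search head itself, so the result reflects the same network path and firewall rules Splunk uses; a timeout or connection error answers the connectivity question before any SMTP reply is seen.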

shakti
Loves-to-Learn Everything

Yes, absolutely, the new alerts or reports that I am creating are unable to get notified through emails... If you have any suggestions, kindly help.

0 Karma