Alerting

E-mail alerts stopped working since 6.6 upgrade for some users

tin_fish
Explorer

Following upgrade to Splunk Enterprise 6.6, some of my users' scheduled e-mail reports are no longer working. Admins seem fine, but others not so. Seeing errors like this in python.log:

2017-05-16 09:22:43,543 +0100 ERROR ssl_context:638 - SSLHelper.getServerSettings Could not access or parse sslConfig stanza of server.conf. Error=[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/configs/conf-server/sslConfig
2017-05-16 09:22:43,543 +0100 ERROR sendemail:137 - Sending email. subject=“#######”, server="127.0.0.1:25"
2017-05-16 09:22:43,543 +0100 ERROR sendemail:443 - 'rootCAPath' while sending mail to: ########

Tags (2)
1 Solution

mafisher_splunk
Splunk Employee
Splunk Employee

You need to give your users the 'list_settings' capability; that was introduced in Splunk 6.6 part of Common Criteria  (ISO/IEC 15408) compliance, so alert-sending has access to SSL configurations.

View solution in original post

the_wolverine
Champion

It seems like mafisher has posted the resolution for this issue. We upgraded to version 7 and had the same issue with failed email alerts. Splunk should have documented this change to capabilities in the README.

gstultz_splunk
Splunk Employee
Splunk Employee

According to the roles/capabilities definition of "list_settings" this gives users 'Lets the user list and view server and introspection settings such as the server name, log levels, etc'.  Since this is default an admin capability, how much of a vulnerability is this if a user is allowed the same capability?

 

mafisher_splunk
Splunk Employee
Splunk Employee

You need to give your users the 'list_settings' capability; that was introduced in Splunk 6.6 part of Common Criteria  (ISO/IEC 15408) compliance, so alert-sending has access to SSL configurations.

andygerberkp
Explorer
0 Karma

usd0872
Path Finder

Works. Thanks for the info.

(Not really happy, though, to give our normal users a capability which, by default, is admin-only...)

hharris
New Member

I have followed the suggested resolution with no success. Is there any other suggestions for restoring Emailing alerts (using TLS) after upgrade to 6.6.2? Email isn't working for Admin, Power users, or Users.

0 Karma

mugundanava
New Member

where to give "users the 'list_settings' capability"

0 Karma

mafisher_splunk
Splunk Employee
Splunk Employee

You can add capabilities under Roles.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...