Following upgrade to Splunk Enterprise 6.6, some of my users' scheduled e-mail reports are no longer working. Admins seem fine, but others not so. Seeing errors like this in python.log:
2017-05-16 09:22:43,543 +0100 ERROR ssl_context:638 - SSLHelper.getServerSettings Could not access or parse sslConfig stanza of server.conf. Error=[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/configs/conf-server/sslConfig
2017-05-16 09:22:43,543 +0100 ERROR sendemail:137 - Sending email. subject=“#######”, server="127.0.0.1:25"
2017-05-16 09:22:43,543 +0100 ERROR sendemail:443 - 'rootCAPath' while sending mail to: ########
You need to give your users the 'list_settings' capability; that was introduced in Splunk 6.6 part of Common Criteria (ISO/IEC 15408) compliance, so alert-sending has access to SSL configurations.
I have followed the suggested resolution with no success. Is there any other suggestions for restoring Emailing alerts (using TLS) after upgrade to 6.6.2? Email isn't working for Admin, Power users, or Users.
Works. Thanks for the info.
(Not really happy, though, to give our normal users a capability which, by default, is admin-only...)
It seems like mafisher has posted the resolution for this issue. We upgraded to version 7 and had the same issue with failed email alerts. Splunk should have documented this change to capabilities in the README.
According to the roles/capabilities definition of "list_settings" this gives users 'Lets the user list and view server and introspection settings such as the server name, log levels, etc'. Since this is default an admin capability, how much of a vulnerability is this if a user is allowed the same capability?