Hi,
I'm trying to set an alert that will notify me through mail with the name of accounts which have failed authentications more than some number.
The result of the search must be only for the active day, not for a 24 hour period. I think that the search is all right but I have a problem with scheduling the mail alert.
Search looks like this...
index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19
| eval "User Account"=coalesce(User_Name,Account_Name)
| stats count by "User Account"
| where count > 100
| sort - count
Can you please help me with scheduling mail step by step? I tried with real-time triggering, schedule triggering, throttle, but I didn't receive any mail.
Thank you!
Make sure that you click on "+ Add Actions" and select "Add to Triggered Alerts". If you see an alert in the Activity -> Triggered Alerts area, then you know the problem is that email settings are not right, so email is the problem. If you do not see a triggered alert, then turn off throttling. If you still do not see a triggered alert, then try to pull up the search output of the last scheduled run to see if your search is finding what it should with:
| loadjob savedsearch="YourUser:YourApp:YourSavedSearch"
Somewhere in that quest you will find the problem.
Now it works. I just cloned that query into a new one and now it works well.
Thank you all for support!
Augustin
@aanic - To add to rich's comment, please don't forget to click "Accept" below the best answer to resolve this post so it can be easily found by other users. Don’t forget to upvote anything that was helpful too. Thanks!
Please accept one of the offered solutions.
Run this search:
index=_internal sourcetype=splunk_python
You are looking for errors like this:
ERROR sendemail:417 - [Errno 111] Connection refused while sending mail to: woodcock@splunxter.com host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype = splunk_python
ERROR sendemail:131 - Sending email. subject="Splunk Alert: AntiHack: Block IPs with 10 auth failures in 5 minutes", results_link="http://YourSearchHead.com:8000/app/AntiHack/@go?sid=scheduler__nobody__AntiHack__RMD5e3bf059b79d736d6_at_1485189540_73", recipients="[u'woodcock@splunxter.com']", server="localhost" host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype = splunk_python
This tells you that your email settings are bad.
Have you configured Settings -> Server settings -> Email settings?
Hi aanic,
You need to configure email alert notifications. Please refer to step-by-step instructions in the documentation:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification
http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Setupalertactions
Hope this helps. Thanks!
Hunter
The query looks fine. What is the specific problem you are having with scheduling the alert?
I want to receive a mail notification with every new line of result (name of account) of that query. I was trying with a few schedule methods but it didn't work fine. Can you please help me with this, I can't find the correct configuration of "Alert type and Trigger condition" in the Alert section.
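The same scheduled, per-result email alert written as a savedsearches.conf stanza, as an added example that is not from this thread (it combines the per-account notification asked for here with the "Add to Triggered Alerts" check from the answer above); the stanza name, app path, recipient address and 15-minute interval are assumptions, and the search line is the one from the question.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf  (app name assumed)
[Failed auth - per account today]
search = index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count

# Scheduled (not real-time) alert; run every 15 minutes (interval assumed)
enableSched = 1
cron_schedule = */15 * * * *

# Trigger whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0

# One email per result row (one per account), not a single digest of all rows
alert.digest_mode = 0

# Record firings under Activity -> Triggered Alerts so you can verify the
# schedule fires even if mail delivery is broken
alert.track = 1

# Throttle per account: an account over the threshold is mailed roughly once
# per day rather than on every 15-minute run. Turn throttling off while
# troubleshooting if nothing fires at all.
alert.suppress = 1
alert.suppress.fields = User Account
alert.suppress.period = 24h

# Email action (recipient assumed); the SMTP server itself is taken from
# Settings -> Server settings -> Email settings, not from this stanza
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: account over failed-logon threshold today
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

After saving, restart Splunk or reload the app, then check Activity -> Triggered Alerts and index=_internal sourcetype=splunk_python for sendemail errors.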