Alerting

How to configure an alert to email me results of failed authentications per user in an active day?

aanic
Path Finder

Hi,

I'm trying to set an alert that will notify me through mail with the names of accounts which have more failed authentications than some number.
The result of the search must be only for the active day, not for a 24-hour period. I think that the search is all right, but I have a problem with scheduling the mail alert.

The search looks like this...

index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count

Can you please help me with scheduling mail step by step? I tried real-time triggering, scheduled triggering and throttling, but I didn't receive any mail.

Thank you!

0 Karma
1 Solution

woodcock
Esteemed Legend

Make sure that you click on + Add Actions and select Add to Triggered Alerts. If you see an alert in the Activity -> Triggered Alerts area, then you know the problem is that email settings are not right so email is the problem. If you do not see a triggered alert, then turn off throttling. If you still do not see a triggered alert, then try to pull up the search output of the last scheduled run to see if your search is finding what it should with | loadjob savedsearch="YourUser:YourApp:YourSavedSearch". Somewhere in that quest you will find the problem.

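The settings woodcock lists (Add to Triggered Alerts, throttling off, a scheduled run over the current day, email action) expressed as a savedsearches.conf stanza. This is an added illustration, not from the thread or from Splunk's documentation; the app path, stanza name, cron schedule and recipient address are assumptions.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/YourApp/local/savedsearches.conf
# Stanza name and recipient are placeholders, not values from the thread.
[Failed authentications per user - active day]
# The search from the question, unchanged (earliest=@d keeps it to today only)
search = index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count

# Scheduled (not real-time) run every 15 minutes; dispatch window matches the search
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = @d
dispatch.latest_time = now

# Trigger whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0

# "Add to Triggered Alerts": each firing appears under Activity -> Triggered Alerts,
# which separates a search that never fires from an email action that fails
alert.track = 1

# Throttling off while troubleshooting; re-enable later with alert.suppress = 1
# plus alert.suppress.period / alert.suppress.fields
alert.suppress = 0

# 0 = one alert (and one email) per result row, i.e. per user account;
# 1 = a single digest email per scheduled run
alert.digest_mode = 0

# Email action. The SMTP host, port and credentials are NOT set here but under
# Settings -> Server settings -> Email settings; check index=_internal
# sourcetype=splunk_python for sendemail errors if no mail arrives.
action.email = 1
action.email.to = you@example.com
action.email.subject = Splunk Alert: $name$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

After saving the file, restart Splunk or reload the app so the scheduler picks up the stanza, then confirm a firing under Activity -> Triggered Alerts before looking at the mail path.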

aanic
Path Finder

Now it works. I just cloned that query into a new one and now it works well.

Thank you all for support!

Augustin

0 Karma

aaraneta_splunk
Splunk Employee

@aanic - To add to rich's comment, please don't forget to click "Accept" below the best answer to resolve this post so it can be easily found by other users. Don’t forget to upvote anything that was helpful too. Thanks!

0 Karma

richgalloway
SplunkTrust

Please accept one of the offered solutions.

---
If this reply helps you, Karma would be appreciated.
0 Karma

aanic
Path Finder

I set all that, but I didn't receive any mail.
Here is the configuration of my alert. If somebody could send me a screenshot with the correct configuration, I would be grateful.

Thx!

Augustin

(screenshots of the alert configuration)

0 Karma

woodcock
Esteemed Legend

Run this search:

index=_internal sourcetype=splunk_python

You are looking for errors like this:

ERROR   sendemail:417 - [Errno 111] Connection refused while sending mail to: woodcock@splunxter.com host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype =  splunk_python
ERROR   sendemail:131 - Sending email. subject="Splunk Alert: AntiHack: Block IPs with 10 auth failures in 5 minutes", results_link="http://YourSearchHead.com:8000/app/AntiHack/@go?sid=scheduler__nobody__AntiHack__RMD5e3bf059b79d736d6_at_1485189540_73", recipients="[u'woodcock@splunxter.com']", server="localhost" host =   YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype =  splunk_python

This tells you that your email settings are bad.

Have you configured Settings -> Server settings -> Email settings?

0 Karma

hunters_splunk
Splunk Employee

Hi aanic,

You need to configure email alert notifications. Please refer to step-by-step instructions in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification
http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Setupalertactions

Hope this helps. Thanks!
Hunter

aanic
Path Finder

I read those instructions, set the email notification and scheduled trigger, but it didn't work. Here are some of my attempts...

(screenshots of the attempted alert configurations)

0 Karma

richgalloway
SplunkTrust

The query looks fine. What is the specific problem you are having with scheduling the alert?

---
If this reply helps you, Karma would be appreciated.

aanic
Path Finder

I want to receive a mail notification with every new line of the result (name of account) of that query. I was trying a few schedule methods but it didn't work. Can you please help me with this? I can't find the correct configuration of "Alert type and Trigger condition" in the Alert section.

0 Karma