Alerting

How to configure an alert to email me results of failed authentications per user in an active day?

Path Finder

Hi,

I'm trying to set up an alert that will notify me by mail with the names of accounts which have more failed authentications than some number.
The results of the search must be for the active day only, not for a 24-hour period. I think the search is all right, but I have a problem with scheduling the mail alert.

Search looks like this...

index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count

Can you please help me with scheduling the mail, step by step? I tried real-time triggering, scheduled triggering and throttling, but I didn't receive any mail.

Thank you!

0 Karma

Re: How to configure an alert to email me results of failed authentications per user in an active day?

SplunkTrust

The query looks fine. What is the specific problem you are having with scheduling the alert?

---
If this reply helps you, an upvote would be appreciated.

Re: How to configure an alert to email me results of failed authentications per user in an active day?

Path Finder

I want to receive a mail notification with every new line of result (name of account) from that query. I was trying a few schedule methods, but it didn't work. Can you please help me with this? I can't find the correct configuration of "Alert type and Trigger condition" in the Alert section.

0 Karma

Re: How to configure an alert to email me results of failed authentications per user in an active day?

Splunk Employee

Hi aanic,

You need to configure email alert notifications. Please refer to step-by-step instructions in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification
http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Setupalertactions

Hope this helps. Thanks!
Hunter


Re: How to configure an alert to email me results of failed authentications per user in an active day?

Path Finder

I read those instructions, set the email notification and the scheduled trigger, but it doesn't work. Here are some of my attempts...

[screenshot of alert configuration]

[screenshot of alert configuration]

0 Karma

Re: How to configure an alert to email me results of failed authentications per user in an active day?

Esteemed Legend

Make sure that you click on + Add Actions and select Add to Triggered Alerts. If you see an alert in the Activity -> Triggered Alerts area, then you know the problem is that email settings are not right so email is the problem. If you do not see a triggered alert, then turn off throttling. If you still do not see a triggered alert, then try to pull up the search output of the last scheduled run to see if your search is finding what it should with | loadjob savedsearch="YourUser:YourApp:YourSavedSearch". Somewhere in that quest you will find the problem.

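To make the advice in this thread concrete (scheduled rather than real-time triggering, a trigger condition, "Add to Triggered Alerts" for debugging, throttling that can be switched off, and the mail-server settings), here is an added example of what the alert from the question looks like in configuration files. It is not from the original thread or from Splunk's documentation. The stanza name, the recipient address, the SMTP server and the renamed User_Account field are assumptions; the search itself is the one posted above, with its time range moved into the dispatch keys.

```ini
# savedsearches.conf (in the app where the alert lives, e.g. etc/apps/<app>/local/)
# Stanza name, recipient address and the renamed field are assumptions for this example.
[Failed authentications per user - current day]
# Same search as in the thread; the time range moves to the dispatch.* keys below
# and the output field is renamed without a space so it can be used for throttling.
search = index=windows_ad source="wineventlog:security" ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval User_Account=coalesce(User_Name,Account_Name) | stats count by User_Account | where count > 100 | sort - count

# Scheduled (not real-time) alert: run every 15 minutes, always from midnight to now,
# so the count covers only the active day rather than a rolling 24 hours.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = @d
dispatch.latest_time = now

# Trigger whenever the search returns at least one row
# (the "> 100" threshold is already applied inside the search).
counttype = number of events
relation = greater than
quantity = 0

# One trigger per result row, so each account produces its own alert and email.
alert.digest_mode = 0
# Throttle per account for 24 hours after it fires, so a user over the threshold
# mails once and not on every 15-minute run.
# Set alert.suppress = 0 while troubleshooting delivery, as suggested in the thread.
alert.suppress = 1
alert.suppress.fields = User_Account
alert.suppress.period = 24h

# Record every firing under Activity -> Triggered Alerts, then send the email.
alert.track = 1
actions = email
action.email = 1
action.email.to = soc-team@example.com
action.email.subject = Splunk Alert: $name$ - $result.User_Account$ ($result.count$ failures)
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table

# alert_actions.conf (etc/system/local/): the SMTP server Splunk uses for all email
# actions. This is what Settings -> Server settings -> Email settings writes in the UI.
# Server and sender address are placeholders.
[email]
mailserver = smtp.example.com:587
use_tls = 1
from = splunk-alerts@example.com
```

If the alert shows up under Activity -> Triggered Alerts but no mail arrives, the saved search is fine and the [email] stanza is the part to check; the `index=_internal sourcetype=splunk_python` search mentioned later in this thread shows the sendemail errors for that case.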


Re: How to configure an alert to email me results of failed authentications per user in an active day?

Path Finder

I set all that, but I didn't receive any mail.
Here is the configuration of my alert. If somebody could send me a screenshot with the correct configuration, I would be grateful.

Thx!

Augustin

[screenshot of alert configuration]

[screenshot of alert configuration]

0 Karma

Re: How to configure an alert to email me results of failed authentications per user in an active day?

Esteemed Legend

Run this search:

index=_internal sourcetype=splunk_python

You are looking for errors like this:

ERROR   sendemail:417 - [Errno 111] Connection refused while sending mail to: woodcock@splunxter.com host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype =  splunk_python
ERROR   sendemail:131 - Sending email. subject="Splunk Alert: AntiHack: Block IPs with 10 auth failures in 5 minutes", results_link="http://YourSearchHead.com:8000/app/AntiHack/@go?sid=scheduler__nobody__AntiHack__RMD5e3bf059b79d736d6_at_1485189540_73", recipients="[u'woodcock@splunxter.com']", server="localhost" host =   YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype =  splunk_python

This tells you that your email settings are bad.

Have you configured Settings -> Server settings -> Email settings?

0 Karma

Re: How to configure an alert to email me results of failed authentications per user in an active day?

Path Finder

Now it works. I just cloned that query into a new one and now it works well.

Thank you all for support!

Augustin

0 Karma

Re: How to configure an alert to email me results of failed authentications per user in an active day?

SplunkTrust

Please accept one of the offered solutions.

---
If this reply helps you, an upvote would be appreciated.
0 Karma