I'm trying to set an alert that will notify me through mail with the names of accounts which have failed authentications more than some number.
The result of the search must be only for the active day, not for a 24-hour period. I think that the search is all right, but I have a problem with scheduling the mail alert.
Search looks like this...
index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count
Can you please help me with scheduling mail step by step? I tried with real-time triggering, schedule triggering, and throttle, but I didn't receive any mail.
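To check what the search in the question actually counts before wiring it to an alert, here is an added, offline re-implementation of its logic in Python (this is not part of the original post and not Splunk code). It runs over constructed sample events whose dict keys stand in for the fields Splunk extracts from the Security log; the "Type" field is an assumption used to carry the audit keyword ("Failure Audit" for 672/675, "Audit Failure" for 4771). The threshold is a parameter so the small sample can be exercised with a value lower than the 100 used in the real search.

```python
from collections import Counter

# Constructed sample events (hypothetical, not real log data). Each dict mimics the
# fields extracted from one WinEventLog:Security event; "Type" is an assumed field that
# carries the audit keyword. _events() just repeats one event n times.
def _events(n, **fields):
    return [dict(fields) for _ in range(n)]

SAMPLE_EVENTS = (
    _events(5, EventCode="4771", Type="Audit Failure", Account_Name="jsmith", Failure_Code="0x18")
    + _events(2, EventCode="4771", Type="Audit Failure", Account_Name="alice", Failure_Code="0x18")
    + _events(6, EventCode="4771", Type="Audit Failure", Account_Name="WKSTN01$", Failure_Code="0x18")
    + _events(5, EventCode="4771", Type="Audit Failure", Account_Name="bob", Failure_Code="0x19")
    + _events(1, EventCode="4771", Type="Audit Failure", Account_Name="bob", Failure_Code="0x18")
    + _events(3, EventCode="672", Type="Failure Audit", User_Name="svc_backup", Failure_Code="0x18")
    + _events(1, EventCode="675", Type="Failure Audit", User_Name="svc_backup", Failure_Code="0x18")
    + _events(3, EventCode="4771", Type="Audit Success", Account_Name="carol")
)


def is_failed_auth(ev):
    # ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit"))
    #   OR (EventCode=4771 AND "Audit Failure")
    code = ev.get("EventCode")
    return (code == "675"
            or (code == "672" and ev.get("Type") == "Failure Audit")
            or (code == "4771" and ev.get("Type") == "Audit Failure"))


def is_excluded(ev):
    # NOT (User_Name="*$" OR Account_Name="*$"): drop computer accounts, whose
    # names end in "$" and would otherwise dominate the counts
    for field in ("User_Name", "Account_Name"):
        if ev.get(field, "").endswith("$"):
            return True
    # NOT Failure_Code=0x19: KDC_ERR_PREAUTH_REQUIRED is logged on every normal
    # Kerberos logon before pre-authentication, so it is noise, not a bad password
    return ev.get("Failure_Code") == "0x19"


def failed_auth_counts(events, threshold=100):
    """Return [(account, count), ...] for accounts with more than `threshold`
    failed authentications, highest count first (stats count | where | sort - count)."""
    counts = Counter()
    for ev in events:
        if not is_failed_auth(ev) or is_excluded(ev):
            continue
        # eval "User Account"=coalesce(User_Name, Account_Name)
        user = ev.get("User_Name") or ev.get("Account_Name")
        if user:
            counts[user] += 1
    over = [(user, n) for user, n in counts.items() if n > threshold]
    return sorted(over, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for user, count in failed_auth_counts(SAMPLE_EVENTS, threshold=3):
        print(f"{user}\t{count}")
```

With the sample above and threshold 3, only jsmith (5) and svc_backup (4) are reported: WKSTN01$ is dropped as a machine account, bob's 0x19 events are ignored, and carol's successful logons never match. One thing this makes visible is that if neither User_Name nor Account_Name is extracted for an event, it silently contributes nothing to the count, which is worth checking with the real data before trusting the alert.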
The query looks fine. What is the specific problem you are having with scheduling the alert?
I want to receive a mail notification with every new line of result (name of account) of that query. I was trying with a few schedule methods, but it didn't work fine. Can you please help me with this? I can't find the correct configuration of "Alert type and Trigger condition" in the Alert section.
You need to configure email alert notifications. Please refer to step-by-step instructions in the documentation:
Hope this helps. Thanks!
Make sure that you click on + Add Actions and select Add to Triggered Alerts. If you see an alert in the Triggered Alerts area, then you know the problem is that email settings are not right, so email is the problem. If you do not see a triggered alert, then turn off throttling. If you still do not see a triggered alert, then try to pull up the search output of the last scheduled run to see if your search is finding what it should with
| loadjob savedsearch="YourUser:YourApp:YourSavedSearch"
Somewhere in that quest you will find the problem.
Run this search:
You are looking for errors like this:
ERROR sendemail:417 - [Errno 111] Connection refused while sending mail to: firstname.lastname@example.org host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype = splunk_python ERROR sendemail:131 - Sending email. subject="Splunk Alert: AntiHack: Block IPs with 10 auth failures in 5 minutes", results_link="http://YourSearchHead.com:8000/app/AntiHack/@go?sid=scheduler__nobody__AntiHack__RMD5e3bf059b79d736d6_at_1485189540_73", recipients="[email@example.com']", server="localhost" host = YourSearchHead source = /opt/splunk/var/log/splunk/python.log sourcetype = splunk_python
This tells you that your email settings are bad.
Have you configured Server settings -> Email settings?
Now it works. I just cloned that query into a new one and now it works well.
Thank you all for support!
Please accept one of the offered solutions.