Alerting

Please help: Alerts with cron schedule. Triggers matched but no e-mail.....

soniquella
Path Finder

Good morning.

I can't quite get my head around this... I am trying to create an e-mailed alert for whenever one of my admin priv accounts attempts to log on (interactive or remote) to a tagged set of servers.

tag=taggedservers (EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801) (user=user1 OR user=user2 OR user=user3 OR user=user4) (Logon_Type=2 OR Logon_Type=10) | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc | table _time src src_ip user host EventCodeDescription

The search is set to run looking at the last 15 minutes of events.

Initially I set the search to stats count within a 15-minute time frame and to trigger if the returned results were greater than zero. This was fine and worked, but only showed count = * in the e-mail to the intended recipients. I need to be able to show the tabled information above in the alert e-mail, so I removed the stats count and added | table etc.

The alert triggers and actions are set as:

Alert type: Scheduled, Run on Cron Schedule; Earliest: -15m; Latest: now; Cron Expression: */15 * * * *; Trigger when number of results is greater than 0

Action is to e-mail selected recipients.

I feel like I am missing something quite simple - but just can't get this to work.

In the schedule.log it looks like the alert IS being triggered but still no e-mails.

Any help would be appreciated.

Kind regards, Rob.

0 Karma
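The filtering the question's search performs, re-implemented in plain Python as an added example (this is not code from the original thread or from Splunk) so the event-code/account/logon-type filter, the lookup join and the tabled rows can be checked offline against a few constructed events. It assumes event records carry the same field names the search uses; the tagged host names, the LogonTypeLookups.csv contents and the sample events are all constructed here, and the table shows EventCode in place of the EventCodeDescription field the thread never defines. It also includes the stats-with-values() variant Giuseppe's reply suggests, which keeps a count while still carrying the detail fields into the e-mail.

```python
"""Added example: the thread's privileged-logon detection logic over constructed
Windows Security events. Not from the original post or from Splunk."""
from collections import defaultdict

# Event codes the search keys on: logon (4624), logoff (4634/4647), failed
# logon (4625), RDP session reconnect/disconnect (4778/4779), lock/unlock (4800/4801).
WATCHED_EVENT_CODES = {4624, 4634, 4647, 4625, 4778, 4779, 4800, 4801}
PRIV_ACCOUNTS = {"user1", "user2", "user3", "user4"}
# Logon_Type 2 = Interactive (console), 10 = RemoteInteractive (RDP).
WATCHED_LOGON_TYPES = {2, 10}
# Constructed stand-in for the hosts carrying tag=taggedservers.
TAGGED_SERVERS = {"srv-dc01", "srv-file01"}

# Constructed stand-in for LogonTypeLookups.csv (Logon_Type -> Logon_Desc).
LOGON_TYPE_LOOKUP = {2: "Interactive", 10: "RemoteInteractive"}

# Constructed sample events; only two of them should match the filter.
SAMPLE_EVENTS = [
    {"_time": "2016-06-01T08:00:01", "host": "srv-dc01", "EventCode": 4624,
     "user": "user1", "Logon_Type": 10, "src": "ws-admin01", "src_ip": "10.0.0.5"},
    {"_time": "2016-06-01T08:02:10", "host": "srv-dc01", "EventCode": 4624,
     "user": "user1", "Logon_Type": 3, "src": "ws-admin01", "src_ip": "10.0.0.5"},  # network logon: excluded
    {"_time": "2016-06-01T08:03:00", "host": "srv-web01", "EventCode": 4624,
     "user": "user2", "Logon_Type": 2, "src": "-", "src_ip": "-"},  # untagged host: excluded
    {"_time": "2016-06-01T08:04:30", "host": "srv-file01", "EventCode": 4625,
     "user": "user3", "Logon_Type": 2, "src": "-", "src_ip": "10.0.0.9"},  # failed console logon: included
    {"_time": "2016-06-01T08:05:00", "host": "srv-file01", "EventCode": 4624,
     "user": "svc_backup", "Logon_Type": 10, "src": "ws-ops", "src_ip": "10.0.0.7"},  # not a watched account
]


def matches(event):
    """Base filter of the search, with the EventCode OR chain grouped so the
    tag, account and logon-type conditions apply to every event code."""
    return (event["host"] in TAGGED_SERVERS
            and event["EventCode"] in WATCHED_EVENT_CODES
            and event["user"] in PRIV_ACCOUNTS
            and event["Logon_Type"] in WATCHED_LOGON_TYPES)


def table_rows(events):
    """Equivalent of '| lookup ... OUTPUT Logon_Desc | table ...': one row per
    matching event, with the lookup value joined in."""
    rows = []
    for e in events:
        if not matches(e):
            continue
        rows.append({
            "_time": e["_time"], "src": e["src"], "src_ip": e["src_ip"],
            "user": e["user"], "host": e["host"], "EventCode": e["EventCode"],
            "Logon_Desc": LOGON_TYPE_LOOKUP.get(e["Logon_Type"], "unknown"),
        })
    return rows


def stats_by_user(events):
    """Equivalent of '| stats count values(host) AS hosts BY user': the count the
    original alert used, but carrying the hosts so the e-mail is not just count=*."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        if matches(e):
            counts[e["user"]] += 1
            hosts[e["user"]].add(e["host"])
    return {u: {"count": counts[u], "hosts": sorted(hosts[u])} for u in counts}


def should_trigger(events):
    """Trigger condition from the alert settings: number of results greater than 0."""
    return len(table_rows(events)) > 0


if __name__ == "__main__":
    for row in table_rows(SAMPLE_EVENTS):
        print(row)
    print(stats_by_user(SAMPLE_EVENTS))
    print("trigger:", should_trigger(SAMPLE_EVENTS))
```

Running it prints the two matching rows (user1's RDP logon to srv-dc01 and user3's failed console logon to srv-file01), the per-user summary, and trigger: True; the three excluded events show which of the filter's conditions each one fails.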
1 Solution

lyndac
Contributor

If you haven't already, I would set the alert up to also "Add To Triggered Alerts", then you should be able to verify for sure that an alert was generated.

Also, verify your email settings on the splunk server.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Alert/Emailnotification#Configure_email_notificati...

You can check the python log to see if there are any errors sending the email.

index=_internal source=*python.log* email


0 Karma

gcusello
Esteemed Legend

Maybe you made a mistake writing the question, but the cron rule to execute an alert every 15 minutes is */15 * * * *
In addition, you could use the stats command with values() to show the other fields.
Bye.
Giuseppe

0 Karma

soniquella
Path Finder

Thanks Giuseppe. My cron rule is correct: */15 * * * *.
I think my issue is in the alert settings.
I appreciate your time though.

0 Karma

soniquella
Path Finder

To be clear it DOES have the first asterisk before the /15. This is just not showing in our responses or in my initial question.

0 Karma

gcusello
Esteemed Legend

Sorry, but the Answers site editor modified my message.
The correct cron is

*/15 * * * *

bye.
Giuseppe

0 Karma


soniquella
Path Finder

Thank you.

I'll add now to triggered alerts. This should at least give me an indication of where the issue lies.

0 Karma