Alerting

Please help: Alerts with cron schedule. Triggers matched but no e-mail.....

soniquella
Path Finder

Good morning.

I can't quite get my head around this... I am trying to create an e-mailed alert for whenever one of my admin priv accounts attempts to log on (interactive or remote) to a tagged set of servers.

tag=taggedservers (EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801) (user=user1 OR user=user2 OR user=user3 OR user=user4) (Logon_Type=2 OR Logon_Type=10) | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc | table _time src src_ip user host EventCodeDescription

The search is set to run looking at the last 15 minutes' events.

Initially I set the search to stats count within a 15 minute time frame and to trigger if the returned results were greater than zero. This was fine and worked, but only showed count = * in the e-mail to the intended recipients. I need to be able to show the tabled information above in the alerting e-mail, so I removed the stats count and added | table etc etc...

The alert triggers and actions are set as:

Alert type: Scheduled, Run on Cron Schedule
Earliest: -15m, Latest: now
Cron Expression: /15***
Trigger: when number of results is greater than 0

Action is to e-mail selected recipients.

I feel like I am missing something quite simple - but just can't get this to work.

In the schedule.log it looks like the alert IS being triggered but still no e-mails.

Any help would be appreciated.

Kind regards, Rob.

1 Solution

lyndac
Contributor

If you haven't already, I would set the alert up to also "Add To Triggered Alerts", then you should be able to verify for sure that an alert was generated.

Also, verify your email settings on the Splunk server.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Alert/Emailnotification#Configure_email_notificati...

You can check the python log to see if there are any errors sending the email.

index=_internal source=*python.log* email


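As an added example (not from the original thread or from Splunk's own documentation), this is the savedsearches.conf stanza that corresponds to the alert described in the question, with the cron schedule, the result-count trigger, "Add to Triggered Alerts" (alert.track) and the email action all set explicitly so they can be compared against what the UI saved. The stanza name and recipient address are assumptions; the search is the poster's own with the EventCode list grouped in parentheses.

```ini
# Stanza name and recipient are assumed values, constructed for illustration.
[Admin interactive logon on tagged servers]
enableSched = 1
# Every 15 minutes. The leading asterisk is the character the forum editor stripped in the thread.
cron_schedule = */15 * * * *
# Snap both ends of the window to the minute so a run that fires a few seconds late
# neither skips nor double-counts events at the window edges.
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
# Trigger condition: fire when the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0
# Record each firing under Activity > Triggered Alerts, which separates
# "did the alert trigger" from "did the email get delivered".
alert.track = 1
# Email action with the tabled results embedded in the message body
# (this is what replaces the bare "count" the stats version produced).
action.email = 1
action.email.to = secops@example.com
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table
action.email.subject = Admin logon on tagged server: $name$
search = tag=taggedservers (EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801) (user=user1 OR user=user2 OR user=user3 OR user=user4) (Logon_Type=2 OR Logon_Type=10) | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc | table _time src src_ip user host EventCodeDescription
```

If the alert appears under Triggered Alerts but no mail arrives, the fault is in the email action or the server's mail settings rather than the schedule or search, and the python.log search given in the answer is where to look next.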

gcusello
SplunkTrust

Maybe you wrote the question wrong, but the cron rule to execute the alert every 15 minutes is */15 * * * *
In addition, you could use the stats command, inserting values to show the other fields.
Bye.
Giuseppe


soniquella
Path Finder

Thanks Giuseppe. My cron rule is correct: /15***.
I think my issue is in the alert settings.
I appreciate your time though.


soniquella
Path Finder

To be clear it DOES have the first asterisk before the /15. This is just not showing in our responses or in my initial question.


gcusello
SplunkTrust

Sorry, but the answers site editor modified my message.
The correct cron is

*/15 * * * *

Bye.
Giuseppe



soniquella
Path Finder

Thank you.

I'll add it to Triggered Alerts now. This should at least give me an indication of where the issue lies.
