Weekly Report fires perfectly. SMTP Authentication is correctly configured in General Settings. And it works. Now I'm configuring an Alert based on an event (search result). Log shows me that the trigger works correctly but now I have a send mail problem (??).
Python.log shows :
ERROR sendemail:127 - Sending email. ....
ERROR sendemail:392 - SMTP AUTH extension not supported by server. while sending mail to: ....
item in splunkd.log :
ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/search/bin/sendemail.py "results_link= .... ERROR:root:SMTP AUTH extension not supported by server. while sending mail to: ....
Any idea? It seems a permission problem.... The same SMTP is correctly authenticated and it works for the Report, but not in case of the Alert. Any idea where to check?
I solved it by putting the port in the "Mail host" field in general mail settings !!?? ourmailhost.foo.com:25.
Don't know why it makes a difference. It is not a requested value if SSL or TLS is not used. And this is the case.
Probably because the default port for TLS and SSL is not typically 25.
If it works with a report but not this alert then one of the ways that is possible is if the report search is using the | sendemail command and has the correct auth in line, or your alert search is using the sendemail command with the incorrect auth in line.
The error is telling you that the mail server doesn't like the authentication method you are using. Your options are basic, ssl, and ssl with tls.
Please review the report's search and the alert search to see if one of them is using the sendemail command.
Another possibility is if the report or alert is in another Splunk app, check that Splunk app's local and default directories for a file called alert_actions.conf. This file can contain custom email settings and those settings only apply in the app that contains this file.
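The per-app check suggested in the answer above, as an added example that is not part of the original thread: it walks a Splunk `etc` directory, reads the `[email]` stanza of every `alert_actions.conf`, and reports mail settings whose values differ between files. The sample tree is constructed and the `apps/search/local` override is hypothetical; on a real host, point `scan()` at `/opt/splunk/etc`.

```python
import tempfile
from pathlib import Path

# Mail keys worth comparing; auth_password is deliberately never read or printed.
MAIL_KEYS = ("mailserver", "use_ssl", "use_tls", "auth_username")

def email_stanza(path):
    """Return the mail-related keys set in the [email] stanza of one .conf file."""
    found, stanza = {}, None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "email" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in MAIL_KEYS:
                found[key] = value
    return found

def scan(splunk_etc):
    """Map each alert_actions.conf that sets mail keys to those keys."""
    etc = Path(splunk_etc)
    report = {}
    for conf in sorted(etc.rglob("alert_actions.conf")):
        keys = email_stanza(conf)
        if keys:
            report[conf.relative_to(etc).as_posix()] = keys
    return report

def conflicts(report):
    """Keys whose value differs between files, e.g. bare host vs host:port."""
    seen = {}
    for path, keys in report.items():
        for key, value in keys.items():
            seen.setdefault(key, {}).setdefault(value, []).append(path)
    return {k: v for k, v in seen.items() if len(v) > 1}

def build_sample(root):
    """Constructed sample tree; the app-level override is hypothetical."""
    files = {
        "system/local/alert_actions.conf": "[email]\nmailserver = ourmailhost.foo.com:25\nauth_username = splunk\n",
        "apps/search/local/alert_actions.conf": "# app override\n[email]\nmailserver = ourmailhost.foo.com\nuse_tls = 1\n",
        "apps/alert_webhook/default/alert_actions.conf": "[webhook]\nis_custom = 1\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
```

Any key returned by `conflicts()` is a setting where a report and an alert living in different apps could end up talking to the mail server differently.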
thanks anyway for your suggestions
Thanks in advance....
"| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% di utilizzo"=round(used_bytes/quota*100,2) | fields Pool "% di utilizzo" | where '% di utilizzo'>64"
this query is used to fire an alert when license usage goes over 64%. No sendmail command is here.
/opt/splunk/etc/apps/alert_logevent/default/alert_actions.conf
/opt/splunk/etc/apps/alert_webhook/default/alert_actions.conf
/opt/splunk/etc/system/local/alert_actions.conf
/opt/splunk/etc/system/default/alert_actions.conf
Anyway, using btool for system config, all seems to be correct as for the Report......still investigating....