
sendemail stopped working all of a sudden

sylim_splunk
Splunk Employee

Sendemail apparently stopped working, and python.log has the log messages below repeating whenever I test "sendemail" or an email alert is triggered. But then the email appears to be discarded silently. The mail server doesn't have any logs from the SH, which means, according to the email admin, there's no connection attempted from the SH.

Symptoms: no accounts, including admin, are able to send email alerts.

Log message in python.log:

2020-08-05 09:10:42,196 -0700 ERROR     sendemail:1421 - Only absolute URIs are allowed. uri = No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_adm.m.11905a0d206502752431c8c204542692^M
No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_adm.m.11905a0d206502752431c8c204542692^M
<SNIP>
No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_vik.b.69565216b720a1546ffc9ae8d5aa120b^M
No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_wil.p.1294be4f866029819ac22bdc54e1695b^M
No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_xao.c.6f1004219c3b1ceb9a5cee5f5dea227d^M
https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/_new?output_mode=json

 

1 Solution

sylim_splunk
Splunk Employee

The file users.ini is there to map the user account to its directory in $SPLUNK_HOME/etc/users - it is created if the file system is case insensitive, the user account has upper-case characters, or the user account name has characters that are not allowed in a file name. Splunk creates _reserved and users.ini to map the user account to the directory. The file users.ini is dynamically updated over time - whenever users log in to the search heads, the entry gets populated, as well as the user directory under _reserved. But it's not replicated across the SHCluster.

* Why then did it just stop working, with these messages?

Even though its contents change dynamically, it is also tracked by the "File Integrity Checker" by mistake. Ver 8.0.1+ has excluded users.ini from the integrity checker. For versions prior to 8.0.1, the Integrity Checker warns users with "it did not match the system-provided manifest. Review the list of problems reported by the Installed FileHashChecker in splunkd.log..."

It is suspected that users.ini might have been truncated or restored in production, as reportedly some admins decided to truncate the file due to the annoying message from the integrity checker. Then the mismatch between _reserved/userDirectories and the content of users.ini happens.

* Why is this a problem?

Then the symptom of no email alerting happens - Splunk sendemail stops working due to the mismatch in how errors around users.ini are handled between splunkd and the open source lib. As you have already noticed in the log message -

uri = No mapping .... https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/_new?output_mode=json

The error in a library broke the URI that sendemail needs.

* Fix version: 7.3.8+, 8.0.7+

* Workaround before upgrade:

Update the users.ini with the user information in etc/users/_reserved.

1. cd to _reserved and run the script below to create a list of users not found in users.ini.

#!/bin/sh
# Run from $SPLUNK_HOME/etc/users/_reserved: check each user directory
# against ../users.ini and record the ones that have no mapping line.
for i in *
do
  echo "== reserved : $i"
  # take the value after "=" from the users.ini line that names this directory
  user=$( grep -F -- "$i" ../users.ini | cut -d"=" -f 2 )
  if [ -z "$user" ]; then
    echo "$i" >> /tmp/notfound
    echo "NOT FOUND $i"
    continue
  fi
  echo "FOUND $i = $user"
done

2. Based on the not-found users, add them into users.ini.

 

 

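The following is an added example, not code from the original answer or from Splunk, covering both the users.ini mapping described at the start of the answer and step 1 of the workaround. It goes beyond the posted script in two ways: it matches the _reserved directory name against a whole "=" field rather than as a substring, and it also reports the reverse mismatch (users.ini entries that name no directory), which is what you would expect after a directory was removed rather than the file truncated. The "key = value" line layout of users.ini, and the assumption that the directory name (the "safe name") appears as one of those two fields, are assumptions made for this example; the fixture data is constructed, with directory names taken from the question's log lines and made-up account names.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the user
# directories under $SPLUNK_HOME/etc/users/_reserved against users.ini in
# both directions. ASSUMPTION: users.ini holds "key = value" lines and the
# _reserved directory name is one of the two fields.

# Emit every trimmed key and value of the "key = value" lines in users.ini ($1),
# one per line, so callers can do exact (whole-field) matches.
ini_fields() {
    grep -E '^[^#;=]+=' "$1" | awk -F'=' '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
          print $1; print $2 }'
}

# Directory names under _reserved ($1) that no field of users.ini ($2) matches
# exactly. These are the users that will fail the users.ini lookup.
unmapped_dirs() {
    fields=$(ini_fields "$2")
    for path in "$1"/*/; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        printf '%s\n' "$fields" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# users.ini ($2) lines in which neither field names an existing directory
# under _reserved ($1): stale mappings left behind after a directory vanished.
stale_entries() {
    grep -E '^[^#;=]+=' "$2" | while IFS= read -r line; do
        key=$(printf '%s' "$line" | cut -d= -f1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        val=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -d "$1/$key" ] || [ -d "$1/$val" ] || printf '%s\n' "$line"
    done
}

# Build a constructed fixture in a temp directory and print its path:
# three user directories, a users.ini that maps only two of them, plus one
# stale entry. Directory names are taken from the question's log lines;
# the account names on the right-hand side are made up.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/_reserved/pac_adm.m.11905a0d206502752431c8c204542692" \
             "$tmp/_reserved/pac_vik.b.69565216b720a1546ffc9ae8d5aa120b" \
             "$tmp/_reserved/pac_wil.p.1294be4f866029819ac22bdc54e1695b"
    cat > "$tmp/users.ini" <<'EOF'
# constructed users.ini: one directory unmapped, one entry stale
pac_adm.m.11905a0d206502752431c8c204542692 = Pac_Adm.M
pac_wil.p.1294be4f866029819ac22bdc54e1695b = Pac_Wil.P
pac_old.x.0000000000000000000000000000dead = Pac_Old.X
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run: report both kinds of mismatch on the fixture, then clean up.
demo() {
    root=$(make_fixture)
    echo "== directories with no users.ini mapping (would hit 'No mapping for safe name'):"
    unmapped_dirs "$root/_reserved" "$root/users.ini"
    echo "== users.ini entries that name no directory under _reserved:"
    stale_entries "$root/_reserved" "$root/users.ini"
    rm -rf "$root"
}

demo
```

On a real search head, point `unmapped_dirs` and `stale_entries` at `$SPLUNK_HOME/etc/users/_reserved` and `$SPLUNK_HOME/etc/users/users.ini` instead of the fixture; the first list is the input for step 2 of the workaround, and the second tells you whether the file was restored from a copy older than the directory tree.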
