Reporting

Can i use sendemail without SMTP?

DontStopNowBaby
Explorer

Hi all,

Im a new user and I've set SPLUNK to send some email alerts using sendemail from SPLUNK search head directly to a destination server. However i don't have an smtp server setup, nor a smtp relay host.

Is it possible for SPLUNK to send email alerts, without SMTP?

I am currently trying but am receiving a connection error [Errno 110]

I've been testing the sendemail alert using the below :
index="main" | head 1| sendemail to="alert@security.com" server=10.200.300.400:25 subject="test"

10.200.300.400 is the destination server.
in my mail settings, i've set the mail host as 10.200.300.400:25

0 Karma

jkat54
SplunkTrust
SplunkTrust

SMTP is Simple Mail Transport Protocol. It’s the only protocol for sending email. Receiving can happen on POP or IMAP but sending is always SMTP unless you’re in a Novell network or something.

If you do not specify change the default server in the settings, then splunk will use localhost’s sendmail (if on Linux) to send email as the local server. If you do specify a mail server, then it uses the server you give as a mail gateway but requires SMTP to make the connection to the mail gateway.

100.200.300.400 is not a valid IP address. I assume you’re just giving any example, but wanted to mention that.

Run this search to find the errors, and then tell us what error you’re getting.

index=_internal sendmail

So to answer your question, SMTP is required to send any email from any software.

DontStopNowBaby
Explorer

Yeap the IP 100.200.300.400 is just a fake IP i gave as an example.

im running the splunk on linux instance, and have left the mail server as blank.
Do i need to configure anything on splunk to enable sending mail? or would it be enabled by default?
Apologies if the questions seem rather noobish, but i've inherited a splunk setup without prior knowledge.

Running the command index=_internal sendmail you gave showed no errors.
However i'm not sure what the logs are deciphering :

07-31-2018 09:37:34.928 +0800 INFO StreamedSearch - Streamed search search starting: search_id=remote_server_1533001054.153589, server=SearchHead, active_searches=2, search='litsearch ( index=_internal sendmail ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1532912400.000000 lt=1533001054.000000 remove=true max_count=1000 max_prefetch=100', remote_ttl=600, apiStartTime='Mon Jul 30 09:00:00 2018', apiEndTime='Tue Jul 31 09:37:34 2018', savedsearch_name=""
`

By the way is is possible to use the sendemail without SMTP?
Like can i refer the mailhost to the splunk indexer?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The log message you clipped is the result of your own search for index=_internal sendmail. I usually ignore those unless I'm debugging a search problem. Add sourcetype!=splunkd_remote_searches to your query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jkat54
SplunkTrust
SplunkTrust

It defaults to localhost correct
@richgalloway ? I updated my answer as such. Thanks!

0 Karma

DontStopNowBaby
Explorer

I added the sourcetype!=splunkd_remote_searches. But its not showing anything helpful
I'll try to set the mailserver to a SMTP gateway, and test.

0 Karma

jkat54
SplunkTrust
SplunkTrust
mailserver = <host>[:<port>]
* You must have a Simple Mail Transfer Protocol (SMTP) server available
  to send email. This is not included with Splunk.
* Specifies the SMTP mail server to use when sending emails.
* <host> can be either the hostname or the IP address.
* Optionally, specify the SMTP <port> that Splunk should connect to.
* When the "use_ssl" attribute (see below) is set to 1 (true), you
  must specify both <host> and <port>.
  (Example: "example.com:465")
* Defaults to $LOCALHOST:25.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

SMTP is required to send mail from Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...