Hi all,
I'm a new user and I've set SPLUNK to send some email alerts using sendemail from the SPLUNK search head directly to a destination server. However, I don't have an SMTP server set up, nor an SMTP relay host.
Is it possible for SPLUNK to send email alerts, without SMTP?
I am currently trying, but am receiving a connection error [Errno 110].
I've been testing the sendemail alert using the below:
index="main" | head 1| sendemail to="alert@security.com" server=10.200.300.400:25 subject="test"
10.200.300.400 is the destination server.
In my mail settings, I've set the mail host as 10.200.300.400:25.
SMTP is Simple Mail Transport Protocol. It’s the only protocol for sending email. Receiving can happen on POP or IMAP but sending is always SMTP unless you’re in a Novell network or something.
If you do not change the default server in the settings, then Splunk will use localhost's sendmail (if on Linux) to send email as the local server. If you do specify a mail server, then it uses the server you give as a mail gateway, but requires SMTP to make the connection to the mail gateway.
100.200.300.400 is not a valid IP address. I assume you’re just giving any example, but wanted to mention that.
Run this search to find the errors, and then tell us what error you’re getting.
index=_internal sendmail
So to answer your question, SMTP is required to send any email from any software.
Yep, the IP 100.200.300.400 is just a fake IP I gave as an example.
I'm running Splunk on a Linux instance, and have left the mail server blank.
Do I need to configure anything on Splunk to enable sending mail? Or would it be enabled by default?
Apologies if the questions seem rather noobish, but I've inherited a Splunk setup without prior knowledge.
Running the command index=_internal sendmail you gave showed no errors.
However, I'm not sure what the logs are deciphering:
07-31-2018 09:37:34.928 +0800 INFO StreamedSearch - Streamed search search starting: search_id=remote_server_1533001054.153589, server=SearchHead, active_searches=2, search='litsearch ( index=_internal sendmail ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1532912400.000000 lt=1533001054.000000 remove=true max_count=1000 max_prefetch=100', remote_ttl=600, apiStartTime='Mon Jul 30 09:00:00 2018', apiEndTime='Tue Jul 31 09:37:34 2018', savedsearch_name=""
By the way, is it possible to use sendemail without SMTP?
Like, can I refer the mailhost to the Splunk indexer?
The log message you clipped is the result of your own search for index=_internal sendmail. I usually ignore those unless I'm debugging a search problem. Add sourcetype!=splunkd_remote_searches to your query.
It defaults to localhost, correct @richgalloway? I updated my answer as such. Thanks!
I added the sourcetype!=splunkd_remote_searches. But it's not showing anything helpful.
I'll try to set the mailserver to an SMTP gateway, and test.
mailserver = <host>[:<port>]
* You must have a Simple Mail Transfer Protocol (SMTP) server available
to send email. This is not included with Splunk.
* Specifies the SMTP mail server to use when sending emails.
* <host> can be either the hostname or the IP address.
* Optionally, specify the SMTP <port> that Splunk should connect to.
* When the "use_ssl" attribute (see below) is set to 1 (true), you
must specify both <host> and <port>.
(Example: "example.com:465")
* Defaults to $LOCALHOST:25.
SMTP is required to send mail from Splunk.
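An added diagnostic, not code from the thread or from Splunk: it applies the mailserver rules quoted above (empty value means localhost:25, use_ssl needs host and port, and a literal IP must actually be valid, which 10.200.300.400 is not) and then tests whether the resulting host answers with an SMTP banner, reporting the OS error (Errno 110 is ETIMEDOUT on Linux) when it does not. Function names are my own.

```python
import ipaddress
import socket

DEFAULT_PORT = 25  # alert_actions.conf: mailserver defaults to $LOCALHOST:25


def parse_mailserver(setting, use_ssl=False):
    """Parse a mailserver value of the form <host>[:<port>] and return (host, port).

    An empty value falls back to localhost:25, as the spec describes. When use_ssl
    is set the spec requires both host and port, so a bare host is rejected.
    """
    setting = (setting or "").strip()
    if not setting:
        return ("localhost", DEFAULT_PORT)
    if ":" in setting:
        host, _, port_text = setting.rpartition(":")
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"invalid port in mailserver value {setting!r}")
        port = int(port_text)
    else:
        if use_ssl:
            raise ValueError("use_ssl=1 requires both <host> and <port>")
        host, port = setting, DEFAULT_PORT
    if not host:
        raise ValueError(f"missing host in mailserver value {setting!r}")
    # A dotted-digit host must be a real IPv4 literal; 10.200.300.400 has an
    # octet above 255 and can never be reached, so fail early instead of timing out.
    if host.replace(".", "").isdigit():
        ipaddress.ip_address(host)  # raises ValueError when malformed
    return (host, port)


def check_smtp_reachable(host, port, timeout=5.0):
    """Open a TCP connection and read the greeting. Returns (ok, detail).

    ok is True only when the peer sends an SMTP 220 banner; otherwise detail
    carries the banner or the socket error (e.g. 'TimeoutError: [Errno 110] ...').
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(512).decode("ascii", "replace").strip()
        return (banner.startswith("220"), banner or "no banner received")
    except (OSError, UnicodeError) as exc:
        return (False, f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    host, port = parse_mailserver("smtp.example.com:25")  # constructed example value
    print(check_smtp_reachable(host, port))
```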