Problem with sending email

CI2az
New Member

ERROR SMTP AUTH extension

I am trying to change the email extension Splunk uses to authenticate to an Exchange server.

For example: Splunk uses something like splunk@server1

The domain of the From: address must be in DNS; mail with a From: address like root@192.168.1.1 or root@server1 will not work.

I need to have the extension resolve to a domain.com address. Been trying to look through the code to identify where the input of information is located, but am not quite sure.

We plan on using this in a large environment, but it must work and send out email alerts beforehand using the environment we currently have in place.

Regards,

0 Karma

adamw
Communicator

In $SPLUNK_HOME/etc/system/local/alert_actions.conf, you can configure the from address to be anything you want:

[email]
from = splunk@domain.com

You can also set this value in Manager->System Settings->Email Alert Settings.

Thanks,
--adam

0 Karma

adamw
Communicator

We don't use SMTP auth in our environment, so I can't speak to the specifics regarding that, but I can say that we use an FQDN (splunk@mydomain.com) here, and it works without issue.

It does look like some have had success configuring the email server stuff in the actual search query itself, but I'm not sure if that helps...

http://splunk-base.splunk.com/answers/38624/how-to-configure-email-alert-using-gmail-smtp

0 Karma

CI2az
New Member

Adam,
I do appreciate the thought of placing this information in the Email Alert Settings of the GUI, but understand, I HAVE done this, and this is NOT the problem.

Also, your first suggestion seems more likely to apply to my problem, and has been attempted. The one thing I am concerned with is the comment contained within the code,

[email]
"from email address (name only, host will be appended automatically from mailserver)"

It specifically states to use the NAME to auth ONLY. Even so, I have tried both, but still have the same problem with how Splunk tries to auth with the server.

0 Karma

yannK
Splunk Employee

The email server configuration is in
$SPLUNK_HOME/etc/system/local/alert_actions.conf

See http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Alertactionsconf

I never tested that, but if the UI complains about the format or the server, you can try to add the server in it directly.

CI2az
New Member

I located this by reading the code a bit. It does seem to be the right area to modify, but when changes are completed, it still uses the other format. I am still looking around for wherever else it's calling this information, but haven't been too successful yet.

Any other thoughts?

0 Karma
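
A check for the setting discussed in this thread, as an added example that is not part of any post and is not Splunk's own code: it reads the [email] stanza, works out the From: address that would result, and classifies its domain the way the original question does (IP literal, bare host name, or dotted domain). It assumes, from the quoted comment, that a name-only value gets the mail server host appended; the fallback values, the function names and the sample file are constructed for illustration, and the check is syntactic only (no DNS lookup).

```python
import ipaddress

# Constructed sample of $SPLUNK_HOME/etc/system/local/alert_actions.conf
SAMPLE_CONF = """\
# local overrides
[email]
mailserver = server1:25
from = splunk
"""

def read_stanza(conf_text, stanza):
    """Return the key/value pairs of one stanza from .conf-style text."""
    current, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def effective_from(settings):
    """Assumption: a name-only 'from' gets the mail server host appended."""
    sender = settings.get("from", "splunk")            # assumed fallback value
    if "@" in sender:
        return sender
    host = settings.get("mailserver", "localhost")     # assumed fallback value
    return f"{sender}@{host.rsplit(':', 1)[0]}"        # drop an optional :port

def classify_domain(address):
    """Label the domain part as ip-literal, single-label or fqdn-shaped."""
    domain = address.rsplit("@", 1)[1].strip("[]")
    try:
        ipaddress.ip_address(domain)
        return "ip-literal"
    except ValueError:
        pass
    return "fqdn-shaped" if "." in domain.strip(".") else "single-label"

def check(conf_text):
    """Return (effective From: address, domain classification)."""
    address = effective_from(read_stanza(conf_text, "email"))
    return address, classify_domain(address)

if __name__ == "__main__":
    print(check(SAMPLE_CONF))
```

Only a result of "fqdn-shaped" is a candidate for a mail server that requires the From: domain to be in DNS; whether the domain actually resolves still has to be confirmed against that server's resolver.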