
Sendemail command only works with capability 'admin_all_objects'

apietersen
Path Finder

Hi,

Since some version (now using 8.1.2) I have had trouble using the 'sendemail' command in a search (dashboard/form) for users that have the standard user roles. This issue has been troubling me for almost 1.5 years now. Of course I am aware of the need to select 'list_settings', but that never had any result. Selecting 'admin_all_objects' in the standard user role is successful.

But using 'admin_all_objects' for a standard user is nothing but a security breach. That cannot be the solution, so what do I miss here?

And why does Splunk not create a special and straightforward capability for this 'sendemail' command?

Ashley Pietersen


apietersen
Path Finder

This issue was reported by support to be solved in v8.1.3. Unfortunately this issue is still there in v8.1.3.


apietersen
Path Finder

Hi Ashley,

Message from Splunk Support:

.. According to the engineering department, the fix will be released in Splunk 8.1.3. Let me know if it worked for you...

Regards


apietersen
Path Finder

Hi,

It seems to be an issue with a long history in the known issues, even from version 6.6, so I understand. What should I do next? Any tips?


apietersen
Path Finder

Update from support:

-==-=-=-=-
I hope you are doing well. I was reviewing the known issues list and I found the issue number SPL-138647. See the link below for more information: https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues

Let me know if it worked for you.

-==-==-==-

What I did:

On our non-production instance/machine (rather a fresh installation), I did:

  • Changed my "alert_action.conf" file to this (see below), as explained in the document, which is less secure as I understand from that document; named: Workaround
  • Removed the "Admin_All_Objects" capability from the Test user role
  • No success ☹

[email]
# key names in this stanza are lower-case; the password line was posted as "Auth_password"
auth_password = xx
auth_username = xx
from = xx
mailserver = smtp.office365.com:587
sslVersions = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Unfortunately, no success.

apietersen
Path Finder

Thanks maraman_splunk, 

Unfortunately Splunk support does not respond! They advised me earlier to select 'admin_all_objects' to use the command anyway, because I really need sendemail for some customers. Since v8.0 the other alternative was the option 'sendresults', but that was also not working anymore. I hoped this would be solved in the next version, but after 8.1.2 I am still struggling with this issue and have had my 'door wide open' since because of this.

maraman_splunk
Splunk Employee

Hi,

It is a known issue that affects some versions and should be fixed as of now.

see https://docs.splunk.com/Documentation/Splunk/7.3.7/ReleaseNotes/Fixedissues#Splunk_Enterprise_7.3.7....

8.1.2 should have the fix, I think.

If not the case, please open a support case and have the support investigate with you.


apietersen
Path Finder

Last update Wednesday from Splunk support:

"... just want to give you an update about the case, we are still working to find a solution, I engaged additional support to assist us with the issue, as soon as we have more information we will let you know. Please feel free to contact us if you have any questions."

Keep you posted...


apietersen
Path Finder

Update from Splunk support:

-=-=-=-=
I hope you are doing well. I was reviewing the known issues list and I found the issue number SPL-138647. See the link below for more information.

https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues

Let me know if it worked for you.

-=-=-=-=

Unfortunately, no success yet.

apietersen
Path Finder

Just installed a completely fresh Splunk instance v8.1.2 from scratch on W2019, no adjustments made. Only configured the SMTP server setting. Tested it with the admin account: sendemail works (but this has 'admin_all_objects' as a default capability).

Created a test account with the standard user role (defaults, without the 'admin_all_objects' capability). Sendemail does not work, without any visible error, although the search itself results in a timestamp.

Search used in Search & Reporting:

| makeresults
| sendemail to="x.yyyy@aaaaa.bb" from="y.yxxxx@bbbbb.aa"
    subject="test-message" sendresults=false inline=true format=raw content_type=html

Results in python.log:

Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1593, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 376, in sendEmail
    if ssContent['action.email.sendresults'] or ssContent['action.email.sendpdf'] or ssContent['action.email.sendcsv']:
KeyError: 'action.email.sendpdf'
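The traceback in the post above shows the email action indexing a saved-search settings dictionary that is missing 'action.email.sendpdf' for the restricted user, so the failure is a permissions-dependent lookup, not an SMTP problem. The following is an added illustration of that failure mode beside a defensive lookup; it is not Splunk's sendemail.py. The key names come from the traceback; the `_truthy` normalisation and the two sample dictionaries are assumptions constructed for the example.

```python
# Illustration of the KeyError seen in python.log: the settings dictionary a
# restricted user receives is incomplete, and direct indexing crashes on it.
# Hypothetical reconstruction, not Splunk's own sendemail.py.

ATTACHMENT_KEYS = (
    'action.email.sendresults',
    'action.email.sendpdf',
    'action.email.sendcsv',
)


def _truthy(value):
    """Interpret a Splunk-style conf value ('1', 'true', 'yes', ...) as bool (assumed)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ('1', 'true', 't', 'yes', 'y')


def wants_attachment_fragile(ss_content):
    """Pattern from the traceback: raises KeyError when any key is absent."""
    return (_truthy(ss_content['action.email.sendresults'])
            or _truthy(ss_content['action.email.sendpdf'])
            or _truthy(ss_content['action.email.sendcsv']))


def wants_attachment(ss_content):
    """Hardened version: an absent key means the option is off, never a crash."""
    return any(_truthy(ss_content.get(key, '0')) for key in ATTACHMENT_KEYS)


# Constructed samples: what an admin-level user sees vs. what a user without
# rights to read the saved-search settings sees (only the search-time argument).
ADMIN_CONTENT = {
    'action.email.sendresults': '0',
    'action.email.sendpdf': '0',
    'action.email.sendcsv': '1',
}
RESTRICTED_CONTENT = {
    'action.email.sendresults': '0',   # sendresults=false from the search itself
}


def demo():
    """Return (fragile outcome on restricted dict, hardened admin result, hardened restricted result)."""
    try:
        wants_attachment_fragile(RESTRICTED_CONTENT)
        fragile = 'no error'
    except KeyError as err:
        fragile = 'KeyError: %s' % err
    return fragile, wants_attachment(ADMIN_CONTENT), wants_attachment(RESTRICTED_CONTENT)


if __name__ == '__main__':
    print(demo())
```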