Non-admin user with list_settings capability failed to send alert email when mail server uses SMTP auth.

daniel_splunk
Splunk Employee

I have defined a new non-admin user and already added the list_settings capability as instructed by the Splunk document here.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/Emailnotification

But it still failed to send the alert when the mail server is using SMTP auth.

Here is the python.log

2018-09-17 15:21:51,268 +0800 DEBUG ssl_context:444 - createSSLContext sslVersions [16] commonNameList [None] altNameList [None] validatePeerCert [0] rootCAPath [None] isClientContext [True] cipherSuite [ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256]
2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. subject="Splunk testing", results_link="None", recipients="[u'user1@abc.com.hk']", server="172.21.184.4"

2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - {u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} while sending mail to: user1@abc.com.hk
0 Karma

leeraym
Path Finder

@daniel_splunk  Is there no other way to allow non-admin users to send alert emails when SMTP authentication is required?  Are there any other capabilities from the "admin" role that I can assign to the "user" role in order to allow regular users to send email?

I just upgraded from Splunk Enterprise 7.3.3 to 8.05, and one of my non-admin users said that his saved alerts used to be able to send him emails when we were on 7.3.3.  Nothing has changed with his Splunk role or the SMTP authentication requirement between our pre- and post-Splunk upgrade.

0 Karma

daniel_splunk
Splunk Employee

If your email account is SMTP auth enabled, you need to have the admin role in order to read the email auth details such as the password.

0 Karma

kscher
Path Finder

So, if I understand how sendemail works when SMTP auth is required, a user needs the "admin_all_objects" capability in order to read auth_username and auth_password from alert_actions.

This means regular users can't send email, as the credentials get passed to the SMTP server with null values. These users generally see something like this:

command="sendemail", Connection unexpectedly closed while sending mail to: somebody@something.com.

Is this a feature or a bug? 

 

0 Karma

scorrie_splunk
Splunk Employee

In my testing, you only needed to have the "list_settings" capability with a "user" role in order for this to work. (Using Splunk Cloud 7.2.9).

See this link: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/Emailnotification

This section: "Define an email notification for an alert or scheduled report"

0 Karma

daniel_splunk
Splunk Employee

You need to have the admin role together with the list_settings capability in order to send alert email when SMTP auth is used.
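
Added example, not part of any post in this thread and not Splunk's own code: a small triage script that scans python.log text for the two failure symptoms quoted above (the 530 "SMTP authentication is required" reply and "Connection unexpectedly closed") and lists the affected recipients. The sample log is constructed from the lines in this thread, the function name `triage` and the finding labels are hypothetical, and reading `validatePeerCert [0]` as "server certificate not validated" is an assumption.

```python
import re

# Constructed sample: python.log lines modelled on the ones quoted in this thread.
# The last line is a constructed python.log form of the second symptom.
SAMPLE_LOG = """\
2018-09-17 15:21:51,268 +0800 DEBUG ssl_context:444 - createSSLContext sslVersions [16] validatePeerCert [0] rootCAPath [None] isClientContext [True]
2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. subject="Splunk testing", results_link="None", recipients="[u'user1@abc.com.hk']", server="172.21.184.4"
2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - {u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} while sending mail to: user1@abc.com.hk
2018-09-17 15:25:02,101 +0800 ERROR sendemail:452 - Connection unexpectedly closed while sending mail to: somebody@something.com
"""

# timestamp, level, source module:line, message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<src>\w+):\d+ - (?P<msg>.*)$"
)
SMTP_REPLY = re.compile(r"\((?P<code>\d{3}), '(?P<text>[^']*)'\)")
RECIPIENT = re.compile(r"while sending mail to: (?P<rcpt>\S+)")


def triage(log_text):
    """Return (timestamp, finding, recipient) tuples for sendemail problems."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        # Assumption: validatePeerCert [0] means the SMTP server certificate is
        # not checked, which matters once credentials are sent over that session.
        if m["src"] == "ssl_context" and "validatePeerCert [0]" in msg:
            findings.append((m["ts"], "tls_peer_cert_not_validated", None))
        if m["src"] != "sendemail" or m["level"] != "ERROR":
            continue
        rcpt = RECIPIENT.search(msg)
        if not rcpt:
            continue  # e.g. the "Sending email." line, which reports no failure
        reply = SMTP_REPLY.search(msg)
        if reply and reply["code"] == "530":
            kind = "smtp_auth_required"  # no usable credentials were presented
        elif "Connection unexpectedly closed" in msg:
            kind = "connection_closed"
        else:
            kind = "other_send_failure"
        findings.append((m["ts"], kind, rcpt["rcpt"].rstrip(".")))
    return findings
```

Grouping the `smtp_auth_required` and `connection_closed` findings by the owner of the alert shows whether the failures line up with roles that cannot read the SMTP credentials.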
