×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
mattwh
Engager
Member since: ‎05-28-2014
‎06-05-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 2
Karma Received 6
Member Since ‎05-28-2014
Activity Feed
View All

Splunk Add-on for Amazon Web Services: Why am I ge...

by in All Apps and Add-ons
‎04-28-2015 10:43 AM
‎04-28-2015 10:43 AM
Hi, I'm hoping this issue is a simple oversight on my part. I've gotten the Splunk Add-on for Amazon Web Services configured and I'm now trying to set up my first cloudtrail input. I go through all the selection boxes and the app populates the list of SQS queues in each region fine, but when I go to click Next, it throws the following error: Encountered the following error while trying to save: In handler 'aws_cloudtrail': Invalid SQS Queue Name: myQueue I checked the logs and the only entry is in splunkd.log: 04-28-2015 17:18:52.219 +0000 WARN ModularInputs - Validation for scheme=aws_cloudtrail failed: Invalid SQS Queue Name: myQueue 04-28-2015 17:18:52.219 +0000 INFO ModularInputs - Invalid SQS Queue Name: myQueue What's confusing me is that the Add-on is the one pulling the info from SQS, so there shouldn't be an issue regarding the name. I've double checked all the SQS permissions mentioned in the documentation and they're all there. Any ideas? ... View more

Re: sendemail does not issue STARTTLS properly wit...

by in Reporting
‎02-04-2015 03:53 PM
4 Karma
‎02-04-2015 03:53 PM
4 Karma
EDIT: This only appears to work with in-line email commands, Alert e-mails still do not seem to work with this fix. Alright folks, here's what I did to fix this. Remember I'm using AWS as my SMTP server so things might not be the same for you. First the STARTTLS issue. It appears that Splunk is not properly reading or setting the variable from the config file, and thus is failing to trip an if startment. You'll need to edit ${SPLUNKHOME}/etc/apps/search/bin/sendemail.py. Our problems is the following bit of code: if use_tls: smtp.starttls() All that's needed is to change the variable at the beginning of the function, like so: #use_tls = normalizeBoolean(ssContent.get('action.email.use_tls', False)) use_tls = normalizeBoolean(ssContent.get('action.email.use_tls', True)) With that done, TLS should be functional. However I ran into a second error: command="sendemail", (554, "Transaction failed: User name is missing: 'splunk'.") while sending mail to: [email protected] This is basically is AWS telling me the From address is not on the verified senders list. I knew the senders address in the config file was verified, so after some more digging I found the final piece to the puzzle: def buildHeaders(argvals, ssContent, email, sid, serverInfoContent): sender = ssContent.get("action.email.from", "splunk") Find that chunk of code and replace "splunk" with your actual from address and you should be good to go! Example for extra clarification: def buildHeaders(argvals, ssContent, email, sid, serverInfoContent): sender = ssContent.get("action.email.from", "[email protected]") I hope this helps! ... View more

sendemail does not issue STARTTLS properly with th...

by in Reporting
‎02-03-2015 10:29 AM
2 Karma
‎02-03-2015 10:29 AM
2 Karma
Hi Splunk, My company recently purchased the enterprise edition after using free for year or two, and so I've been digging into the various features unlocked to us. Currently I've been working with alerting and trying to configure Splunk to send e-mails, however I've run into some issues. To start, I'm using the command below to test the e-mail configuration: index=main | head 5 | sendemail [email protected] server="email-smtp.us-west-2.amazonaws.com:587" subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true I was originally trying to use alerts to test, however the error reporting with that method is abysmal, as it only ever gave me a 'ERROR:root:[Errno 111] Connection refused while sending mail' in the splunkd.log. By using the command mentioned above, I was finally able to get a better error message: 'command="sendemail", (530, 'Must issue a STARTTLS command first') while sending mail to:' This is the ${SPLUNKHOME}/etc/system/local/alert_actions.conf [email] auth_password = PASSHERE auth_username = USERHERE from = [email protected] mailserver = email-smtp.us-west-2.amazonaws.com:587 use_tls = 1 use_ssl = 0 hostname = 127.0.0.1 I've tried switching it over to SSL and using port 443 but it generates the same error. Is this something I can specify in the search string, or will I need to mess around with the python script? Also, the e-mail settings page in the Splunk web GUI will clear out the SMTP password every time you save, unless one is entered. This means every time I make a change to the config using the GUI, I need to enter the password. I don't know if this is the intended functionality, just thought I'd give you guys a heads up. EDIT: Thank you for the code block, and I forgot to mention we're on the latest version of Splunk, 6.2.1. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All