Splunk Enterprise

Allow Usergroups to send Email

florianhh
Explorer

Hello Splunkys 

I face some challenges right now.

We run a Splunk installation with about 50 active users with 10 different roles.

Now we need to allow them to send themselves alert messages via email.

First problem:

According to the docs it's not possible to send an email if you're not an admin and the SMTP server needs authentication.

Second problem:

You cannot set up per-role or per-user sender info, only system-wide via the GUI.

I found out that you can supply username= and password= parameters via SPL search, but this does not apply to alerts. And the creds then show up in plaintext in the logs.

I found that you can supply creds via the alert_action.conf file per app. But then the creds would show up in the git repo where we version our apps.

 

Some .conf files honor ENV variables, but I did not find out whether alert_action.conf does so?

And then they would still be accessible via the CLI.

Can it be so hard for Splunk to implement something so basic as per-user email sending?

Has somebody achieved something similar?

PickleRick
Champion

Yes, it is hard to implement it in a way that would not be easily abusable (intentionally or not).

Unfortunately, due to its history SMTP has many built-in insecurities that allow easy abuse of the email-sending functionality if you're not careful enough. And it's usually not a good idea to allow your users to send email freely, especially using any server they want.

florianhh
Explorer

You're absolutely right about that.

BUT I'm really surprised that Splunk, which is an expensive piece of software used only by security and admin staff, hasn't figured this out by now.

PickleRick
Champion

And here's where you're absolutely wrong 🙂

Firstly, the console is used very often not just by admins and security (Splunk can and often does ingest and analyze many types of data - for example, I'm using it to track my car using GPS data :D).

Secondly - there is a legitimate way to send the emails - the proper alert action. And it's more or less the only way you really should need (and I'm not saying it as a Splunk user or admin but as an email server administrator with 20+ years of experience).

And if you really, really need the functionality of sending any email to any recipient through any server, you can always write your own alert action script. But I would strongly advise against it.
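For readers who do go down the custom alert action route, here is an added example (not code from the thread, from Splunk, or from either poster) of the shape such a script takes while avoiding the two problems raised above: the SMTP password is neither placed in alert_actions.conf (the file the first post calls alert_action.conf, and which would land in git) nor passed as a search argument that ends up in logs. Instead an admin stores it once in Splunk's password storage (the REST endpoint /servicesNS/nobody/<app>/storage/passwords), and the script fetches it at run time with the session key that splunkd hands to every custom alert action in the JSON payload on stdin when invoked with --execute. Recipients are restricted to an allowlisted domain to address the open-relay concern PickleRick describes. Everything named below that is not on the page is an assumption: the action name relay_mail, its parameters recipients and subject, the relay host mail.example.com, the sender address, the credential realm and username, and the constructed sample payload.

```python
#!/usr/bin/env python3
"""Custom alert action skeleton that emails an alert without keeping the SMTP
password in alert_actions.conf or in the search string.

Added example, not Splunk's code. Assumptions (hypothetical, not from the
thread): the action is called 'relay_mail' and declares the parameters
'recipients' and 'subject'; relay host, port and sender are fixed below; an
admin stored the relay password in Splunk's storage/passwords under realm
'relay_mail' for user 'splunk-alerts'; splunkd's TLS certificate is trusted
by the Python process that runs the action.
"""
import json
import smtplib
import ssl
import sys
import urllib.request
from email.message import EmailMessage

SMTP_HOST, SMTP_PORT = "mail.example.com", 587        # assumed relay
SENDER = "splunk-alerts@example.com"                   # assumed fixed From:
CRED_REALM, CRED_USER = "relay_mail", "splunk-alerts"  # assumed storage entry
ALLOWED_DOMAINS = frozenset({"example.com"})           # assumed recipient policy
SPLUNKD = "https://127.0.0.1:8089"                     # default management port


def allowed_recipients(raw, allowed=ALLOWED_DOMAINS):
    """Split a comma-separated recipient list and keep only addresses whose
    domain is on the allowlist, so a saved search cannot turn the action into
    an open mailer. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for addr in (a.strip() for a in raw.split(",") if a.strip()):
        domain = addr.rpartition("@")[2].lower()
        ok = "@" in addr and domain in allowed
        (accepted if ok else rejected).append(addr)
    return accepted, rejected


def build_message(payload, sender=SENDER):
    """Build the email from the JSON splunkd writes to stdin on --execute."""
    cfg = payload["configuration"]
    to, dropped = allowed_recipients(cfg.get("recipients", ""))
    if not to:
        raise ValueError(f"no allowed recipients (rejected: {dropped})")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Subject"] = cfg.get("subject") or f"Splunk alert: {payload['search_name']}"
    lines = [f"Alert: {payload['search_name']} (owner {payload['owner']}, app {payload['app']})",
             f"Results: {payload.get('results_link', '')}", "", "First result:"]
    lines += [f"  {k} = {v}" for k, v in sorted(payload.get("result", {}).items())]
    msg.set_content("\n".join(lines))
    return msg


def password_from_storage(body, realm=CRED_REALM, username=CRED_USER):
    """Pick clear_password for realm/username out of a storage/passwords
    JSON listing (output_mode=json)."""
    for entry in json.loads(body)["entry"]:
        content = entry["content"]
        if content.get("realm") == realm and content.get("username") == username:
            return content["clear_password"]
    raise LookupError(f"no credential {realm}:{username} in storage/passwords")


def fetch_password(session_key, app, splunkd=SPLUNKD):
    """GET the app's password storage using the alert's own session key; the
    role running the search needs read access to that storage entry."""
    url = f"{splunkd}/servicesNS/nobody/{app}/storage/passwords?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    ctx = ssl.create_default_context()  # assumes splunkd's cert chain is trusted
    with urllib.request.urlopen(req, context=ctx) as resp:
        return password_from_storage(resp.read().decode())


def send(payload):
    """Fetch the credential and deliver over STARTTLS; the password is never
    written to a .conf file, a search string, or a log line."""
    msg = build_message(payload)
    password = fetch_password(payload["session_key"], payload["app"])
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(CRED_USER, password)
        smtp.send_message(msg)


# Constructed payload in the shape splunkd passes to --execute; used only for
# the offline demo below. One recipient is deliberately off-domain.
SAMPLE_PAYLOAD = {
    "session_key": "REDACTED", "sid": "scheduler__nobody__search__demo_at_1700000000_1",
    "search_name": "Failed logins spike", "owner": "analyst1", "app": "search",
    "results_link": "https://splunk.example.com/app/search/@go?sid=demo",
    "configuration": {"recipients": "soc@example.com, outsider@evil.net",
                      "subject": "Failed logins spike"},
    "result": {"user": "svc_backup", "count": "57", "src": "10.0.0.5"},
}

if __name__ == "__main__":
    if sys.argv[1:] == ["--execute"]:
        send(json.load(sys.stdin))       # how splunkd invokes the action
    else:
        print(build_message(SAMPLE_PAYLOAD))  # offline demo, nothing is sent
```

Run without arguments it only prints the message it would have sent; splunkd invokes it with --execute and the payload on stdin. The design point is the split of duties: the admin who can write to storage/passwords sets the credential once, the alert owner never sees it, and the script never logs it.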