Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

How to deploy the Splunk App for Microsoft Exchange

This topic details the deployment procedure for the Splunk App for Microsoft Exchange.

There are two main steps to installing the Splunk App for Microsoft Exchange:

  • First, you install and configure universal forwarders and technology add-ons on your Exchange servers.
  • Finally, you configure the Splunk App for Microsoft Exchange on your central Splunk instance to receive and search the data.

To deploy the Splunk App for Microsoft Exchange into your environment, perform the following steps:

Install and configure universal forwarders on your Exchange servers

1. Install a universal forwarder on each Exchange server in your environment.

2. Review, and if needed, edit the configurations of the Splunk App for Microsoft Exchange technology add-ons (TAs) that must be installed on the universal forwarders running on each Exchange server included in your deployment.

Note: The TAs are located in Splunk_for_Exchange\appserver\addons. Review the configuration files within each TA to ensure that it is sending data to the proper index(es) on the central Splunk instance. If you need to make changes, then follow the instructions in "Make configuration changes to match your existing environment".

3. Install or deploy the appropriate TA(s) for each Exchange server role into the universal forwarders on each Exchange server. The table below shows you which TAs should be installed onto each Exchange server in your environment.

| If your Exchange server runs: | and it holds this Exchange role: | then install or deploy these TA(s): |
|---|---|---|
| Exchange 2007 | Client Access Server | TA-Exchange-2007-CAS, TA-Windows-2003-Exchange-IIS |
| Exchange 2007 | Edge Transport | TA-Exchange-2007-HubTransport |
| Exchange 2007 | Forefront Protection Services | TA-Forefront-Security-for-Exchange |
| Exchange 2007 | Hub Transport | TA-Exchange-2007-HubTransport |
| Exchange 2007 | Mailbox Server | TA-Exchange-2007-MailboxStore |
| Exchange 2010 | Client Access Server | TA-Exchange-2010-CAS, TA-Windows-2008R2-Exchange-IIS |
| Exchange 2010 | Edge Transport | TA-Exchange-2010-HubTransport |
| Exchange 2010 | Forefront Protection Services | TA-Forefront-Security-for-Exchange |
| Exchange 2010 | Hub Transport | TA-Exchange-2010-HubTransport |
| Exchange 2010 | Mailbox Server | TA-Exchange-2010-MailboxStore |

Important:

  • If you use a Splunk deployment server to deploy the app, then copy the TA folders into %SPLUNK_HOME%\etc\deployment-apps on your deployment server.
  • If you do not have a deployment server, or do not want to use one to deploy the app, then you must manually copy the TA(s) to %SPLUNK_HOME%\etc\apps on each Exchange server from which you want to get Exchange logs. See the table above for which TAs belong on which servers.

4. Next, deploy the TA-SMTP-Reputation TA on a full Splunk instance (heavy forwarder) that has an outbound Internet connection.

Important: Be sure to edit the reputation.conf file within the TA so that it contains the IP addresses of all of your outbound mail servers.

5. Confirm that all of the Exchange servers that you want to include in the deployment are logging to their usual places, in their usual formats. If they are not, review "Where and how the Splunk App for Microsoft Exchange expects to find your logs" in this manual for instructions on configuring the app to account for the changes in logging locations.
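
The review in step 2 can be scripted. The following is an added example, not part of the Splunk documentation or the app: it lists the index that each input stanza in each TA resolves to, so a stanza pointing at the wrong index (or at none) is caught before the TA is deployed. It assumes the TAs set their index in default\inputs.conf or local\inputs.conf, reads only the TA's own files (not system-level or other apps' settings), and uses a placeholder index name.

```powershell
# Added example (PowerShell 3.0+). Reports the index each TA input stanza writes to.
param(
    # Path from the note in step 2, relative to where the app package is unpacked (assumption).
    [string]$AddonsDir = '.\Splunk_for_Exchange\appserver\addons',
    # Placeholder: replace with the index name(s) your central instance expects.
    [string[]]$ExpectedIndexes = @('YOUR_EXCHANGE_INDEX')
)

function Read-SplunkConf([string]$Path) {
    # Parse a .conf file into an ordered map of stanza name -> settings hashtable.
    $conf = [ordered]@{}
    $stanza = 'default'                        # settings above the first header are global
    if (-not (Test-Path -LiteralPath $Path)) { return $conf }
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $stanza = $Matches[1] }
        if (-not $conf.Contains($stanza)) { $conf[$stanza] = @{} }
        if ($line -match '^([^=\[]+?)\s*=\s*(.*)$') { $conf[$stanza][$Matches[1].Trim()] = $Matches[2] }
    }
    return $conf
}

foreach ($ta in Get-ChildItem -LiteralPath $AddonsDir -Directory) {
    $merged = [ordered]@{}
    foreach ($layer in 'default', 'local') {   # local\ settings override default\
        $conf = Read-SplunkConf (Join-Path $ta.FullName "$layer\inputs.conf")
        foreach ($name in $conf.Keys) {
            if (-not $merged.Contains($name)) { $merged[$name] = @{} }
            foreach ($key in $conf[$name].Keys) { $merged[$name][$key] = $conf[$name][$key] }
        }
    }
    # A stanza with no index of its own inherits the one in [default]; with neither
    # set, events go to the instance's default index rather than the app's index.
    $inherited = $null
    if ($merged.Contains('default')) { $inherited = $merged['default']['index'] }
    foreach ($name in $merged.Keys) {
        if ($name -eq 'default') { continue }
        $index = $merged[$name]['index']
        if (-not $index) { $index = $inherited }
        if (-not $index) { $index = '(unset)' }
        [pscustomobject]@{
            TA = $ta.Name; Stanza = $name; Index = $index
            Expected = $ExpectedIndexes -contains $index
        }
    }
}
```

Rows with Expected set to False are the stanzas to correct before copying the TA to deployment-apps or etc\apps.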

Install and configure the central Splunk instance

1. Install a full copy of Splunk or designate an existing installation as your "central" Splunk instance.

Note: If you're using an existing installation, be sure to review "Other deployment considerations" in this manual and make any configuration changes to the Splunk App for Microsoft Exchange before proceeding.

2. Download the Splunk App for Microsoft Exchange package.

3. Install the Splunk App for Microsoft Exchange onto your central Splunk instance.

4. Download and install Sideview Utils 1.2.5 or later on the central Splunk instance.

5. Download and install Google Maps 1.1 or later on the central Splunk instance.

6. Download and install a copy of the Splunk universal forwarder on each of the Exchange server hosts.

7. Restart your central Splunk instance to ensure that all changes take effect.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.

Last modified on 22 August, 2012

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6

