Deploy and Use the Splunk App for Microsoft Exchange

 


Additional tasks for the Exchange server roles

This documentation does not apply to the most recent version of MSExchange.

This topic discusses additional steps that you should complete on the Exchange servers in your network in order to prepare the Splunk for Exchange app for complete Exchange data analysis. Some of these steps may already be completed. This is a checklist to ensure that the Splunk for Exchange app gets the data it needs.

Additional tasks for servers running any Exchange server role

Adjust the settings for the PowerShell Event log

The Splunk App for Microsoft Exchange makes extensive use of PowerShell to gather information about Exchange services. Although not strictly required, we recommend you adjust the settings for the PowerShell Event log as follows:

  1. Open Event Viewer.
  2. Right-click on PowerShell Log and select Properties.
  3. Set the maximum size to 10,240 KB.
  4. Under Log size -> When maximum log size is reached, set Overwrite events as needed.
  5. Click OK.
  6. Right-click on the Windows PowerShell Log and select Properties.
  7. Under Log size -> When maximum log size is reached, set Overwrite events as needed.
  8. Click OK.

If you need long-term storage of the logs, we recommend that you index the PowerShell log in Splunk.
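The Event Viewer steps above can also be scripted, which helps when many Exchange servers need the same log settings and you want to confirm the result. The following is an added example, not part of the original Splunk documentation; the function name `Set-PSLogPolicy` is hypothetical, and the log names `PowerShell` and `Windows PowerShell` are assumed to match what Event Viewer shows on your servers.

```powershell
# Added example: scripted equivalent of the Event Viewer steps.
# Run in an elevated Windows PowerShell session on each Exchange server.
# Assumption: these log names match the names shown in Event Viewer.
$targets = @(
    @{ Name = 'PowerShell';         MaxSizeKB = 10240 },  # steps 2-5: size and overflow policy
    @{ Name = 'Windows PowerShell'; MaxSizeKB = $null }   # steps 6-8: overflow policy only
)

function Set-PSLogPolicy {
    param([hashtable[]]$Targets)

    $existing = Get-EventLog -List
    foreach ($t in $Targets) {
        # Skip logs that are not present on this server instead of failing.
        $log = $existing | Where-Object { $_.Log -eq $t.Name }
        if (-not $log) {
            Write-Warning "Log '$($t.Name)' not found on $env:COMPUTERNAME; skipping."
            continue
        }

        # "Overwrite events as needed" corresponds to OverwriteAsNeeded.
        $params = @{ LogName = $t.Name; OverflowAction = 'OverwriteAsNeeded' }
        if ($t.MaxSizeKB) {
            # Limit-EventLog expects the size in bytes.
            $params.MaximumSize = $t.MaxSizeKB * 1KB
        }
        Limit-EventLog @params
    }

    # Re-read the settings so the applied values can be checked.
    $names = $Targets | ForEach-Object { $_.Name }
    Get-EventLog -List |
        Where-Object { $names -contains $_.Log } |
        Select-Object Log, MaximumKilobytes, OverflowAction
}

Set-PSLogPolicy -Targets $targets | Format-Table -AutoSize
```

With overwrite-as-needed in effect, older PowerShell events are discarded once the log fills, so the verification output is worth reviewing alongside your Splunk indexing of the same log.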

Additional tasks for servers running the Hub and Edge Transport roles

  1. Turn on Message Tracking from within Exchange System Manager.
  2. If you have installed Microsoft Forefront Security Suite for Exchange 2007 or Exchange 2010, also deploy the TA-Forefront-Security-for-Exchange add-on.
  3. If you have moved the message tracking logs, ensure you also update the data input to reflect the new location.

Additional tasks for servers running the Mailbox Server role

Enable Exchange Administrator audit logging (Exchange 2010 only)

If you want to track changes made to Exchange 2010 services by Exchange administrators, enable Exchange Administrator audit logging by following the instructions at "Configure Administrator Audit Logging" (http://technet.microsoft.com/en-us/library/dd335109.aspx) on MS TechNet.

Note: On Exchange 2010 SP1 and later, administrative audit logging is enabled by default.

This documentation applies to the following versions of MSExchange: 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6.

