Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Install the central Splunk for Microsoft Exchange app instance

The central component of a Splunk App for Microsoft Exchange deployment is the Splunk indexer (and, optionally, any search heads that search against it). You install the following components on the central instance:

  • If you have a Splunk installation with both the indexer and Splunk Web running on the same instance, install the entire contents of the app on that instance.
  • If you have indexer(s) and search head(s) on separate systems:
    • Indexers get all of the technology add-ons (TAs).
    • Search heads get the full package (all the TAs and the Splunk_for_Exchange component).

As discussed in "Platform and hardware requirements" and "Other deployment considerations" in this manual, your Splunk instance(s) must be provisioned to support the level of indexing and interaction with the Splunk Web interface you anticipate for your deployment.

Any Splunk instance that includes an indexer will be acting as a receiver. It will receive data from the Exchange servers, which will in turn be configured as forwarders.

Install Splunk

If you're not using an existing Splunk installation, download the full Splunk package for your platform, and follow the installation instructions in the core Splunk documentation.

Install the Sideview Utils app

Download and install Sideview Utils 1.2.5 or later.

Install the Google Maps app

Download and install Google Maps 1.1 or later.

Install the central instance of Splunk App for Microsoft Exchange

This procedure assumes you have already installed Splunk on the host you intend to use as the indexer for your Exchange data.

1. Download the Splunk App for Microsoft Exchange from Splunkbase.

2. Install the Splunk_for_Exchange-vX.XX.spl file into your Splunk instance, either through Manager > Apps > Install app from file, or from the CLI with splunk install app <path to the .spl file>.

3. Restart Splunk.

4. Log back in to Splunk.

Configure the central instance of Splunk App for Microsoft Exchange

Once you have installed the Splunk App for Microsoft Exchange on your designated central Splunk instance, you must configure the instance so that it collects all of the relevant Exchange data you want to monitor.

Configure NetBIOS to DNS domain name translation

To make sure that all connections into Exchange are monitored by the Splunk App for Microsoft Exchange, you must edit the NetBIOS to DNS domain name alias file. This file is located at %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\domain_aliases.csv. Edit this file to add aliases for your NetBIOS domain names to your DNS-based domain names.

The file contains entries like the following:

	UNKNOWN,spl.com
	SPL,spl.com

Each line contains two comma-separated strings. The first string is the NetBIOS name that you want to translate, and the second string is the DNS domain name that you want to translate the first string to. In the example above:

SPL,spl.com means "Treat connections from the NetBIOS domain SPL as if they came from the DNS domain spl.com."

Important: When editing this file, always retain the UNKNOWN entry. Any user name that arrives without a domain qualifier is assigned the NetBIOS domain UNKNOWN, and that entry is what maps such logons to a DNS domain; without it, unqualified logons have no DNS domain to map to.

Configure logon name normalization lookups

You can also tell the Splunk App for Microsoft Exchange to translate logon usernames to normalized logon names. To do so, edit %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\active_directory.csv.

Each line in active_directory.csv contains three comma-separated strings. For example:

	spl.com,jdoe,john.doe

This example says "translate john.doe to jdoe@spl.com".

You can have any number of lines in this file. Its contents depend on how your users log in to Exchange, for example through Outlook Web Access, Exchange Web Services or another web-based mail client, because each presents the logon name differently. You can generate the list from Active Directory if needed.
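The following is an added example, not code from the Splunk App for Microsoft Exchange: a small simulation of how the two lookup files described above (domain_aliases.csv and active_directory.csv) combine to turn a raw logon name into account@dns-domain, including what happens to an unqualified name when the UNKNOWN line is present or missing. The CSV contents are constructed samples, and the order in which the two lookups are chained is an assumption drawn from the text rather than the app's own search logic.

```python
"""Simulate the NetBIOS-to-DNS alias lookup and the logon name normalization
lookup used by the Splunk App for Microsoft Exchange.

Added example: the CSV samples are constructed, and chaining the two lookups in
this order is an assumption about the app's behaviour, not its actual searches.
"""
import csv
import io

# Constructed sample of domain_aliases.csv: NetBIOS name, DNS domain name.
DOMAIN_ALIASES_CSV = """UNKNOWN,spl.com
SPL,spl.com
CORP,corp.example.com
"""

# Constructed sample of active_directory.csv: DNS domain, account name, logon name.
ACTIVE_DIRECTORY_CSV = """spl.com,jdoe,john.doe
spl.com,asmith,alice.smith
corp.example.com,bjones,bob.jones
"""


def load_domain_aliases(text):
    """Return {NETBIOS_NAME: dns_domain}; blank or malformed lines are ignored."""
    aliases = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        aliases[row[0].strip().upper()] = row[1].strip().lower()
    return aliases


def load_logon_map(text):
    """Return {(dns_domain, logon_name): account_name} from the three-column file."""
    logons = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        domain, account, logon = (field.strip() for field in row)
        logons[(domain.lower(), logon.lower())] = account
    return logons


def split_logon(raw):
    """Split DOMAIN\\user, user@domain or a bare user into (domain, user).

    The domain is None for an unqualified name.
    """
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return domain, user
    if "@" in raw:
        user, domain = raw.rsplit("@", 1)
        return domain, user
    return None, raw


def normalize(raw, aliases, logons):
    """Map a raw logon name to account@dns-domain, or None if no domain applies.

    Unqualified names are treated as coming from the NetBIOS domain UNKNOWN,
    which is why the UNKNOWN line in domain_aliases.csv must be kept.
    """
    domain, user = split_logon(raw)
    netbios = "UNKNOWN" if domain is None else domain.upper()
    # A name that already carries a DNS domain passes through unchanged.
    dns_domain = aliases.get(netbios, None if domain is None else domain.lower())
    if dns_domain is None:
        return None
    # Fall back to the raw user part when the account is not in active_directory.csv.
    account = logons.get((dns_domain, user.lower()), user)
    return f"{account}@{dns_domain}"


if __name__ == "__main__":
    aliases = load_domain_aliases(DOMAIN_ALIASES_CSV)
    logons = load_logon_map(ACTIVE_DIRECTORY_CSV)
    for name in ["SPL\\john.doe", "john.doe", "alice.smith@spl.com", "corp\\bob.jones"]:
        print(f"{name!r:28} -> {normalize(name, aliases, logons)}")
```

Running the script with the UNKNOWN line removed from DOMAIN_ALIASES_CSV makes normalize("john.doe", ...) return None, which is the failure the Important note above warns about.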

Configure base searches and indexes used to gather data

Before starting the Splunk App for Microsoft Exchange, review %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\default\eventtypes.conf to make sure that all of the app's base searches are using the correct indexes.

If you need to make changes to this file, copy it to %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local before making the changes, so that your edits are not overwritten when the app is upgraded (files under default are replaced on upgrade).

Configure display options and searches that gather data

Finally, review %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\default\macros.conf to ensure that the app properly uses the defined searches to gather data from your Exchange servers. You will also need to review this file to ensure that the Messages Per Hour gauge on the front page of the app displays appropriate values for your organization.

Configure Splunk to receive the data from the forwarders on your Exchange servers

You can enable receiving on a Splunk instance through Splunk Web or the CLI.

Important: By default, the Splunk App for Microsoft Exchange configures your instance of Splunk to receive data over TCP port 9997. If you need this to be a different port, change this value in the receiving instance's inputs.conf, and change it to match in the outputs.conf on each Exchange server (forwarder) that sends data to this instance. Note that a plain splunktcp receiver is unencrypted and accepts data from any host that can reach the port; restrict it with a host firewall or network ACL to the Exchange forwarders, or use an SSL receiver ([splunktcp-ssl:<port>] in inputs.conf) if the link must be encrypted.

Set up receiving with Splunk Web

Use Splunk Manager to set up a receiver:

1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder.

2. Click Manager in the upper right corner.

3. Select Forwarding and receiving in the Data area.

4. Click Add new in the Receive data section.

5. Specify which TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are in use on your system. Make sure the port you select is not in use by splunkweb or splunkd (by default 8000 and 8089 respectively).

6. Click Save. You must restart Splunk to complete the process.

Set up receiving with Splunk CLI

To access the CLI, first navigate to $SPLUNK_HOME/bin (%SPLUNK_HOME%\bin on Windows, where the commands below are run as splunk rather than ./splunk). This is unnecessary if you have added Splunk to your path.

To enable receiving, enter:

./splunk enable listen <port> -auth <username>:<password>

If you omit the -auth argument, you are prompted for your Splunk username (by default admin) and password.

For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By default, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are in use on your system. Make sure the port you select is not in use by splunkweb or splunkd (by default 8000 and 8089 respectively).

To disable receiving, enter:

./splunk disable listen -port <port> -auth <username>:<password>

Again, if you omit -auth you are prompted for your Splunk username (by default admin) and password. Restart Splunk after enabling or disabling receiving from the CLI.
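For reference, these are the configuration stanzas that the receiving and forwarding steps above correspond to, shown as an added example rather than configuration copied from the app. The non-default port 9998 and the host name splunk-indexer.spl.com are placeholders chosen for the example; the point is that the receiver's port and the server value in every forwarder's outputs.conf must agree.

```ini
# On the central indexer (receiver): inputs.conf in a local directory.
# Equivalent to "splunk enable listen 9998". Use [splunktcp-ssl:9998] together
# with an [SSL] stanza instead if the link to the Exchange servers must be encrypted.
[splunktcp://9998]
disabled = 0

# On each Exchange server (forwarder): outputs.conf in a local directory.
# The host:port here must match the receiver stanza above; placeholder host name.
[tcpout]
defaultGroup = exchange_indexers

[tcpout:exchange_indexers]
server = splunk-indexer.spl.com:9998
```

After changing the port on either side, restart the affected instance and confirm with netstat on the receiver that splunkd is listening on the new port and that the old one is closed.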

Last modified on 03 May, 2012

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6

