Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Upgrade the Splunk App for Microsoft Exchange

If you are using version 1.x of the Splunk App for Microsoft Exchange and wish to upgrade to version 2.0, you must understand the changes between the previous version and this one. You must also follow some procedures to ensure that the new version of the app can read the data the previous version already collected.

If your Splunk App for Microsoft Exchange deployment is large or complex, you might want to consult Splunk's Professional Services team for assistance.

Major differences between versions 1.x and 2.0

The major differences between version 1.x and 2.0 of the Splunk App for Microsoft Exchange are:

  • The app provides new PowerShell-based scripted data inputs for the following features:
    • Mailbox Audit (Provides information on user activities in a mailbox, such as delegation, access by someone other than the owner, and so on. The user that runs Splunk must have the ability to read mailbox audit logs to use this feature.)
    • Distribution Lists
    • Inbox Rules (Provides data on what rules users add to mail that arrives in their inbox)
    • Client Access Server (CAS) throttling rules (Provides data on how the CAS limits logon attempts into Exchange.)
  • The app provides a new dashboard: The Internal Spamming Reports view provides information on users that send large quantities of messages to large numbers of users in a short period of time. The Distribution List Expansions dashboard gives you additional information on the distribution lists within your organization.
  • The app provides several new macros which help you gain insight on message tracking operations.
  • The app no longer includes the TA_bes5 and TA_Forefront-Security-for-Exchange technology add-ons.
  • The app no longer provides data visualization for Blackberry Enterprise Server (BES) and Forefront Security for Exchange. If you already collect BES data, you will not lose it, but you must install the Add-on for Blackberry Enterprise Server 5 onto the central Splunk instance to see it.
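The Mailbox Audit input listed above only returns data if the account that runs Splunk can read mailbox audit logs and auditing is actually enabled on the mailboxes. The following Exchange Management Shell check is an added example, not part of the Splunk app; the `$SplunkAccount` value is a placeholder you replace with your own forwarder service account.

```powershell
# Added example: pre-upgrade check for the Mailbox Audit scripted input.
# Run in the Exchange Management Shell as an Exchange administrator.
$SplunkAccount = "CONTOSO\svc-splunk"   # placeholder, replace with the account running the forwarder

# 1. Does the account hold the "Audit Logs" management role (directly or through a role group)?
$assignments = Get-ManagementRoleAssignment -RoleAssignee $SplunkAccount -Role "Audit Logs" -ErrorAction SilentlyContinue
if (-not $assignments) {
    Write-Warning "$SplunkAccount has no 'Audit Logs' role assignment; the Mailbox Audit input will return nothing."
} else {
    $assignments | Format-Table Name, Role, RoleAssigneeName -AutoSize
}

# 2. Audit entries are only written for mailboxes whose AuditEnabled flag is set.
$all     = @(Get-Mailbox -ResultSize Unlimited)
$audited = @($all | Where-Object { $_.AuditEnabled })
"{0} of {1} mailboxes have mailbox auditing enabled" -f $audited.Count, $all.Count

# 3. Smoke test: read the last day of non-owner (Admin/Delegate) access on one audited mailbox.
#    Seeing rows here confirms there is something for the input to collect.
if ($audited.Count -gt 0) {
    Search-MailboxAuditLog -Identity $audited[0].Identity -LogonTypes Admin,Delegate `
        -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ShowDetails |
        Select-Object Operation, LogonType, LogonUserDisplayName, LastAccessed -First 5
}
```

If step 1 warns, add the account to a role group that carries the Audit Logs role (for example Records Management) before you rely on the Mailbox Audit dashboards.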

Upgrade version 1.x to version 2.0

If you are doing an in-place upgrade of the Splunk App for Microsoft Exchange from version 1.x to 2.0, take the following steps, in order, to ensure that the updated version of the app is able to read data generated by the older version:

Download and install the SA-ldapsearch supporting add-on

Before you upgrade the Splunk App for Microsoft Exchange, you must download and install the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) on all servers in your central Splunk instance.

Upgrade the technology add-ons on your Exchange servers

Once you have installed SA-ldapsearch into the central Splunk instance, you must then upgrade the technology add-ons on the universal forwarders on your Exchange servers.

  • The upgraded TAs are inside the Splunk App for Microsoft Exchange installation package, at Splunk_for_Exchange\etc\appserver\addons.
  • If you use a deployment server, read "Deploy configurations for all server roles" in this manual for instructions on how to use the deployment server to distribute the upgraded TAs to your Splunk App for Microsoft Exchange environment.
  • If you have deployed either the TA_bes5 (Blackberry Enterprise Server v5) or the TA_Forefront-Security-for-Exchange (Forefront Security for Exchange) TAs, note that there is no upgrade for these TAs.

Configure message tracking macros (if required)

Version 2.0 of the Splunk App for Microsoft Exchange includes two new message tracking macros:

  • msgtrack-inbound-senderip: This macro gets a list of IP addresses that have successfully sent email to your Exchange servers.
  • msgtrack-outbound-clientip: This macro gets a list of IP addresses that your Exchange servers have successfully sent email to.

If you currently customize the existing msgtrack-inbound-messages and msgtrack-outbound-messages macros by making changes to %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\macros.conf, then you must also configure these additional macros. If you have not configured either of these older macros, then you do not need to configure the new ones.

Upgrade the Splunk App for Microsoft Exchange

Next, install the new Splunk App for Microsoft Exchange on all servers in the central Splunk instance.

You can install the updated app in one of three ways:

  • By using the Apps screen in Manager.
  • By unpacking the app into %SPLUNK_HOME%\etc\apps on all servers in your central Splunk instance.
  • By using a deployment server to distribute the app across your central Splunk instance.

Important: Do not install the app on the universal forwarders on your Exchange servers.

For specifics on what the central Splunk instance is, read "What a Splunk App for Microsoft Exchange deployment looks like" in this manual.

Last modified on 07 November, 2012

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.0
