How to deploy the Splunk App for Microsoft Exchange

This topic details the deployment procedure for the Splunk App for Microsoft Exchange.

There are several steps to installing the Splunk App for Microsoft Exchange:

• First, you prepare your Active Directory environment so that it generates and formats the data that the Splunk App for Microsoft Exchange needs.
• Next, you set up the central Splunk App for Microsoft Exchange instance.
• Next, you configure the Splunk App for Microsoft Exchange on your central Splunk instance to receive and search the incoming data.
• Then, you install universal forwarders on the Exchange servers in your environment.
  • Optionally, you can install them on any Active Directory and/or Windows Server machines in the same environment.
• After that, you configure the universal forwarders with add-ons that come with the Splunk App for Microsoft Exchange installation package. You can also download the Splunk Add-on for Windows and install it on systems from which you want Windows data.
• Then, you confirm that the universal forwarders are sending data to the central Splunk instance.
• Then, you install a valid license for the Splunk App for Microsoft Exchange.
• Finally, you generate lookup tables for the app to use.

To deploy the Splunk App for Microsoft Exchange into your environment, perform the following steps:

Step 1. Prepare your Active Directory environment

Before you can use the Active Directory modules in the Splunk App for Microsoft Exchange, you must prepare your AD environment to generate the required data for the app. If you do not perform this step, then no Active Directory data gets collected, and the app does not display Active Directory data.

Important: You must have administrator-level privileges to complete the following steps. If you do not have these credentials, then find someone in your organization who does, as you cannot finish the procedure without this access.

To prepare your AD environment for the Splunk App for Microsoft Exchange:

1. Verify that all of the domain controllers and DNS servers in your environment have the latest service packs and hot fixes installed.

Important: The Splunk App for Microsoft Exchange does not support computers that run Windows Server 2008 Core because that version of Windows does not support PowerShell. You must upgrade or reinstall those systems with a version of Windows that the app supports. Review the platform and hardware requirements for additional information.

2. Confirm that PowerShell v2.0 or later is installed. Versions of PowerShell earlier than v2.0 are not compatible with the Splunk App for Microsoft Exchange.

3. Set your AD environment's forest and domain functional levels to "Windows Server 2003" or higher.

• For additional information on forest and domain functional levels, review "What are Active Directory functional levels?" (http://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx) on MS TechNet.

4. Enable Security event log auditing and local PowerShell script execution on every domain controller in your AD environment.

Caution: When you enable Security event log auditing on your domain controllers, the DCs generate a large number of events. These events significantly impact indexing volume and might cause indexing license violations. You might also see decreased performance on your domain controllers. Read this topic carefully to understand what events the Splunk App for Microsoft Exchange must collect to function properly and which events you can choose not to include.

5. If you want detailed DNS server statistics, enable debug logging on your DNS servers by following the instructions at "Select and enable debug logging options on the DNS server" (http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx) on MS TechNet.

Caution: When you enable debug logging on your DNS servers, you must consider the following caveats:

• If you enable DNS server debug logging, individual DNS server performance will decrease significantly.

• Debug logging generates significant amounts of data that might exhaust disk space on your DNS servers, which can potentially cause downtime. You must watch and rotate your DNS server logs to prevent disk capacity issues from occurring.

• Debug logging also greatly increases the overall amount of data indexed by the Splunk App for Microsoft Exchange. Ensure that you have a Splunk license that can accommodate the additional indexing volume.

Important: When installing a universal forwarder on an Active Directory domain controller, you must specify the "Local System" user.

Step 2. Install the central Splunk App for Microsoft Exchange instance

Configure the central Splunk instance to receive the incoming data and host the app.

1. Install two full instances of Splunk, or designate an existing installation of two Splunk machines as your "central" Splunk instance.

2. Configure one of the machines in the central Splunk instance to be a receiving indexer.

3. Write down the host name or IP address and port that you use when you configure the receiving indexer as you need this information later in the deployment process.

4. Configure the other machine to be a search head and search across the indexer for data.

Step 3. Install and configure the Splunk App for Microsoft Exchange on the central Splunk instance

1. Download the Splunk App for Microsoft Exchange installation package and place it into an accessible location.

2. Download the Supporting Add-on for Active Directory and place it into the same location.

3. Install the Splunk App for Microsoft Exchange onto all search heads in the central Splunk instance.

4. Install the Splunk Supporting Add-on for Active Directory onto all search heads in the central Splunk instance.

5. Configure the Splunk Supporting Add-on for Active Directory by editing %SPLUNK_HOME%\etc\apps\SA-ldapsearch\local\ldap.conf. An example follows:

[mydomain.com]
server = 192.168.50.1;192.168.50.2
port = 636
ssl = true
basedn = dc=spl,dc=com
binddn = cn=Splunk Searcher,cn=Users,dc=spl,dc=com
password = {64}u9435tr8ujtgfnkjscc
alternatedomain = MYDOMAIN

Note: For more information on editing ldap.conf, see "Configure the Splunk Supporting Add-on for Active Directory" in the Splunk Supporting Add-on for Active Directory documentation.

6. Restart all machines in your central Splunk instance to ensure that all changes take effect.

Step 4. Install and configure universal forwarders on your Exchange servers

1. Install a universal forwarder on each Exchange server in your environment.

2. Optionally, install a forwarder on any Active Directory domain controllers and other Windows machines.

Important: When installing the universal forwarder:

• Choose the "Local System" user when asked which user to run the forwarder as.

• Do not enable any of the inputs when installing the universal forwarder.

• When the installer asks you to specify the hostname or IP address for the receiving indexer, use the information that you wrote down in "Step 1. Install the central Splunk App for Microsoft Exchange instance" above.

• If you use a deployment tool such as Microsoft System Center or Group Policy, you must install the forwarders from the command line and use command-line installation flags. Read "Deploy a Windows universal forwarder via the command line" in the core Splunk Enterprise documentation for installation flags and additional information.

• While installation of forwarders on Active Directory and Windows machines is optional, if you do not install these forwarders, you will subsequently be unable to install the Splunk Add-on for Windows or the add-ons for Active Directory, and thus will not have this data available to the Splunk App for Microsoft Exchange unless you already collect it using previous versions of the Splunk App for Windows and the Splunk App for Active Directory.

Step 5. Configure and deploy the Splunk App for Microsoft Exchange add-ons

After you have installed universal forwarders on each of the Exchange servers in your deployment, you must then configure and install the Splunk App for Microsoft Exchange add-ons according to the server roles that your Exchange and Active Directory servers run.

1. Configure the Splunk App for Microsoft Exchange add-ons as needed.

2. Install or deploy the appropriate add-on(s) into the universal forwarders on each Exchange or Active Directory server according to the role it plays in your Exchange deployment. See "More information about the add-ons" for specific installation locations.

3. Confirm that all of the Exchange servers that you want to include in the deployment send Exchange log data to the usual places, in the usual formats. If they do not, review "Where and how the Splunk App for Microsoft Exchange expects to find your logs" in this manual for instructions on configuring the app to account for the changes in logging locations.

Step 6. Confirm that you see data coming in

After you configure the add-ons on the universal forwarders in your environment, confirm that the universal forwarders can connect to the central Splunk instance's receiving indexer. You can do this by logging into the indexer and confirming that you see incoming Exchange data for each host.

If you do not see a certain host, confirm:

• That the host is connected to the network and has IP connectivity to the receiving indexer.
• That a firewall is not blocking traffic.
• That the universal forwarder has been configured to send data to the correct receiving host and port.

If you do not see any data, confirm:

• That the receiving indexer is connected to the network.
• That Splunk is running on the receiving indexer.
• That the receiving indexer has been configured to receive forwarded data.
• That a firewall is not blocking traffic.

Step 7. Install a valid Splunk App for Microsoft Exchange license

Once you have confirmed that data is flowing into the app, you must now install a valid license for the Splunk App for Microsoft Exchange.

Read "Install a license" in this manual for additional details.

Step 8. Generate lookup tables

After you have installed the app and confirmed that you are receiving Exchange data from the universal forwarders into your central Splunk instance, you must then generate the lookup tables that the Splunk App for Microsoft Exchange uses.

Important: You must wait about 10 to 15 minutes after you have confirmed that the central Splunk instance correctly indexes Exchange data before you run this procedure.

To generate the lookups:

1. Log into the indexer of your central Splunk instance.

2. Once logged in, open the Splunk App for Microsoft Exchange.

3. Generate the lookups that the Splunk App for Microsoft Exchange uses to display the data it has collected. Click Tools & Settings > Build Lookups. The Splunk App for Microsoft Exchange loads the Build Lookups progress screen.

4. Once the build lookup progress screen completes, click "Finish and go back" to return to the previous screen.

Additional Steps

Deploy the sender reputation add-on

If you want your Splunk App for Microsoft Exchange central instance to display e-mail sender reputation statistics, then you must set up another full instance of Splunk and install or deploy the e-mail sender reputation add-on into it.

1. On a separate machine, install a full Splunk instance that has an outbound connection to the Internet.

Note: This machine should be separate from the central Splunk App for Microsoft Exchange instance and any Exchange servers which also run universal forwarders.

2. Configure the instance to be a heavy forwarder.

3. Configure the instance to send data to all indexers in the central Splunk App for Microsoft Exchange instance.

4. Configure the TA-SMTP-Reputation add-on. Create and edit TA-SMTP-Reputation\local\reputation.conf.

Note: The reputation.conf file has a single stanza, [mailservers]. The iplist attribute must contain the IP address(es) of all of your outbound mail servers in order for sender reputation statistics to work properly. If you have multiple outbound mail servers, separate each server in the list with a comma. For example:

[mailservers]
iplist = 

5. Deploy the TA-SMTP-Reputation add-on onto this instance.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.