Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Additional tasks to be performed on Exchange servers

This topic discusses additional steps that you should complete on the Exchange servers in your network in order to prepare the Splunk App for Microsoft Exchange for complete Exchange data analysis.

Note: This topic is a checklist to ensure that the Splunk App for Microsoft Exchange gets the data it needs. You might have already completed these steps.

Additional tasks for servers that run any Exchange server role

Adjust the settings for the PowerShell Event log

The Splunk App for Microsoft Exchange makes extensive use of PowerShell to gather information about Exchange services. We strongly recommend you adjust the settings for the PowerShell Event log on each Exchange server as follows:

  1. Open Event Viewer.
  2. Right-click the PowerShell log and select Properties.
  3. Set the maximum size to 10,240 kilobytes (kB).
  4. Under Log size, set "When maximum log size is reached" to Overwrite events as needed.
  5. Click OK to close the dialog.
  6. Right-click the Windows PowerShell log and select Properties.
  7. Under Log size, set "When maximum log size is reached" to Overwrite events as needed.
  8. Click OK to close the dialog.

If you need long-term storage of the logs, we recommend that you index the PowerShell log in Splunk.
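
The Event Viewer steps above can also be checked and applied from a script, which helps when the same settings must hold on every Exchange server. The following is an added example, not part of the Splunk documentation; it assumes the two logs are registered under the names `PowerShell` and `Windows PowerShell` (confirm with `Get-EventLog -List`) and that Windows PowerShell 3.0 or later is available.

```powershell
# Added example; not part of the Splunk documentation.
# Run in an elevated Windows PowerShell (3.0+) session on each Exchange server.
# Without -Apply the script only reports drift from the settings in the steps above.
param([switch]$Apply)

# Assumption: the two logs named in the steps are registered under these names.
# Confirm with `Get-EventLog -List` and edit if your servers differ.
$targets = @(
    @{ Name = 'PowerShell';         MaxKB = 10240 },  # steps 2-5: size and overwrite mode
    @{ Name = 'Windows PowerShell'; MaxKB = $null }   # steps 6-8: overwrite mode only
)

$logs = Get-EventLog -List

foreach ($t in $targets) {
    $log = $logs | Where-Object { $_.Log -eq $t.Name }
    if (-not $log) {
        Write-Warning "Log '$($t.Name)' is not present on $env:COMPUTERNAME."
        continue
    }

    $sizeOk = ($null -eq $t.MaxKB) -or ($log.MaximumKilobytes -eq $t.MaxKB)
    $modeOk = $log.OverflowAction -eq 'OverwriteAsNeeded'

    if ($Apply -and -not ($sizeOk -and $modeOk)) {
        $limit = @{ LogName = $t.Name; OverflowAction = 'OverwriteAsNeeded' }
        # Limit-EventLog takes the size in bytes, in 64 KB increments.
        if ($null -ne $t.MaxKB) { $limit.MaximumSize = $t.MaxKB * 1KB }
        Limit-EventLog @limit
        # Re-read so the report reflects what is now configured.
        $log = Get-EventLog -List | Where-Object { $_.Log -eq $t.Name }
    }

    # One row per log: current values and whether they match the steps above.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Log            = $log.Log
        MaximumKB      = $log.MaximumKilobytes
        OverflowAction = $log.OverflowAction
        Compliant      = (($null -eq $t.MaxKB) -or ($log.MaximumKilobytes -eq $t.MaxKB)) -and
                         ($log.OverflowAction -eq 'OverwriteAsNeeded')
    }
}
```

Because overwrite-as-needed discards the oldest events once the size limit is reached, confirm that the log is being indexed before relying on it for anything beyond recent history.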

Additional tasks for servers that run the Hub and Edge Transport roles

  1. Turn on Message Tracking from within Exchange System Manager.
  2. If you have installed Microsoft Forefront Security Suite for Exchange 2007 or Exchange 2010, also deploy the TA-Forefront-Security-for-Exchange add-on.
  3. If you have moved the message tracking logs, ensure you also update the data input to reflect the new location.

Additional tasks for servers that run the Mailbox Server role

Enable Exchange Administrator audit logging (Exchange 2010 or 2013 only)

If you want to track changes made to Exchange 2010 or 2013 services by Exchange administrators, enable Exchange Administrator audit logging by following the instructions at "Configure Administrator Audit Logging" (http://technet.microsoft.com/en-us/library/dd335109.aspx) on MS TechNet.

Note: Exchange Server 2010 Service Pack 1 and later versions enable administrative audit logging by default.

Last modified on 06 December, 2013

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3