Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Configure Exchange servers

This topic discusses configuring the Microsoft Exchange servers in your environment to send Exchange data to the Splunk App for Microsoft Exchange indexer.

Enable local PowerShell script execution

The add-ons included in the Splunk App for Microsoft Exchange installation package contain PowerShell scripts that must run on all Active Directory, DNS, and Exchange servers in your environment. Like you did previously for AD and Windows DNS, you must configure the Exchange servers to allow local execution of PowerShell scripts.

Note: This procedure tells you how to create a single Group Policy object (GPO) for local PowerShell execution on the Exchange servers. If you prefer, you can instead add the Exchange server computer objects to the GPO you created earlier for AD and DNS, since that GPO already allows local PowerShell script execution.

To enable local execution of PowerShell scripts on your Exchange servers:

1. If required, download Windows Management Framework (http://support.microsoft.com/kb/968929) from Microsoft's Support site and install it.

Note: All versions of Windows Server 2008 SP2 (except Core) and Windows Server 2008 R2 have PowerShell installed by default. All versions of Windows Server 2012 have PowerShell 3.0 installed by default. You might need to install Windows Management Framework on Windows Server 2003 family computers.

2. If required, download the Administrative Templates for Microsoft PowerShell (http://www.microsoft.com/en-us/download/details.aspx?id=25119) from Microsoft and install them.

Note: All versions of Windows Server 2008 (except Core) and later have the required templates for PowerShell installed.

3. Start the Active Directory Users and Computers snap-in.

4. Create a new Active Directory GPO. Learn how.

5. Open the GPO for editing.

6. In the GPO editor, select Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.

7. Right-click "Turn on script execution", then select "Edit".

8. In the window that appears, click the "Enabled" radio button.

9. In the "Execution Policy" drop-down, select Allow local scripts and remote signed scripts.

10. Click "OK" to accept the changes.

11. Close the Group Policy Object editor to save your changes.

12. Deploy the GPO.

GPO updates

Once you have deployed the GPOs, it can take up to 120 minutes before Active Directory applies the GPOs to the domain. If you want the GPOs applied sooner, run the GPUPDATE /force command on every computer whose Group Policy you want to update.
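The following script is an added example, not part of the Splunk documentation, that checks whether the "Turn on script execution" GPO described above has actually reached an Exchange server. It assumes the GPO was configured as in steps 7 through 9 (Enabled, "Allow local scripts and remote signed scripts"), and it relies on the fact that the Administrative Template writes its setting to the HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell registry key. Run it in an elevated Windows PowerShell session on the server.

```powershell
# Added example (not Splunk documentation): confirm the execution-policy GPO has applied.
# Assumes the GPO was built as described above ("Allow local scripts and remote signed scripts").
param(
    # Pass -Refresh to force a Group Policy refresh instead of waiting for the background cycle.
    [switch]$Refresh
)

if ($Refresh) {
    gpupdate /force | Out-Null
}

# The "Turn on script execution" Administrative Template writes its values here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$result = [ordered]@{
    ComputerName       = $env:COMPUTERNAME
    PolicyKeyPresent   = [bool]$policy
    EnableScripts      = if ($policy) { $policy.EnableScripts }   else { $null }
    PolicyValue        = if ($policy) { $policy.ExecutionPolicy } else { $null }
    # MachinePolicy is the scope Group Policy populates; it overrides every other scope.
    MachinePolicyScope = Get-ExecutionPolicy -Scope MachinePolicy
    EffectivePolicy    = Get-ExecutionPolicy
}

# "Allow local scripts and remote signed scripts" in the GPO editor is the RemoteSigned policy.
$result.GpoApplied = ($result.EnableScripts -eq 1 -and $result.PolicyValue -eq 'RemoteSigned')

[pscustomobject]$result | Format-List

if (-not $result.GpoApplied) {
    Write-Warning 'Execution-policy GPO is not in effect yet; wait for the refresh cycle or rerun with -Refresh.'
}
```

Because the MachinePolicy scope wins over every other scope, a server where this check passes will run the add-on scripts regardless of any local Set-ExecutionPolicy setting, which is why verifying at that scope rather than only the effective policy is worthwhile.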

Adjust the settings for the PowerShell Event log

To ensure that the Splunk App for Microsoft Exchange gets all of the data it needs, adjust the settings for the PowerShell Event log on each Exchange server:

1. Open Event Viewer.

2. Right-click PowerShell Log and select Properties.

3. Set the maximum size to 10,240 kilobytes (kB).

4. Under "When maximum log size is reached", select "Overwrite events as needed".

5. Click OK to close the dialog.

6. Right-click the Windows PowerShell Log and select Properties.

7. Under "When maximum log size is reached", select "Overwrite events as needed".

8. Click OK to close the dialog.

If you need long-term storage of the logs, configure a Windows Event Log input that indexes the PowerShell event log.
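As an added example that is not part of the Splunk documentation, the following script applies the eight Event Viewer steps above from the command line and then reports the resulting settings, which is convenient when many Exchange servers need the same change. It assumes that "PowerShell Log" in the procedure means the Microsoft-Windows-PowerShell/Operational channel and "Windows PowerShell Log" means the classic Windows PowerShell log; that mapping is an assumption. Run it elevated in Windows PowerShell 5.1, since Limit-EventLog is not available in PowerShell 7.

```powershell
# Added example (not Splunk documentation): set size and overwrite behaviour for both PowerShell logs.
# Assumption: "PowerShell Log" = Microsoft-Windows-PowerShell/Operational channel,
#             "Windows PowerShell Log" = the classic Windows PowerShell log.

# 10,240 kilobytes, as in the procedure. Classic logs require a multiple of 64 KB; this is 160 * 64 KB.
$maxBytes = 10240KB

# Classic log: Limit-EventLog handles both the size and the overflow (overwrite) setting.
Limit-EventLog -LogName 'Windows PowerShell' -MaximumSize $maxBytes -OverflowAction OverwriteAsNeeded

# Modern channel: wevtutil sets the maximum size (/ms) and turns retention off (/rt:false),
# which is the "Overwrite events as needed" behaviour.
wevtutil sl 'Microsoft-Windows-PowerShell/Operational' "/ms:$maxBytes" /rt:false

# Verify the classic log (MaximumKilobytes should be 10240, OverflowAction OverwriteAsNeeded).
Get-EventLog -List |
    Where-Object Log -eq 'Windows PowerShell' |
    Select-Object Log, MaximumKilobytes, OverflowAction

# Verify the modern channel (LogMode should be Circular, MaximumSizeInBytes 10485760).
Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
```

The verification output is the part worth keeping: a log that is still at its default size or in retain mode will silently drop the newest PowerShell events once full, and the add-on will index gaps rather than errors.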

Additional tasks for servers that run the Hub and Edge Transport roles

1. Turn on Message Tracking from within Exchange System Manager.

Enable Exchange Administrator audit logging on Exchange Mailbox Server

If you want to track changes made to Exchange 2010 or 2013 services by Exchange administrators, enable Exchange Administrator audit logging:

1. Open a PowerShell window (the Set-AdminAuditLogConfig cmdlet is an Exchange cmdlet, so the session must have the Exchange cmdlets loaded, as the Exchange Management Shell does).

2. In the window, execute the following commands:

> Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
> Set-AdminAuditLogConfig -AdminAuditLogParameters *
> Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

Learn more at "Configure Administrator Audit Logging" (http://technet.microsoft.com/en-us/library/dd335109.aspx) on MS TechNet.

Note: Exchange Server 2010 Service Pack 1 and later versions enable administrative audit logging by default.
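The following script is an added example, not code from the Splunk documentation, that applies the two Exchange-side settings from the sections above (message tracking on Hub and Edge Transport servers, and administrator audit logging) from the Exchange Management Shell and then verifies that each took effect. It assumes Exchange 2010 cmdlet names (Exchange 2013 renames Get-TransportServer and Set-TransportServer to Get-TransportService and Set-TransportService), an account holding the Organization Management role, and example values for the 90-day audit age limit and the one-day look-back window.

```powershell
# Added example (not Splunk documentation): enable and verify message tracking and
# administrator audit logging from the Exchange Management Shell (Exchange 2010 cmdlet names).
# Assumptions: Organization Management rights; 90-day age limit and 1-day look-back are example values.

# 1. Message tracking on every Hub Transport server in the organization.
#    Edge Transport servers are not domain-joined, so run the same two lines locally on each Edge server.
Get-TransportServer | Set-TransportServer -MessageTrackingLogEnabled $true
Get-TransportServer |
    Select-Object Name, MessageTrackingLogEnabled, MessageTrackingLogPath, MessageTrackingLogMaxAge

# 2. Administrator audit logging: the three Set-AdminAuditLogConfig calls from the procedure,
#    combined into one call, plus a retention period so entries survive long enough to be indexed.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
                        -AdminAuditLogCmdlets * `
                        -AdminAuditLogParameters * `
                        -AdminAuditLogAgeLimit 90.00:00:00

# 3. Confirm the audit configuration (AdminAuditLogCmdlets and AdminAuditLogParameters should both show {*}).
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# 4. Spot-check that changes are being recorded: list the cmdlets administrators ran in the last day.
#    The Set-TransportServer and Set-AdminAuditLogConfig calls above should appear here.
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Sort-Object RunDate -Descending
```

Step 4 is the useful check from a monitoring standpoint: if your own configuration change does not appear in Search-AdminAuditLog, the Splunk app will not see administrator activity either, and the cause (audit logging disabled, or a cmdlet filter narrower than *) is visible in the Get-AdminAuditLogConfig output from step 3.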

What's next?

You have deployed a Group Policy object to enable local PowerShell script execution on your Exchange servers. You have also increased the PowerShell log file size, turned on Message Tracking for Hub and Edge Transport Exchange servers, and turned on Audit Logging for Exchange Mailbox Servers (in Exchange 2010 or 2013 environments).

The next step involves downloading and configuring the Splunk Add-ons for Microsoft Exchange.

Last modified on 07 March, 2015

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1