Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk Add-ons for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Configure TA-Windows-Exchange-IIS

The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server and Windows Server that you run.

Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an inputs.conf file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.

Download and unpack the TA-Windows-Exchange-IIS add-on

  1. Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
  2. Unpack the add-on bundle to an accessible location.

Create and edit inputs.conf

  1. Open a PowerShell window, command prompt, or Explorer window.
  2. Create a local directory within the TA-Windows-Exchange-IIS add-on.
  3. Copy inputs.conf from the TA-Windows-Exchange-IIS\default directory to the TA-Windows-Exchange-IIS\local directory.
  4. Use a text editor such as Notepad to open the TA-Windows-Exchange-IIS\local\inputs.conf file for editing.
  5. Modify the inputs.conf file so that the common data inputs and the inputs that are for the version of Windows Server and Exchange Server that you run are enabled. Do this by changing disabled = true to disabled = false for all input stanzas that are associated with your version of Windows Server and Exchange Server. See the example inputs.conf later in this topic.
  6. After you update the inputs.conf file, save it and close it.

Distribute the add-ons

If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.

  1. Copy the TA-Windows-Exchange-IIS add-on to the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server.
  2. Create a server class for all hosts that run Exchange Server and hold the Client Access role.
  3. Add all Exchange Server hosts that hold the Mailbox Server role to this server class.
  4. Push the add-on to all hosts in this server class.

Example inputs.conf

The following inputs.conf listing is an example of how you should configure the TA-Windows-Exchange-IIS add-on for installation on a Windows Server 2008 R2 host that runs Exchange Server 2010 and holds the Client Access role. In this example, the Windows Server 2008 R2 block has had its input stanza changed from disabled = true to disabled = false. All other data input blocks have not been changed.

Remember to save the inputs.conf file after editing it, as changes do not take effect until the file has been saved and the add-on has been pushed to Exchange Server hosts.

##################################################################################################
#User should enable the stanza specific to the exchange server version by setting disabled=false #
##################################################################################################

####Common Stanzas - Start####

[WinHostMon://Processes]
index = windows
interval = 10
disabled = false
type = process

[WinHostMon://Services]
index = windows
interval = 10
disabled = false
type = service

[perfmon://Total_Processor_Time]
index=perfmon
object=Processor
counters=% Processor Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Processor]
index=perfmon
object=Processor
counters=% User Time; % Privileged Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://System]
index=perfmon
object=System
counters=Processor Queue Length
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Available_Memory]
index=perfmon
object=Memory
counters=Available MBytes
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Memory]
index=perfmon
object=Memory
counters=Pool Nonpaged bytes; Pool Paged bytes; Cache Bytes; Committed Bytes; %Committed Bytes in Use; Transition Pages Repurposed/sec; Pages/sec; Pages Input/sec; Pages Output/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://DotNET_CLR_Memory]
index=perfmon
object=.NET CLR Memory
counters=% Time in GC; # Bytes in all Heaps
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Network_Utilization]
index=perfmon
object=Network Interface
counters=Bytes Total/sec; Packets Outbound Errors
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv4]
index=perfmon
object=TCPv4
counters=Connections Established; Connections Reset
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv6]
index=perfmon
object=TCPv6
counters=Connection Failures
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Control_Panel]
index=perfmon
object=MSExchange Control Panel
counters=Outbound Proxy Requests - Average Response Time; Requests - Average Response Time; ASP.Net Request Failures/sec; Explicit Sign-On Inbound Proxy Requests/sec; Explicit Sign-On Inbound Proxy Sessions/sec; Explicit Sign-On Outbound Proxy Requests/sec; Explicit Sign-On Outbound Session Requests/sec; Explicit Sign-On Standard RBAC Requests/sec; Explicit Sign-On Standard RBAC Sessions/sec; Inbound Proxy Requests/sec; Inbound Proxy Sessions/sec; Outbound Proxy Requests - Average Response Time; Outbound Proxy Requests/sec; Outbound Proxy Sessions/sec; PowerShell Runspaces - Activations/sec; PowerShell Runspaces - Average Active Time; PowerShell Runspaces/sec; RBAC Sessions/sec; Requests - Activations/sec; Requests - Average Response Time
interval=10
disabled=false
useEnglishOnly=true

[perfmon://ASP_NET]
index=perfmon
object=ASP.NET
counters=Requests Current; Request Wait Time; Application Restarts; Worker Process Restarts
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://ASP_NET_Applications]
index=perfmon
object=ASP.NET Applications
counters=Requests in Application Queue
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://RPC_HTTP_Proxy]
index=perfmon
object=RPC/HTTP Proxy
counters=Number of Failed Back-End Connection attempts per Second; Current Number of Incoming RPC over HTTP Connections; Current Number of Unique Users; \RPC/HTTP Requests per Second
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_RpcClientAccess]
index=perfmon
object=MSExchange RpcClientAccess
counters=RPC Averaged Latency; RPC Operations/sec; RPC Requests; Active User Count; Connection Count; User Count
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeAB]
index=perfmon
object=MSExchangeAB
counters=NSPI RPC Browse Requests Average Latency; NSPI RPC Requests Average Latency; Referral RPC Requests Average Latency; NSPI Connections Current; NSPI Connections/sec; Referral RPC Requests/sec
interval=10
disabled=false
useEnglishOnly=true

####Common Stanzas - End####

####Windows Server Version 2003 - Start####

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1\W3SVC1\*.log]
sourcetype=MSWindows:2003:IIS
queue=parsingQueue
index=msexchange
disabled=true

####Windows Server Version 2003 - End####

####Windows Server Version 2008R2 - Start####

[monitor://C:\inetpub\logs\...\W3SVC1\*.log]
sourcetype=MSWindows:2008R2:IIS
queue=parsingQueue
index=msexchange
disabled=false

####Windows Server Version 2008R2 - End####

####Windows Server Version 2012 - Start####

[monitor://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype=MSWindows:2012:IIS
queue=parsingQueue
index=msexchange
disabled=true

####Windows Server Version 2012 - End####

####Exchange Server Version 2010 - Start####
[monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2010EWS:IIS
queue=parsingQueue
index=msexchange
disabled=false
initCrcLength=8192
####Exchange Server Version 2010 - End####

####Exchange Server Version 2013/2016 - Start####
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2013EWS:IIS
queue=parsingQueue
index=msexchange
disabled=true
initCrcLength=8192
####Exchange Server Version 2013/2016 - End####
Last modified on 11 April, 2019
TA-Windows-Exchange-IIS inputs   Troubleshoot TA-Windows-Exchange-IIS

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.4, 3.5.0, 3.5.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters