Deploy and Use the Splunk App for Microsoft Exchange

 


Upgrade the Splunk App for Microsoft Exchange
Windows Help: Applications and Updates
Active Directory Help: Domain Controllers
Active Directory Help: Computers
Active Directory Help: Groups
Active Directory Help: Group Policy
Active Directory Help: Organizational Units
Troubleshoot the Splunk App for Microsoft Exchange
Best practices

Deploy configurations for all server roles

Deploy configurations for all server roles

This procedure describes using the Splunk deployment server to deploy the Splunk App for Microsoft Exchange configurations to Splunk universal forwarders that you have installed on each of the Exchange server systems in your environment.

If you haven't installed universal forwarders yet, follow the instructions in "Install a universal forwarder on each Exchange server" to complete that task before continuing.

Note: You do not have to use a deployment server to deploy the Splunk App for Microsoft Exchange--you can copy the appropriate components to the universal forwarders and search heads by hand if you like. A benefit to using deployment server is that you can update the components very easily later, when a new version of the app becomes available.

You can configure your central Splunk instance to be a deployment server, or install full Splunk on another server and configure it as the deployment server.

Caution: The Splunk App for Microsoft Exchange puts all the data it indexes into the msexchange and perfmon indexes. If you don't want to use these indexes for the data, you must change the app's configuration as described in "Other deployment considerations" and "Make configuration changes to match your existing environment" in this manual, before you deploy it to the forwarders.

Prepare the deployment on the deployment server

To configure your deployment server:

1. Edit %SPLUNK_HOME%\etc\system\local\serverclass.conf on your deployment server to specify a server class for each server role and Windows Server version and optionally one for the server running the reputation service (which must have Internet access). The recommended naming convention is:

  • Exchange-<version>-<role>
  • Exchange-Windows-<version>
  • Exchange-Reputation

Note: There is an example serverclass.conf located in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons. You can copy this file to %SPLUNK_HOME%\etc\system\local on your deployment server and edit it to suit your needs.

2. Make sure that you have made all necessary edits to the add-ons you want to deploy into %SPLUNK_HOME%\etc\deployment-apps, as described in "Make configuration changes to match your existing environment".

3. In %SPLUNK_HOME%\etc\system\local\serverclass.conf ensure that the components you want to deploy are configured to be pushed to the right servers:

  • Each universal forwarder gets the appropriate add-ons for the Exchange Server roles running on that system.
  • Indexers in the central Splunk App for Microsoft Exchange instance get all of the add-ons.
  • Search heads in the central instance get the app and all of the add-ons.

Push the components to their respective locations

Once you've completed all desired configuration changes, push the prepared components to their respective locations in your infrastructure:

1. On the deployment server, run the following command to reload the deployment server and update the various Splunk instances:

%SPLUNK_HOME%\bin\splunk reload deploy-server

2. After a few minutes, check that the deployment was pushed correctly with the following command:

%SPLUNK_HOME%\bin\splunk list deploy-clients

3. Wait 10 minutes, then follow the instructions in "Log in and get started" in this manual to view the Splunk App for Microsoft Exchange overview dashboard and confirm that data is coming into the app.

This documentation applies to the following versions of MSExchange: 3.0 , 3.0.1 , 3.0.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!