Deploy and Use the Splunk App for Microsoft Exchange

 


What data the Splunk App for Microsoft Exchange collects


The add-ons included with the Splunk App for Microsoft Exchange collect data from your Windows, Active Directory, and Exchange servers. They then send the data to an indexer, and the app uses the indexed data in its dashboards, charts, and reports. This topic discusses the specifics of the data that the app collects and displays.

The Splunk App for Microsoft Exchange collects the following data using file inputs:

  • Internet Information Server (IIS) logs for the Exchange servers whose designated roles require IIS
  • Performance monitoring data
  • Active Directory logs (via the Splunk Add-on for Windows and the Active Directory add-ons included with the Splunk App for Microsoft Exchange)
  • Windows network, host, and printer monitoring information (via the Splunk Add-on for Windows)
  • Windows Event logs (via the Splunk Add-on for Windows):
    • Security Logs
    • Exchange audit logs
    • Application logs, such as Forefront Protection Services (FPS) security logs

The Splunk App for Microsoft Exchange collects the following data using scripted inputs:

  • Senderbase/reputation data. This feature needs internet access to function, as it looks up the reputation score for your email users.
  • Topology and Health information
  • Mailbox Server health and usage information


Where the Splunk App for Microsoft Exchange sends its data

The Splunk App for Microsoft Exchange puts the data it indexes into several indexes:

  • The Exchange, IIS, and application logs get indexed into the msexchange index.
  • The performance monitor logs get indexed into the perfmon index.

These indexes must be present on the indexer.
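The following check is an added example, not part of the Splunk documentation or the app: it parses indexes.conf text and reports whether the `msexchange` and `perfmon` indexes named above are defined with their path settings. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

REQUIRED_INDEXES = ("msexchange", "perfmon")  # index names from this page
REQUIRED_KEYS = ("homePath", "coldPath", "thawedPath")  # paths each index stanza needs

# Constructed sample: perfmon is defined, msexchange is only present as a comment.
SAMPLE_INDEXES_CONF = """\
# indexes.conf (constructed sample)
[perfmon]
homePath   = $SPLUNK_DB/perfmon/db
coldPath   = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb

# [msexchange]
# homePath = $SPLUNK_DB/msexchange/db
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_indexes(text):
    """Map each required index to a list of problems (empty list = OK)."""
    stanzas = parse_conf(text)
    report = {}
    for name in REQUIRED_INDEXES:
        if name not in stanzas:
            report[name] = ["stanza missing"]
        else:
            report[name] = [f"{k} not set" for k in REQUIRED_KEYS if k not in stanzas[name]]
    return report

if __name__ == "__main__":
    for index, problems in check_indexes(SAMPLE_INDEXES_CONF).items():
        print(index, "OK" if not problems else "; ".join(problems))
```

Because settings can be spread across several indexes.conf files, run the check against the merged output of `splunk btool indexes list` on the indexer rather than a single file.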

This documentation applies to the following versions of MSExchange: 3.1.0, 3.1.1

