Deploy and Use the Splunk App for Microsoft Exchange

What data the Splunk App for Microsoft Exchange collects

The Splunk App for Microsoft Exchange's associated add-ons collect data from your Exchange servers. They then send the data to an index, which the app uses in its dashboards, charts, and reports. This topic discusses the specifics of the data that the app collects and displays.

The Splunk App for Microsoft Exchange collects the following data using file inputs:

  • Internet Information Services (IIS) logs for the Exchange servers whose designated roles require IIS.
  • Performance monitoring data.
  • Active Directory logs (via the Splunk Add-on for Windows and the Active Directory add-ons included with the Splunk App for Microsoft Exchange.)
  • Windows network, host, and printer monitoring information (via the Splunk Add-on for Windows.)
  • Windows Event logs (via the Splunk Add-on for Windows):
    • Security Logs
    • Exchange audit logs
    • Application logs, such as Forefront Protection Services (FPS) security logs

The Splunk App for Microsoft Exchange collects the following data using scripted inputs:

  • Senderbase/reputation data. This feature needs internet access to function, because the script looks up reputation scores for email senders. The host that runs it therefore needs an outbound allowance for that lookup; scope that allowance to the lookup rather than giving Exchange servers or forwarders general internet access.
  • Topology and Health information
  • Mailbox Server health and usage information

Important: The Splunk App for Microsoft Exchange does not use the main index. It puts the data it indexes into two indexes:

  • The Exchange, IIS, and application logs get indexed into the msexchange index.
  • The performance monitor logs get indexed into the perfmon index.

Both indexes must exist on every indexer that receives forwarded Exchange data, because an indexer drops events that arrive for an index it does not have. Any Splunk role that uses the app's dashboards must also be allowed to search both indexes.


Where and how the Splunk App for Microsoft Exchange expects to find your logs

The Splunk App for Microsoft Exchange assumes that all your Exchange servers send log data to their default locations. If this is not true, then you must configure the relevant add-ons to tell the Splunk App for Microsoft Exchange to look in the right place for your Exchange, Windows, and Active Directory data.

To make edits to add-ons within the Splunk App for Microsoft Exchange directory store:

1. Using Explorer, a command prompt, or a PowerShell instance, navigate to the copy of the add-on that you want to edit:

  • If you have not yet deployed the add-on, it is in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\<Addon-Name> on the central Splunk instance.
  • If you are using a deployment server, edit the copy in %SPLUNK_HOME%\etc\deployment-apps\<Addon-Name> on the deployment server, so that the change reaches every forwarder that receives the add-on.
  • If you are not using a deployment server, edit the copy installed on each universal forwarder (normally %SPLUNK_HOME%\etc\apps\<Addon-Name>).

2. In that add-on directory, make a copy of default\inputs.conf and place it in local\ (create local\ if it does not exist). Do not edit default\inputs.conf itself: an upgrade of the app or add-on overwrites it.

3. Edit local\inputs.conf and change the file paths in the relevant input stanzas, for example the path in a [monitor://<path>] stanza header, to the locations your servers use. Splunk Enterprise merges default\ and local\ stanza by stanza, so a stanza that exists only in default\ stays active. When you change the path in a stanza header, also keep a stanza with the original header in local\inputs.conf that sets disabled = 1; otherwise the forwarder keeps monitoring the default path as well as the new one. You can delete stanzas you did not change from local\inputs.conf; they would only duplicate the defaults.

4. Save the file.

5. If you have already deployed, restart the Splunk forwarder. If you use a deployment server, reload it (splunk reload deploy-server) so that it pushes the updated add-on to the forwarders.
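The steps above as an added PowerShell example. This is not code from the Splunk documentation or from the app: it writes a local\inputs.conf that disables the original monitor stanza and re-creates it with the same settings under the new path, so the default\ stanza cannot silently stay active. The add-on root, the original path and the new path in the usage call are hypothetical values, not paths taken from the add-on.

```powershell
# Added example, not from the Splunk documentation or the app: point one file-monitor
# input of an add-on at a new log location by writing local\inputs.conf.
# The add-on root, the original path and the new path in the usage call are hypothetical.
function Set-SplunkMonitorPath {
    param(
        [Parameter(Mandatory)] [string] $AddonRoot,  # <deployment-apps or etc\apps>\<Addon-Name>
        [Parameter(Mandatory)] [string] $OldPath,    # path in the default [monitor://...] stanza header
        [Parameter(Mandatory)] [string] $NewPath     # where the logs really are on the Exchange server
    )
    $defaultConf = Join-Path $AddonRoot 'default\inputs.conf'
    $localDir    = Join-Path $AddonRoot 'local'
    $localConf   = Join-Path $localDir  'inputs.conf'
    if (-not (Test-Path $defaultConf)) { throw "No default\inputs.conf under $AddonRoot" }
    if (-not (Test-Path $NewPath)) {
        # Expected on a deployment server; on a forwarder it means the new path is wrong.
        Write-Warning "$NewPath does not exist on this host"
    }

    # Parse default\inputs.conf into stanzas so the settings of the old stanza
    # (sourcetype, index, ...) are carried over to the new path unchanged.
    $stanzas = [ordered]@{}
    $current = $null
    foreach ($line in Get-Content $defaultConf) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $current = $Matches[1]; $stanzas[$current] = @(); continue }
        if ($null -ne $current -and $line -notmatch '^\s*(#|;|$)') { $stanzas[$current] += $line.Trim() }
    }
    $oldStanza = "monitor://$OldPath"
    if (-not $stanzas.Contains($oldStanza)) { throw "Stanza [$oldStanza] not found in $defaultConf" }
    $settings = @($stanzas[$oldStanza] | Where-Object { $_ -notmatch '^disabled\s*=' })

    # local\ overrides default\ by stanza name, so a renamed header alone would leave the
    # default stanza active: keep the old header and disable it explicitly.
    $out = @("[$oldStanza]", 'disabled = 1', '', "[monitor://$NewPath]") + $settings + @('disabled = 0')
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null
    Set-Content -Path $localConf -Value $out -Encoding ASCII
    return $localConf
}

# Usage with hypothetical paths. Afterwards restart the forwarder, or on a deployment
# server run "splunk reload deploy-server" so that the updated add-on is pushed out.
Set-SplunkMonitorPath -AddonRoot "$env:SPLUNK_HOME\etc\deployment-apps\TA-Windows-2008R2-Exchange-IIS" `
                      -OldPath 'C:\inetpub\logs\LogFiles' -NewPath 'D:\IISLogs'
```

Run it on the deployment server (or on each forwarder when you do not use one), then check the result with splunk btool inputs list --debug on a forwarder: the old stanza must show disabled = 1 coming from local\inputs.conf, and the new stanza must carry the sourcetype and index from the default stanza.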

Log format

The Splunk App for Microsoft Exchange also assumes you haven't changed the format of the logs. If you have changed the log format in any way (for example, by adding, removing, or reordering the fields that IIS writes), then you must configure both the app on the central Splunk instance and the relevant IIS add-on (TA-Windows-2003-Exchange-IIS or TA-Windows-2008R2-Exchange-IIS) on the servers that produce the logs, to tell the Splunk App for Microsoft Exchange how to process those logs.

To reconfigure the add-on to understand the changed log format:

1. In the %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\<Addon-Name> directory, where <Addon-Name> is TA-Windows-2003-Exchange-IIS or TA-Windows-2008R2-Exchange-IIS, make a copy of default\transforms.conf.

2. Put this file in local\.

Note: If you've already deployed the app, make the copy in the deployed copy of the add-on instead (on the deployment server or on each forwarder, as described above for inputs.conf): copy its default\transforms.conf into its local\ directory.

3. Edit local\transforms.conf to modify the field extractions to match the log format you use. Keep the stanza name unchanged, because the add-on's props.conf refers to the extraction by that name.

  • In the TA-Windows-2003-Exchange-IIS add-on, the [mswin_2003_iis_fields] stanza defines the field extractions.
  • In the TA-Windows-2008R2-Exchange-IIS add-on, the [mswin_2008r2_iis_fields] stanza defines the field extractions.

Note: Refer to "Create and maintain search-time field extractions through configuration files" in the core Splunk Enterprise documentation for information on how to edit transforms.conf.

4. Save the file.

5. If you have already deployed, restart the Splunk forwarder.

To configure the Splunk App for Microsoft Exchange to understand the changed log format:

1. In the %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange directory on the central Splunk instance, make a copy of default\transforms.conf.

2. Put this file in local\.

Note: The same paths apply whether or not you have already deployed the app: copy %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\transforms.conf to %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local\.

3. Edit local\transforms.conf to modify the field extractions so that they match the log format you're using. Make the same change that you made in the add-on, keeping the same stanza names, so that the app and the add-on define the fields identically.

Note: Refer to "Create and maintain search-time field extractions through configuration files" in the core Splunk Enterprise documentation for information on how to edit transforms.conf.

4. Save the file.

5. If you have already deployed, restart all servers in the central Splunk instance.
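Both transforms.conf procedures above (the add-on's and the app's) come down to making the field extraction list the columns that IIS actually writes. The following added PowerShell example, which is not code from the Splunk documentation or the add-on, derives that extraction from the "#Fields:" header of a W3C-format IIS log and refuses to emit it if any data line has a different column count. Two things are assumptions, not facts taken from the add-on: that the stanza is a delimiter-based DELIMS/FIELDS extraction, and the IIS-to-Splunk field-name convention (cs-uri-stem becomes cs_uri_stem). The sample log is constructed.

```powershell
# Added example, not from the Splunk documentation or the add-on: derive a
# delimiter-based field extraction for transforms.conf from the "#Fields:" header of
# a W3C-format IIS log, so FIELDS lists exactly the columns your servers write.
# Assumed here, not taken from the add-on: that the extraction is a DELIMS/FIELDS
# stanza, and the IIS-to-Splunk field-name convention (cs-uri-stem -> cs_uri_stem).
function New-IisFieldsStanza {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $StanzaName = 'mswin_2008r2_iis_fields'   # stanza name used by the add-on
    )
    $header = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No "#Fields:" header: not a W3C-format IIS log' }
    $iisFields = ($header -replace '^#Fields:\s*', '') -split '\s+'

    # Splunk field names should be letters, digits and underscores; IIS uses
    # names such as cs-uri-stem and cs(User-Agent).
    $splunkFields = $iisFields | ForEach-Object { (($_ -replace '[()]', '') -replace '-', '_') }

    # Sanity check before shipping the stanza: every data line must have exactly as
    # many space-separated columns as the header, or every extraction will be shifted.
    $bad = @($LogLines | Where-Object { $_ -and $_ -notlike '#*' } |
             Where-Object { ($_ -split ' ').Count -ne $iisFields.Count })
    if ($bad.Count -gt 0) { throw "Column count mismatch on $($bad.Count) line(s), first: $($bad[0])" }

    $quoted = $splunkFields | ForEach-Object { '"' + $_ + '"' }
    return @("[$StanzaName]", 'DELIMS = " "', ('FIELDS = ' + ($quoted -join ', '))) -join "`n"
}

# Constructed sample IIS log with a customized column set (no s-port, no cs-version).
$sample = @(
    '#Software: Microsoft Internet Information Services 7.5',
    '#Version: 1.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken',
    '2013-05-01 10:15:32 10.0.0.5 GET /owa/ - DOMAIN\alice 10.0.1.20 Mozilla/5.0 200 0 84',
    '2013-05-01 10:15:33 10.0.0.5 POST /ews/exchange.asmx - - 10.0.1.21 Microsoft+Office/14.0 401 2 5'
)
New-IisFieldsStanza -LogLines $sample
```

Paste the returned stanza into local\transforms.conf of the add-on and of the app, replacing the DELIMS and FIELDS lines under the existing stanza name; the name must stay the same so that the REPORT- setting in props.conf still finds it. Feed the function a log from each Exchange server that you changed, since IIS logging settings are per site and servers can drift apart.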

This documentation applies to the following versions of the Splunk App for Microsoft Exchange (MSExchange): 3.0, 3.0.1.

