Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange

Download manual as PDF

Download topic as PDF

What data the Splunk App for Microsoft Exchange collects

The Splunk Add-ons for Microsoft Exchange, Microsoft Active Directory, and Windows DNS collect data from your Windows, Active Directory, and Exchange servers. They then send the data to an indexer, which the app uses in its dashboards, charts, and reports. This topic discusses the specifics of the data that the app collects and displays.

The Splunk Add-ons for Microsoft Exchange collects the following data using file inputs:

  • Internet Information Server (IIS) logs for the Exchange servers whose designated roles require IIS
  • Performance monitoring data.
  • Active Directory logs (via the Splunk Add-ons for Windows, Microsoft Active Directory, and Windows DNS)
  • Windows network, host, and printer monitoring information (via the Splunk Add-on for Windows.)
  • Windows Event logs (via the Splunk Add-on for Windows):
    • Security Logs
    • Exchange audit logs
    • Application logs, such as Forefront Protection Services (FPS) security logs

The Splunk Add-ons for Microsoft Exchange collects the following data using scripted inputs:

  • Senderbase/reputation data. This feature needs internet access to function, as it looks up the reputation score for your email users.
  • Topology and Health information
  • Mailbox Server health and usage information


Where the Splunk App for Microsoft Exchange sends its data

The Splunk App for Microsoft Exchange puts the data it indexes into several indexes:

  • The Exchange, IIS, and application logs get indexed into the msexchange index.
  • The performance monitor logs get indexed into the perfmon index.

These indexes must be present on the indexer.

PREVIOUS
Permissions checklist
  NEXT
What a Splunk App for Microsoft Exchange deployment looks like

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.3.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters