Configure TA-Exchange-ClientAccess
The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server that you run.
Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an inputs.conf
file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.
Download and unpack the TA-Exchange-ClientAccess add-on
- Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
- Unpack the add-on bundle to an accessible location.
Create and edit inputs.conf
- Open a PowerShell window, command prompt, or Explorer window.
- Create a
local
directory within theTA-Exchange-ClientAccess
add-on. - Copy
inputs.conf
from theTA-Exchange-ClientAccess\default
directory to theTA-Exchange-ClientAccess\local
directory. - Use a text editor such as Notepad to open the
TA-Exchange-ClientAccess\local\inputs.conf
file for editing. - Modify the
inputs.conf
file so that the common data inputs and the inputs that are for the version of Exchange Server that you run are enabled. Do this by changingdisabled = true
todisabled = false
for all input stanzas that are associated with your version of Exchange Server. See the example inputs.conf later in this topic. - After you update the
inputs.conf
file, save it and close it.
Distribute the add-ons
If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.
If you run more than one version of Exchange Server in your environment, set up a deployment server for each version of Exchange. This is because the Splunk Add-ons for Microsoft Exchange include data inputs for all versions of Exchange Server.
- Copy the TA-Exchange-ClientAccess add-on to the
%SPLUNK_HOME%\etc\deployment-apps
directory on the deployment server. - Create a server class for all hosts that run Exchange Server and hold the Client Access Server role.
- Add all Exchange Server hosts that hold the Client Access Server role to this server class.
- Push the add-on to all hosts in this server class.
Example inputs.conf
The following inputs.conf
listing is an example of how you should configure the TA-Exchange-ClientAccess add-on for installation on an Exchange Server 2016 host that holds the Client Access Server role. In this example, the Exchange Server 2016 block has had its input stanzas changed from disabled = true
to disabled = false
. All other data input blocks have not been changed.
Remember to save the inputs.conf file after editing it, as changes do not take effect until the file has been saved and the add-on has been pushed to Exchange Server hosts.
################################################################################################## #User should enable the stanza specific to the exchange server version by setting disabled=false # ################################################################################################## ####Common Stanzas - Start#### [WinHostMon://Processes] index = windows interval = 10 disabled = false type = process [WinHostMon://Services] index = windows interval = 10 disabled = false type = service [perfmon://Total_Processor_Time] index=perfmon object=Processor counters=% Processor Time instances=_Total interval=10 disabled=false useEnglishOnly=true [perfmon://Processor] index=perfmon object=Processor counters=% User Time; % Privileged Time instances=_Total interval=10 disabled=false useEnglishOnly=true [perfmon://System] index=perfmon object=System counters=Processor Queue Length instances=* interval=10 disabled=false useEnglishOnly=true [perfmon://Available_Memory] index=perfmon object=Memory counters=Available MBytes; Page Reads/sec interval=10 disabled=false useEnglishOnly=true [perfmon://Memory] index=perfmon object=Memory counters=Pool Nonpaged bytes; Pool Paged bytes; Cache Bytes; Committed Bytes; %Committed Bytes in Use; Transition Pages Repurposed/sec; Pages/sec; Pages Input/sec; Pages Output/sec interval=10 disabled=false useEnglishOnly=true [perfmon://DotNET_CLR_Memory] index=perfmon object=.NET CLR Memory counters=% Time in GC; # Bytes in all Heaps instances=* interval=10 disabled=false useEnglishOnly=true [perfmon://Network_Utilization] index=perfmon object=Network Interface counters=Bytes Total/sec; Packets Outbound Errors instances=* interval=10 disabled=false useEnglishOnly=true [perfmon://TCPv4] index=perfmon object=TCPv4 counters=Connections Established; Connections Reset interval=10 disabled=false useEnglishOnly=true [perfmon://TCPv6] index=perfmon object=TCPv6 counters=Connection Failures interval=10 disabled=false useEnglishOnly=true [perfmon://MSExchange_Control_Panel] index=perfmon object=MSExchange Control Panel counters=Outbound Proxy Requests - Average Response Time; Requests - Average Response Time; ASP.Net Request Failures/sec; Explicit Sign-On Inbound Proxy Requests/sec; Explicit Sign-On Inbound Proxy Sessions/sec; Explicit Sign-On Outbound Proxy Requests/sec; Explicit Sign-On Outbound Session Requests/sec; Explicit Sign-On Standard RBAC Requests/sec; Explicit Sign-On Standard RBAC Sessions/sec; Inbound Proxy Requests/sec; Inbound Proxy Sessions/sec; Outbound Proxy Requests - Average Response Time; Outbound Proxy Requests/sec; Outbound Proxy Sessions/sec; PowerShell Runspaces - Activations/sec; PowerShell Runspaces - Average Active Time; PowerShell Runspaces/sec; RBAC Sessions/sec; Requests - Activations/sec; Requests - Average Response Time interval=10 disabled=false useEnglishOnly=true [perfmon://MSExchangePop3] index=perfmon object=MSExchangePop3 instances=_total counters=Connections Current; Connections Failed; Connections Rejected; Connections Total; Current Unauthenticated Connections; Unauthenticated Connections/sec; Proxy Current Connections; Proxy Connections Failed; Proxy Total Connections; Active SSL Connections; SSL Connections; Invalid Commands; Invalid Commands Rate; AUTH Failures; AUTH Rate; AUTH Total; CAPA Failures; CAPA Rate; CAPA Total; DELE Failures; DELE Rate; DELE Total; LIST Failures; LIST Rate; LIST Total; NOOP Failures; NOOP Rate; NOOP Total; PASS Failures; PASS Rate; PASS Total; QUIT Failures; QUIT Rate; QUIT Total; Request Failures; Request Rate; Request Total; RETR Failures; RETR Rate; RETR Total; RSET Failures; RSET Rate; RSET Total; STAT Failures; STAT Rate; STAT Total; STLS Failures; STLS Rate; STLS Total; TOP Failures; TOP Rate; TOP Total; UIDL Failures; UIDL Rate; UIDL Total; USER Failures; USER Rate; USER Total; XPRX Failures; XPRX Rate; XPRX Total; Average Command Processing Time (milliseconds); Connections Rate; Transient Mailbox Connection Failures/minute; Mailbox Offline Errors/minute; Transient Storage Errors/minute; Permanent Storage Errors/minute; Transient Active Directory Errors/minute; Permanent Active Directory Errors/minute; Transient Errors/minute; Average RPC Latency; Average LDAP Latency interval=30 disabled=false useEnglishOnly=true [perfmon://MSExchangeImap4] index=perfmon object=MSExchangeImap4 instances=_total counters=Current Connections; Connections Failed; Connections Rejected; Connections Total; Current Unauthenticated Connections; Unauthenticated Connections/sec; Proxy Current Connections; Proxy Connections Failed; Proxy Total Connections; Active SSL Connections; SSL Connections; Invalid Commands; Invalid Commands Rate; Append Failures; Append Rate; Append Total; Authenticate Failures; Authenticate Rate; Authenticate Total; Capability Failures; Capability Rate; Capability Total; Check Failures; Check Rate; Check Total; Close Failures; Close Rate; Close Total; Copy Failures; Copy Rate; Copy Total; Create Failures; Create Rate; Create Total; Delete Failures; Delete Rate; Delete Total; Examine Failures; Examine Rate; Examine Total; Expunge Failures; Expunge Rate; Expunge Total; Fetch Failures; Fetch Rate; Fetch Total; Idle Failures; Idle Rate; Idle Total; List Failures; List Rate; List Total; Login Failures; Login Rate; Login Total; Logout Failures; Logout Rate; Logout Total; LSUB Failures; LSUB Rate; LSUB Total; Namespace Failures; Namespace Rate; Namespace Total; NOOP Failures; NOOP Rate; NOOP Total; Rename Failures; Rename Rate; Rename Total; Request Failures; Request Rate; Request Total; Search Failures; Search Rate; Search Total; Select Failures; Select Rate; Select Total; STARTTLS Failures; STARTTLS Rate; STARTTLS Total; Status Failures; Status Rate; Status Total; Store Failures; Store Rate; Store Total; Subscribe Failures; Subscribe Rate; Subscribe Total; Unsubscribe Failures; Unsubscribe Rate; Unsubscribe Total; XPROXY Failures; XPROXY Rate; XPROXY Total; Average Command Processing Time (milliseconds); Connections Rate; SearchFolder Creation Rate; SearchFolder Creation Total; Folder View Reload Rate; Folder View Reload Total; Transient Mailbox Connection Failures/minute; Mailbox Offline Errors/minute; Transient Storage Errors/minute; Permanent Storage Errors/minute; Transient Active Directory Errors/minute; Permanent Active Directory Errors/minute; Transient Errors/minute; Average RPC Latency; Average LDAP Latency; Total IMAP UID Fixes; Current IMAP UID Fixes; Total IMAP UID Items Fixed interval=30 disabled=false useEnglishOnly=true [perfmon://MSExchange_Availability_Service] index=perfmon object=MSExchange Availability Service counters=Average Time to Process a Free Busy Request; Availability Requests (sec) interval=10 disabled=false useEnglishOnly=true [perfmon://MSExchange_FDS_OAB] index=perfmon object=MSExchangeFDS:OAB counters=Download Task Queued; Download Tasks Completed instances=* interval=10 disabled=false useEnglishOnly=true [perfmon://MSExchangeAutodiscover] index=perfmon object=MSExchangeAutodiscover counters=Requests/sec interval=10 disabled=false useEnglishOnly=true [perfmon://MSExchangeWS] index=perfmon object=MSExchangeWS counters=Requests/sec interval=10 disabled=false useEnglishOnly=true [perfmon://Web_Service] index=perfmon object=Web Service counters=Current Connections; Connection Attempts/sec; ISAPI Extension Requests/sec; Other Request Methods/sec instances=_Total interval=10 disabled=false useEnglishOnly=true ####Common Stanzas - End#### ###From Exchange app/add-on version 3.5.2,support for Exchange Server 2007 has ended.### ####Exchange Server 2007 - Start#### [perfmon://OWA_2007] index=perfmon object=MSExchange OWA counters=Average Response Time; Average Search Time; Requests/sec; Current Unique Users interval=10 disabled=true useEnglishOnly=true [perfmon://ActiveSync_2007] index=perfmon object=MSExchange ActiveSync counters=Average Request Time; Requests/sec; Ping Commands Pending; Sync Commands/sec; Sync Commands Pending; Current Requests interval=10 disabled=true useEnglishOnly=true [monitor://C:\Program Files\Microsoft\Exchange Server\Logging\RPC Client Access] whitelist=\.log$|\.LOG$ sourcetype=MSExchange:2007:RPCClientAccess queue=parsingQueue index=msexchange disabled=true [script://.\bin\exchangepowershell.cmd v8.0 get-hoststats_2007_2010.ps1] source=Powershell sourcetype=MSExchange:2007:Topology interval=300 index=msexchange disabled=true ####Exchange Server 2007 - End#### ####Exchange Server 2010 - Start#### [perfmon://OWA_2010] index=perfmon object=MSExchange OWA counters=Average Response Time; Average Search Time; Requests/sec; Current Unique Users interval=10 disabled=true useEnglishOnly=true [perfmon://ActiveSync_2010] index=perfmon object=MSExchange ActiveSync counters=Average Request Time; Requests/sec; Ping Commands Pending; Sync Commands/sec; Sync Commands Pending; Current Requests interval=10 disabled=true useEnglishOnly=true [perfmon://MSExchange_Throttling_2010] index=perfmon object=MSExchange Throttling instances=* counters=Average Thread Sleep Time; Active PowerShell Runspaces; Active PowerShell Runspaces/Sec; Exchange Executing Cmdlets; Exchange Executing Cmdlets/Sec; Organization Throttling Policy Cache Hit Count; Organization Throttling Policy Cache Miss Count; Organization Throttling Policy Cache Length; Organization Throttling Policy Cache Length Percentage; Throttling Policy Cache Hit Count; Throttling Policy Cache Miss Count; Throttling Policy Cache Length; Throttling Policy Cache Length Percentage interval=30 disabled=true useEnglishOnly=true [monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access] whitelist=\.log$|\.LOG$ sourcetype=MSExchange:2010:RPCClientAccess queue=parsingQueue index=msexchange disabled=true [script://.\bin\exchangepowershell.cmd v14 get-hoststats_2007_2010.ps1] source=Powershell sourcetype=MSExchange:2010:Topology interval=300 index=msexchange disabled=true [script://.\bin\exchangepowershell.cmd v14 get-throttling-policies_2010_2013.ps1] source=Powershell sourcetype=MSExchange:2010:ThrottlingPolicy interval=86400 index=msexchange disabled=true ####Exchange Server 2010 - End#### ####Exchange Server 2013/2016/2019 - Start#### [perfmon://MSExchange_Throttling_2013] index=perfmon object=MSExchange User Throttling instances=* counters=Unique Budgets OverBudget; Total Unique Budgets; Delayed Threads; Users At MaxConcurrency; Users Locked Out; Percentage Users Micro Delayed; Percentage Users At Maximum Delay; Number Of Users At Maximum Delay; Number Of Users Micro Delayed; Budget Usage Five Minute Window 99.9%; Budget Usage Five Minute Window 99%; Budget Usage Five Minute Window 75%; Average Budget Usage Five Minute Window; Budget Usage One Hour Window 99.9%; Budget Usage One Hour Window 99%; Budget Usage One Hour Window 75%; Average Budget Usage One Hour Window interval=30 disabled=false useEnglishOnly=true [perfmon://MSExchange_Authentication] index=perfmon object=MSExchange Authentication instances=_Total counters=Outstanding Authentication Requests; Total Authentication Requests; Rejected Authentication Requests; Authentication Latency interval=30 disabled=false useEnglishOnly=true [perfmon://MSExchange_SmtpReceive] index=perfmon object=MSExchangeFrontEndTransport SmtpReceive counters=Average bytes/inbound message; Inbound Messages Received/sec instances=_total interval=10 disabled=false useEnglishOnly=true [perfmon://MSExchange_SmtpSend] index=perfmon object=MSExchangeFrontEndTransport SmtpSend counters=Average message bytes/message; Messages Sent/sec instances=_total interval=10 disabled=false useEnglishOnly=true [monitor://C:\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access] whitelist=\.log$|\.LOG$ sourcetype=MSExchange:2013:RPCClientAccess queue=parsingQueue index=msexchange disabled=false [script://.\bin\exchangepowershell.cmd v15 get-hoststats_2013.ps1] source=Powershell sourcetype=MSExchange:2013:Topology interval=300 index=msexchange disabled=false [script://.\bin\exchangepowershell.cmd v15 get-throttling-policies_2010_2013.ps1] source=Powershell sourcetype=MSExchange:2013:ThrottlingPolicy interval=86400 index=msexchange disabled=false [script://.\bin\exchangepowershell_clientaccess2016.cmd v15 read-audit-logs_2016.ps1] source=Powershell sourcetype=MSExchange:2013:AdminAudit interval=300 index=msexchange disabled=false ####Exchange Server 2013/2016/2019 - End####
TA-Exchange-ClientAccess inputs | Troubleshoot TA-Exchange-ClientAccess |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!