Configure TA-Windows-Exchange-IIS
The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server and Windows Server that you run.
Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an inputs.conf file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.
Download and unpack the TA-Windows-Exchange-IIS add-on
- Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
- Unpack the add-on bundle to an accessible location.
Create and edit inputs.conf
- Open a PowerShell window, command prompt, or Explorer window.
- Create a local directory within the TA-Windows-Exchange-IIS add-on.
- Copy inputs.conf from the TA-Windows-Exchange-IIS\default directory to the TA-Windows-Exchange-IIS\local directory.
- Use a text editor such as Notepad to open the TA-Windows-Exchange-IIS\local\inputs.conf file for editing.
- Modify the inputs.conf file so that the common data inputs and the inputs that are for the version of Windows Server and Exchange Server that you run are enabled. Do this by changing disabled = true to disabled = false for all input stanzas that are associated with your version of Windows Server and Exchange Server. See the example inputs.conf later in this topic.
- After you update the inputs.conf file, save it and close it.
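The steps above, scripted in PowerShell as an added example that is not part of the Splunk documentation. The unpack path in $AddOn and the block names in $Blocks are assumptions, and the script relies on the "####<name> - Start####" and "####<name> - End####" comment markers that appear in the example inputs.conf in this topic.

```powershell
# Added example, not Splunk's own tooling. Adjust the two assumptions below.
$AddOn  = 'C:\Temp\TA-Windows-Exchange-IIS'              # assumed unpack location
$Blocks = @('Common Stanzas',
            'Windows Server Version 2012',
            'Exchange Server Version 2013/2016/2019')    # blocks to enable (assumed)

$default = Join-Path $AddOn 'default\inputs.conf'
$local   = Join-Path $AddOn 'local\inputs.conf'

# Create the local directory and copy the default inputs.conf into it.
New-Item -ItemType Directory -Path (Split-Path $local) -Force | Out-Null
Copy-Item -Path $default -Destination $local -Force

# Walk the file, tracking which "####<name> - Start####" block we are inside,
# and flip disabled = true to disabled = false only inside the chosen blocks.
$current = $null
$edited = foreach ($line in Get-Content -Path $local) {
    if ($line -match '^####(.+?) - Start####\s*$')   { $current = $Matches[1] }
    elseif ($line -match '^####(.+?) - End####\s*$') { $current = $null }

    if ($current -and ($Blocks -contains $current)) {
        # Keeps the original spacing around "="; lines that do not match pass through.
        $line -replace '^(\s*disabled\s*=\s*)true\s*$', '${1}false'
    } else {
        $line
    }
}
Set-Content -Path $local -Value $edited

# Review step: list every stanza that is now enabled before pushing the add-on.
$stanza = $null
foreach ($line in $edited) {
    if ($line -match '^\[(.+)\]\s*$') { $stanza = $Matches[1] }
    elseif ($line -match '^\s*disabled\s*=\s*false\s*$') { "enabled: $stanza" }
}
```

Review the "enabled:" list against the Windows Server and Exchange Server versions on the target hosts; a monitor stanza left enabled for a path that does not exist on the host collects nothing.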
Distribute the add-ons
If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.
- Copy the TA-Windows-Exchange-IIS add-on to the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server.
- Create a server class for all hosts that run Exchange Server and hold the Client Access role.
- Add all Exchange Server hosts that hold the Mailbox Server role to this server class.
- Push the add-on to all hosts in this server class.
Example inputs.conf
The following inputs.conf listing is an example of how you should configure the TA-Windows-Exchange-IIS add-on for installation on a Windows Server 2016 host that runs Exchange Server 2016 and holds the Client Access role. In this example, the Windows Server 2016 block has had its input stanza changed from disabled = true to disabled = false. All other data input blocks have not been changed.
Remember to save the inputs.conf file after editing it, as changes do not take effect until the file has been saved and the add-on has been pushed to Exchange Server hosts.
```
##################################################################################################
#User should enable the stanza specific to the exchange server version by setting disabled=false #
##################################################################################################

####Common Stanzas - Start####
[WinHostMon://Processes]
index = windows
interval = 10
disabled = false
type = process

[WinHostMon://Services]
index = windows
interval = 10
disabled = false
type = service

[perfmon://Total_Processor_Time]
index=perfmon
object=Processor
counters=% Processor Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Processor]
index=perfmon
object=Processor
counters=% User Time; % Privileged Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://System]
index=perfmon
object=System
counters=Processor Queue Length
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Available_Memory]
index=perfmon
object=Memory
counters=Available MBytes
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Memory]
index=perfmon
object=Memory
counters=Pool Nonpaged bytes; Pool Paged bytes; Cache Bytes; Committed Bytes; %Committed Bytes in Use; Transition Pages Repurposed/sec; Pages/sec; Pages Input/sec; Pages Output/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://DotNET_CLR_Memory]
index=perfmon
object=.NET CLR Memory
counters=% Time in GC; # Bytes in all Heaps
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Network_Utilization]
index=perfmon
object=Network Interface
counters=Bytes Total/sec; Packets Outbound Errors
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv4]
index=perfmon
object=TCPv4
counters=Connections Established; Connections Reset
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv6]
index=perfmon
object=TCPv6
counters=Connection Failures
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Control_Panel]
index=perfmon
object=MSExchange Control Panel
counters=Outbound Proxy Requests - Average Response Time; Requests - Average Response Time; ASP.Net Request Failures/sec; Explicit Sign-On Inbound Proxy Requests/sec; Explicit Sign-On Inbound Proxy Sessions/sec; Explicit Sign-On Outbound Proxy Requests/sec; Explicit Sign-On Outbound Session Requests/sec; Explicit Sign-On Standard RBAC Requests/sec; Explicit Sign-On Standard RBAC Sessions/sec; Inbound Proxy Requests/sec; Inbound Proxy Sessions/sec; Outbound Proxy Requests - Average Response Time; Outbound Proxy Requests/sec; Outbound Proxy Sessions/sec; PowerShell Runspaces - Activations/sec; PowerShell Runspaces - Average Active Time; PowerShell Runspaces/sec; RBAC Sessions/sec; Requests - Activations/sec; Requests - Average Response Time
interval=10
disabled=false
useEnglishOnly=true

[perfmon://ASP_NET]
index=perfmon
object=ASP.NET
counters=Requests Current; Request Wait Time; Application Restarts; Worker Process Restarts
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://ASP_NET_Applications]
index=perfmon
object=ASP.NET Applications
counters=Requests in Application Queue
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://RPC_HTTP_Proxy]
index=perfmon
object=RPC/HTTP Proxy
counters=Number of Failed Back-End Connection attempts per Second; Current Number of Incoming RPC over HTTP Connections; Current Number of Unique Users; \RPC/HTTP Requests per Second
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_RpcClientAccess]
index=perfmon
object=MSExchange RpcClientAccess
counters=RPC Averaged Latency; RPC Operations/sec; RPC Requests; Active User Count; Connection Count; User Count
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeAB]
index=perfmon
object=MSExchangeAB
counters=NSPI RPC Browse Requests Average Latency; NSPI RPC Requests Average Latency; Referral RPC Requests Average Latency; NSPI Connections Current; NSPI Connections/sec; Referral RPC Requests/sec
interval=10
disabled=false
useEnglishOnly=true
####Common Stanzas - End####

###From Exchange app/add-on version 3.5.2,support for Windows Server 2003 has ended.###
####Windows Server Version 2003 - Start####
[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1\W3SVC1\*.log]
sourcetype=MSWindows:2003:IIS
queue=parsingQueue
index=msexchange
disabled=true
####Windows Server Version 2003 - End####

####Windows Server Version 2008R2 - Start####
[monitor://C:\inetpub\logs\...\W3SVC1\*.log]
sourcetype=MSWindows:2008R2:IIS
queue=parsingQueue
index=msexchange
disabled=true
####Windows Server Version 2008R2 - End####

####Windows Server Version 2012 - Start####
[monitor://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype=MSWindows:2012:IIS
queue=parsingQueue
index=msexchange
disabled=false
####Windows Server Version 2012 - End####

####Exchange Server Version 2010 - Start####
[monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2010EWS:IIS
queue=parsingQueue
index=msexchange
disabled=true
initCrcLength=8192
####Exchange Server Version 2010 - End####

####Exchange Server Version 2013/2016/2019 - Start####
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2013EWS:IIS
queue=parsingQueue
index=msexchange
disabled=false
initCrcLength=8192
####Exchange Server Version 2013/2016/2019 - End####
```
This documentation applies to the following versions of Splunk® Supported Add-ons: released