Troubleshoot TA-Exchange-ClientAccess
The TA-Exchange-ClientAccess add-on should install on your Exchange Server hosts without problems as long as you configure it for the version of the Exchange Server you run before you deploy it.
If you do not configure the add-on for your version of the Exchange Server before you deploy it, then the add-on only collects data inputs that are common to all supported versions of the Exchange Server. This results in missing data that is specific to your version of the Exchange Server. See Configure TA-Exchange-ClientAccess for the procedure to configure the add-on and distribute it to your Exchange Server hosts.
If you upgrade from an earlier version of the Splunk App for Microsoft Exchange, complete the upgrade instructions in the Splunk App for Microsoft Exchange manual to ensure that the add-on collects all Exchange Server data for the version of Exchange Server that you run.
See the release notes for fixed and known issues.
Problem: Admin Audit Data is not collected
See the following solution:
- Ensure that the SplunkForwarder service is running, and the Domain User Account has Records Management and Organization Management roles.
- Ensure that records are generated by the Exchange Server by running the following command in the Exchange Management Shell with the user account configured in the SplunkForwarder service. If records are not generated, please reach out to your internal team for the required configuration:
## To check if any admin audit log is generated in last 1 month ## Search-AdminAuditLog -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)
Configure TA-Exchange-ClientAccess | Overview of TA-Exchange-Mailbox |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!