Troubleshoot TA-Exchange-Mailbox
The TA-Exchange-Mailbox add-on should install on your Exchange Server hosts without problems as long as you configure it for the version of Exchange Server you run before you deploy it. If you do not configure the add-on for your version of Exchange Server before you deploy it, then the add-on only collects data inputs that are common to all supported versions of the Exchange Server. This results in missing data that is specific to your version of the Exchange Server. See Configure TA-Exchange-Mailbox for the procedure to configure the add-on and distribute it to your Exchange Server hosts.
In a DAG, the read-audit-logs script indexes data only from the mailbox server on which the script is running, so you must enable the script on all servers in the DAG.
Problem: Mailbox Audit Data is not collected
See the following solution:
- Ensure that the SplunkForwarder service is running, and that the Domain User Account has Records Management and Organization Management roles.
- Ensure that records are generated by the Exchange Server by running the following command in the Exchange Management Shell with the user account configured in the SplunkForwarder service. If records are not generated, please reach out to your internal team for the required configuration:
    ## To check whether any mailbox audit log was generated for a particular user (Identity) in the last 1 month. Replace <identity> with the actual value. ##
    Search-MailboxAuditLog -Identity <identity> -LogonTypes Owner,Delegate,Admin -ShowDetails -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)
Problem: Admin Audit Data is not collected
See the following solution:
- Ensure that the SplunkForwarder service is running, and that the Domain User Account has Records Management and Organization Management roles.
- Ensure that records are generated by the Exchange Server by running the following command in the Exchange Management Shell with the user account configured in the SplunkForwarder service. If records are not generated, please reach out to your internal team for the required configuration:
    ## To check whether any admin audit log was generated in the last 1 month ##
    Search-AdminAuditLog -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)
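The checks from both problems above can be combined into one pass. This is an added example, not part of the add-on or of Splunk's documentation; the function name `Test-ExchangeAuditPrerequisites` is hypothetical, and the `AuditEnabled` and `AdminAuditLogEnabled` lookups are extra context beyond the steps listed on this page. Run it in the Exchange Management Shell as the account configured in the SplunkForwarder service, because the two searches return what the current user is allowed to see.

```powershell
# Added example, not Splunk's code. Run in the Exchange Management Shell on the Exchange host.
function Test-ExchangeAuditPrerequisites {
    param(
        [Parameter(Mandatory)][string]$Identity,       # mailbox to sample (placeholder value)
        [string]$ServiceName = 'SplunkForwarder'       # service name as used on this page
    )

    # 1. Is the forwarder service running, and under which account?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' is not installed on this host." }

    # Reduce DOMAIN\user or user@domain to the bare account name.
    $sam = ($svc.StartName -split '\\')[-1] -replace '@.*$', ''

    # 2. Is that account a direct member of both role groups?
    #    Assumption: membership through nested groups is not resolved here.
    $missing = foreach ($group in 'Records Management', 'Organization Management') {
        $members = Get-RoleGroupMember -Identity $group -ResultSize Unlimited
        if (-not ($members | Where-Object { $_.SamAccountName -eq $sam })) { $group }
    }

    # 3. Does Exchange return audit records for the last month?
    $start = (Get-Date).AddMonths(-1)
    $end   = Get-Date
    $mailboxRecords = @(Search-MailboxAuditLog -Identity $Identity -LogonTypes Owner,Delegate,Admin `
                            -ShowDetails -StartDate $start -EndDate $end)
    $adminRecords   = @(Search-AdminAuditLog -StartDate $start -EndDate $end)

    # One summary object: a stopped service, a missing role group, or a zero
    # record count each point at a different cause of missing audit data.
    [pscustomobject]@{
        ServiceState        = $svc.State
        ServiceAccount      = $svc.StartName
        MissingRoleGroups   = @($missing) -join ', '
        MailboxAuditEnabled = (Get-Mailbox -Identity $Identity).AuditEnabled
        AdminAuditEnabled   = (Get-AdminAuditLogConfig).AdminAuditLogEnabled
        MailboxAuditRecords = $mailboxRecords.Count
        AdminAuditRecords   = $adminRecords.Count
    }
}

# Replace <identity> with an actual mailbox before running.
Test-ExchangeAuditPrerequisites -Identity '<identity>' | Format-List
```

In a DAG, repeat the check on each member server, since the script indexes only the server it runs on.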
This documentation applies to the following versions of Splunk® Supported Add-ons: released