Splunk® Supported Add-ons

Splunk Add-on for Microsoft Exchange

Troubleshoot TA-Exchange-Mailbox

The TA-Exchange-Mailbox add-on should install on your Exchange Server hosts without problems as long as you configure it for the version of Exchange Server you run before you deploy it. If you do not configure the add-on for your version of Exchange Server before you deploy it, then the add-on only collects data inputs that are common to all supported versions of the Exchange Server. This results in missing data that is specific to your version of the Exchange Server. See Configure TA-Exchange-Mailbox for the procedure to configure the add-on and distribute it to your Exchange Server hosts.

In a database availability group (DAG), the read-audit-logs script indexes data only for the mailbox server on which it runs. You must therefore enable the script on every server in the DAG.

Problem: Mailbox Audit Data is not collected

See the following solution:

  1. Ensure that the SplunkForwarder service is running, and that the Domain User Account has Records Management and Organization Management roles.
  2. Ensure that records are generated by the Exchange Server by running the following command in the Exchange Management Shell with the user account configured in the SplunkForwarder service. If records are not generated, please reach out to your internal team for the required configuration:
    ## To check whether any mailbox audit log was generated for a particular user (Identity) in the last 1 month. Replace <identity> with the actual value ##
    Search-MailboxAuditLog -Identity <identity> -LogonTypes Owner,Delegate,Admin -ShowDetails -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)
    

Problem: Admin Audit Data is not collected

See the following solution:

  1. Ensure that the SplunkForwarder service is running, and that the Domain User Account has Records Management and Organization Management roles.
  2. Ensure that records are generated by the Exchange Server by running the following command in the Exchange Management Shell with the user account configured in the SplunkForwarder service. If records are not generated, please reach out to your internal team for the required configuration:
    ## To check whether any admin audit log was generated in the last 1 month ##
    Search-AdminAuditLog -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)
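
The two checklists above can be run as a single pre-flight check on each Exchange Server host. The following script is an added example, not part of the add-on or of the Splunk documentation. The parameter names, the 10-record cap, and the summary field names are assumptions made for illustration, and the role group check covers direct membership only.

```powershell
# Added example. Run in the Exchange Management Shell, signed in as the
# account configured for the SplunkForwarder service.
param(
    [Parameter(Mandatory)] [string] $Identity,     # mailbox to test (hypothetical parameter name)
    [string] $ServiceName = 'SplunkForwarder'      # service named in step 1
)

$start   = (Get-Date).AddMonths(-1)
$end     = Get-Date
$results = [ordered]@{}

# Step 1a: is the forwarder service running, and under which account?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$results['ServiceRunning'] = ($null -ne $svc -and $svc.State -eq 'Running')
$results['ServiceAccount'] = if ($svc) { $svc.StartName } else { $null }

# Reduce DOMAIN\user or user@domain to the bare account name for comparison.
$account = "$($results['ServiceAccount'])"
$sam = if ($account -match '\\') { $account.Split('\')[-1] }
       elseif ($account -match '@') { $account.Split('@')[0] }
       else { $account }

# Step 1b: direct membership in the two role groups the add-on needs.
# Membership granted through a nested group is not detected here.
foreach ($group in 'Records Management', 'Organization Management') {
    $members = @(Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue)
    $results["MemberOf: $group"] = [bool]($members |
        Where-Object { $_.SamAccountName -eq $sam -or $_.Name -eq $sam })
}

# Step 2: does Exchange return any audit records for the last month?
# -ResultSize 10 keeps the check fast; only "any records at all" matters.
$mbx = @(Search-MailboxAuditLog -Identity $Identity -LogonTypes Owner,Delegate,Admin `
        -ShowDetails -StartDate $start -EndDate $end -ResultSize 10 `
        -ErrorAction SilentlyContinue)
$adm = @(Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize 10 `
        -ErrorAction SilentlyContinue)
$results['MailboxAuditRecords'] = ($mbx.Count -gt 0)
$results['AdminAuditRecords']   = ($adm.Count -gt 0)

# One row per host; every value except ServiceAccount should be True.
[pscustomobject]$results | Format-List
```

A False value for either audit-record field, with the service running and both role groups present, points to audit logging configuration on the Exchange side rather than to the add-on.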
    
Last modified on 16 July, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

