Splunk® Supported Add-ons

Splunk Add-on for Microsoft Exchange

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Troubleshoot TA-Exchange-Mailbox

The TA-Exchange-Mailbox add-on should install on your Exchange Server hosts without problems as long as you configure it for the version of Exchange Server you run before you deploy it.

If you do not configure the add-on for your version of Exchange Server before you deploy it, then the add-on only collects data inputs that are common to all supported versions of Exchange Server. This results in missing data that is specific to your version of Exchange Server. See Configure TA-Exchange-Mailbox for the procedure to configure the add-on and distribute it to your Exchange Server hosts.

If you upgrade from an earlier version of the Splunk App for Microsoft Exchange, complete the upgrade instructions in the Splunk App for Microsoft Exchange manual to ensure that the add-on collects all Exchange Server data for the version of Exchange Server that you run.

In DAG, read-audit-logs_2010_2013.ps1 script will index the data of the mailbox server only where this script is running. So it is required to enable this script on all servers in DAG.

Mailbox audit log collection failure

Mailbox audit log collection failure produces the below error log.

Search-MailboxAuditLog : The requesting account doesn't have permission to access the audit log.
At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-Mailbox\bin\powershell\read-mailbox-audit-logs_2010_2013.ps1:49char:2
+     Search-MailboxAuditLog -Identity $Identity -LogonTypes Owner,Delegate,Admin -Sh ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogAccessDeniedException
    + FullyQualifiedErrorId : [Server=SRRZ2EXC01,RequestId=a61a5900-6e29-4b12-b703-680246db44d4,TimeStamp=16.11.2016 0
   7:25:13] [FailureCategory=Cmdlet-AuditLogAccessDeniedException] 55A06F96,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog


There are two workarounds for this error.

Run Splunk as a local system account

This error might occur when the Splunk Forwarder Service isn't running as a local sytem account. Complete the following steps on the forwarder machine to run Splunk as a local system account:

  1. Navigate to Services.
  2. Right click on SplunkForwarder Service.
  3. Click on Properties.
  4. Navigate to the Log On tab.
  5. Select Local System Account.
  6. Click Apply.
  7. Restart the Splunkforwarder service.

Ensure the mailbox audit log script is able to read the timestamp of each mailbox

This error might also occur when the mailbox audit log script is unable to read the timestamp of each mailbox. Complete the following steps to fix this issue:

  1. Navigate to C:/Windows/Temp on your Forwarder/Exchange Server machine.
  2. Delete splunk-msexchange-auditfile.clixml and splunk-msexchange-mailboxauditlogs.clixml.
Last modified on 28 July, 2022
Configure TA-Exchange-Mailbox
Overview of TA-Exchange-HubTransport

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters