Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Additional tasks for the Exchange server roles

This topic discusses additional steps that you should complete on the Exchange servers in your network in order to prepare the Splunk for Exchange app for complete Exchange data analysis. Some of these steps may already be completed. This is a checklist to ensure that the Splunk for Exchange app gets the data it needs.

Additional tasks for servers running the Hub and Edge Transport roles

  1. Turn on Message Tracking from within Exchange System Manager.
  2. If you have installed Microsoft Forefront Security Suite for Exchange 2007, also deploy the fwd_exchange2007_forefront component.
  3. If you have moved the message tracking logs, ensure you also update the data input to reflect the new location.

Additional tasks for servers running the Client Access Server role

If you are running Post Office Protocol version 3 (POP3) or Internet Mail Access Protocol version 4rev1 (IMAP4), you must enable the POP3 and/or IMAP4 Transport Logs.

Note: Remember that you must restart either the POP3 or IMAP4 services after making changes to logging preferences.

Additional tasks for servers running the Mailbox Server role

Enable Exchange Audit logging

If you want to track Microsoft Outlook usage, enable Exchange Audit logging by executing the following PowerShell script:

powershell -File fwd_exchangeXXXX_store\bin\powershell\enable-audit-logs.ps1

This script enables the Exchange Audit log and sets the Diagnostic logging level to Medium. You must run this script on every Mailbox Server.

Note: By default, members of the Domain Admins and select other groups are exempt from auditing. You can change this in a few different ways (primarily by revoking the "Bypass Auditing" right in the schema) - consult your Exchange documentation.

Adjust the settings for the PowerShell Event log

The Splunk App for Microsoft Exchange makes extensive use of PowerShell to gather information about the Mailbox Server. Although not strictly required, we recommend you adjust the settings for the PowerShell Event log as follows:

  1. Open Event Viewer.
  2. Right-click the PowerShell Log and select Properties.
  3. Set the maximum size to 10,240 KB.
  4. Set Overwrite events as needed under Log size -> When maximum log size is reached.
  5. Click OK.
  6. Right-click the Windows PowerShell Log and select Properties.
  7. Set Overwrite events as needed under Log size -> When maximum log size is reached.
  8. Click OK.

If you need long term storage of the logs, we recommend you index the PowerShell log in Splunk.
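The same Event Viewer settings can be applied and checked from Windows PowerShell. This is an added example, not a script shipped with the app; it assumes the two logs are named 'PowerShell' and 'Windows PowerShell' internally (confirm with Get-EventLog -List) and that it runs in an elevated session on the Mailbox Server.

```powershell
# Added example: apply and verify the log settings from the steps above.
# Assumption: the log names below match this server; check Get-EventLog -List.
$targets = @(
    @{ Log = 'PowerShell';         MaxKB = 10240 },  # steps 2-5: size and overwrite
    @{ Log = 'Windows PowerShell'; MaxKB = $null }   # steps 6-8: overwrite only
)

$existing = Get-EventLog -List

foreach ($t in $targets) {
    $name = $t.Log
    if (-not ($existing | Where-Object { $_.Log -eq $name })) {
        Write-Warning "Event log '$name' not found on $env:COMPUTERNAME; skipping."
        continue
    }

    # Overwrite events as needed; set the maximum size only where the steps ask for it.
    $params = @{ LogName = $name; OverflowAction = 'OverwriteAsNeeded' }
    if ($t.MaxKB) { $params.MaximumSize = $t.MaxKB * 1KB }   # value is in bytes
    Limit-EventLog @params

    # Re-read the log properties so the result reflects what is actually configured.
    $after = Get-EventLog -List | Where-Object { $_.Log -eq $name }
    $sizeOk = (-not $t.MaxKB) -or ($after.MaximumKilobytes -eq $t.MaxKB)
    $modeOk = $after.OverflowAction -eq 'OverwriteAsNeeded'

    New-Object PSObject -Property @{
        Log              = $name
        MaximumKilobytes = $after.MaximumKilobytes
        OverflowAction   = $after.OverflowAction
        Compliant        = ($sizeOk -and $modeOk)
    } | Select-Object Log, MaximumKilobytes, OverflowAction, Compliant
}
```

With overwrite enabled, older PowerShell events are discarded once the log fills, so a row reporting Compliant as True says nothing about retention; indexing the log in Splunk covers that.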

Last modified on 14 September, 2011

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0

