Install the central Splunk for Microsoft Exchange app instance
The central component of a Splunk App for Microsoft Exchange deployment is the Splunk indexer (and, optionally, any search heads that search against it). You install the following components:
- If you have a Splunk installation with both the indexer and Splunk Web running on the same instance, install the entire contents of the app on that instance.
- If you have indexer(s) and search head(s) on separate systems:
  - Indexers get all of the forwarder application components (FACs).
  - Search heads get the full package (all the FACs and the Splunk-for-Exchange component).
As discussed in "Platform and hardware requirements" and "Other deployment considerations" in this manual, your Splunk instance(s) must be provisioned to support the level of indexing and interaction with the Splunk Web interface you anticipate for your deployment.
Any Splunk instance that includes an indexer will be acting as a receiver. It will receive data from the Exchange servers, which will in turn be configured as forwarders.
Install Splunk
If you're not using an existing Splunk installation, download the full Splunk package for your platform, and follow the installation instructions in the core Splunk documentation. Make sure you get the right package (32- or 64-bit) for your platform.
Install the Sideview Utils app
Download and install Sideview Utils 1.15 or later.
Install the central instance of Splunk App for Microsoft Exchange
This procedure assumes you have already installed Splunk on the host you intend to use as the indexer for your Exchange data.
1. Copy the Splunk-for-Exchange-vX.XX.zip file to the $SPLUNK_HOME\etc\apps directory of your Splunk instance.
2. Unzip the file into the directory.
3. Restart Splunk.
4. Log back in to Splunk.
Install the forwarder application components
The central Splunk for Microsoft Exchange instance must have all of the forwarder application components installed. To install the components:
1. Locate the fwd_apps.zip file. It is found in %SPLUNK_HOME%\etc\apps\Splunk-for-Exchange\appserver\static.
2. Unpack this file into %SPLUNK_HOME%\etc\apps.
3. Make sure that the files are readable by the user Splunk runs as. At a minimum, on Windows systems, the files need to be readable by the SYSTEM user. On *nix systems, the files need to be readable by the splunk or root user, whichever Splunk runs as.
4. Restart Splunk.
5. Log back in to Splunk.
Configure Splunk to receive the data from the forwarders on your Exchange servers
You can enable receiving on a Splunk instance through Splunk Web or the CLI.
Important: By default, the Splunk App for Microsoft Exchange configures your instance of Splunk to receive data over TCP port 9997. If you need this to be a different port, you can change this value, and you'll also need to change it in the outputs.conf file on each instance configured to forward to this one. The receiving port accepts Splunk-to-Splunk connections from any host that can reach it, so restrict it at the host or network firewall to your Exchange servers.
Set up receiving with Splunk Web
Use Splunk Manager to set up a receiver:
1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder.
2. Click Manager in the upper right corner.
3. Select Forwarding and receiving in the Data area.
4. Click Add new in the Receive data section.
5. Specify which TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd (by default 8000 and 8089, respectively).
6. Click Save. You must restart Splunk to complete the process.
Set up receiving with Splunk CLI
To access the CLI, first navigate to $SPLUNK_HOME\bin\. This is unnecessary if you have added Splunk to your path.
To enable receiving, enter:
./splunk enable listen <port> -auth <username>:<password>
If you omit -auth, you'll be prompted for your Splunk username (by default admin) and password.
For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd (by default 8000 and 8089, respectively).
To disable receiving, enter:
./splunk disable listen -port <port> -auth <username>:<password>
If you omit -auth, you'll be prompted for your Splunk username (by default admin) and password.
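The port check and the two configuration sides that must agree on the port (the receiver's listen stanza and the forwarders' outputs.conf) are shown below as an added example; this script is not part of the Splunk App for Microsoft Exchange or its documentation. It assumes the Linux netstat -an column layout (local address in the fourth column), and the hostname idx01.example.com and the output group name exchange_indexers are placeholders. The [splunktcp://<port>] and [tcpout:<group>] stanzas are the standard Splunk inputs.conf and outputs.conf forms; the inputs.conf stanza is the equivalent of what "splunk enable listen <port>" sets up.

```shell
#!/bin/sh
# Added example, not part of the Splunk App for Microsoft Exchange documentation.
# Picks a free receiving port from a netstat -an listing, then prints the two
# configuration sides that must agree on that port: the receiver's inputs.conf
# stanza and the outputs.conf stanza for the Exchange-server forwarders.

# Constructed sample of Linux "netstat -an" output standing in for a live host.
# splunkweb (8000) and splunkd management (8089) are listening; 9997 is free.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8065          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8089           10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# port_listening PORT NETSTAT_TEXT
# Returns 0 if any socket in NETSTAT_TEXT is in LISTEN state on PORT.
# Assumes the Linux netstat layout: local address in column 4, port after the last colon.
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# choose_port PREFERRED NETSTAT_TEXT
# Prints PREFERRED if nothing is listening on it, otherwise the next free port above it.
choose_port() {
    candidate=$1
    while port_listening "$candidate" "$2"; do
        candidate=$((candidate + 1))
    done
    printf '%s\n' "$candidate"
}

# receiver_inputs_conf PORT
# The splunktcp input stanza equivalent to "splunk enable listen PORT" on the receiver.
receiver_inputs_conf() {
    printf '[splunktcp://%s]\ndisabled = 0\n' "$1"
}

# forwarder_outputs_conf RECEIVER_HOST PORT
# The outputs.conf stanza each Exchange server needs so it forwards to RECEIVER_HOST:PORT.
# "exchange_indexers" is an illustrative group name, not one the app defines.
forwarder_outputs_conf() {
    printf '[tcpout]\ndefaultGroup = exchange_indexers\n\n'
    printf '[tcpout:exchange_indexers]\nserver = %s:%s\n' "$1" "$2"
}

# Stand-alone run against the constructed sample.
PORT=$(choose_port 9997 "$SAMPLE_NETSTAT")
echo "Receiving port: $PORT"
echo "Enable it with: \$SPLUNK_HOME/bin/splunk enable listen $PORT -auth <username>:<password>"
echo "--- receiver inputs.conf ---"
receiver_inputs_conf "$PORT"
echo "--- forwarder outputs.conf (idx01.example.com is a placeholder hostname) ---"
forwarder_outputs_conf idx01.example.com "$PORT"
```

On Windows, netstat -an puts the local address in the second column and reports the state as LISTENING, so the awk filter needs adjusting there. Whatever port you settle on, every Exchange server's outputs.conf must name that same host:port, or the forwarders connect to nothing and their data queues up locally.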
- Read "Set up forwarding and receiving" in the core Splunk product documentation for an introduction to forwarding and receiving.
- Read "Configure forwarders with outputs.conf" in the core Splunk documentation for information about outputs.conf.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0