Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Make configuration changes to match your existing environment

As discussed in "Other deployment considerations", if you have an existing Splunk deployment, you should edit some of the configurations in the Splunk App for Microsoft Exchange before deploying it. This topic provides examples of the kind of edits you should make.

  • For information about how Splunk configuration files work, refer to "About configuration files" in the core Splunk product documentation.

Change the index that the indexed data is sent to

1. Unpack the full Splunk-for-Exchange-vX.XX.zip package.

Note: If you're planning to use a deployment server to deploy the forwarder components, unpack the Splunk-for-Exchange\appserver\static\fwd-apps.zip sub-package into $SPLUNK_HOME\etc\deployment-apps on your central Splunk instance.

2. In each fwd_*\local directory, create an inputs.conf.

3. Copy the relevant input stanza from the fwd_* app's default\inputs.conf into the newly created inputs.conf.

4. Add the new index to that stanza by specifying the appropriate index= attribute/value pair.

  • For example, if you want your Message Tracking logs to go into an index called "msexchange", make a copy of the stanza for that particular input, put it in the new inputs.conf in fwd-exchange2007-hub\local\, and add the attribute/value pair index=msexchange to it so that it looks like this:
	[monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
	whitelist=\.log$|\.LOG$
	sourcetype=MSExchange:2007:MessageTracking
	index=msexchange
	queue=parsingQueue
	disabled=false

5. In the Splunk-for-Exchange\local directory, create an eventtypes.conf.

6. Copy the relevant event type stanza from Splunk-for-Exchange\default\eventtypes.conf into this file.

7. Add the new index to that stanza.

  • Continuing from the previous example, the [msexchange-msgtrack] stanza searches the Message Tracking logs. Copy that stanza into Splunk-for-Exchange\local\eventtypes.conf and add index=msexchange like this:
	[msexchange-msgtrack]
	search = index=msexchange ((sourcetype=MSExchange:*:MessageTracking) OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))

8. Repeat steps 2 through 7 for every input that you want to send to a specific index.
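The inputs.conf and eventtypes.conf edits in steps 2 through 7 have to agree: if an input sends data to a custom index but the matching event type does not search that index, the Message Tracking events are indexed but never found by the app. The following check is an added example, not part of the Splunk app; the function names `parse_conf` and `index_mismatches` are hypothetical and the sample stanzas are constructed from the ones shown above.

```python
import re
from fnmatch import fnmatchcase

# Constructed samples based on the stanzas shown above.
INPUTS = r"""
[monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
sourcetype=MSExchange:2007:MessageTracking
index=msexchange
"""
EVENTTYPES_OK = """
[msexchange-msgtrack]
search = index=msexchange ((sourcetype=MSExchange:*:MessageTracking) OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))
"""
# Constructed: the same event type without the index clause.
EVENTTYPES_STALE = EVENTTYPES_OK.replace("index=msexchange ", "")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def index_mismatches(inputs_text, eventtypes_text):
    """Return (input, event type, index) where the search omits the input's index."""
    problems, eventtypes = [], parse_conf(eventtypes_text)
    for in_name, cfg in parse_conf(inputs_text).items():
        index, stype = cfg.get("index"), cfg.get("sourcetype", "").lower()
        if not index or not stype:
            continue
        for et_name, et in eventtypes.items():
            search = et.get("search", "")
            pats = re.findall(r'sourcetype="?([^\s()"]+)', search)
            if not any(fnmatchcase(stype, p.lower()) for p in pats):
                continue  # this event type does not cover the input's sourcetype
            if index not in re.findall(r'index="?([^\s()"]+)', search):
                problems.append((in_name, et_name, index))
    return problems

if __name__ == "__main__":
    for p in index_mismatches(INPUTS, EVENTTYPES_STALE):
        print("event type %s does not search index %s (input %s)" % (p[1], p[2], p[0]))
```

Run it against the local\inputs.conf of each forwarder app and Splunk-for-Exchange\local\eventtypes.conf before deploying; an empty result means every redirected input is covered by an event type that searches its index.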

Configure the reputation checking component to use your outbound mail servers when it is deployed

This procedure assumes you've already unpacked the app package as described in the previous section.

1. In the fwd_reputation\local directory, create a reputation.conf.

2. Add a [mailservers] stanza to this file. Within the stanza, list the IP addresses of your outbound mail servers, like this:

	[mailservers]
	iplist = 64.127.105.57; 64.127.105.59

Note: IP addresses are separated by semicolons within stanzas in reputation.conf.

Last modified on 13 September, 2011

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0

