What a Splunk App for Microsoft Exchange deployment looks like
This topic discusses the overall architecture of a Splunk App for Microsoft Exchange deployment.
Overview
At a minimum, the Splunk App for Microsoft Exchange is made up of a "central" Splunk instance (containing the index and running Splunk Web that users will access to view the app) and some number of universal forwarders--one for each Exchange server you want to include in the deployment.
Each of the universal forwarders is configured with a forwarder application component (FAC) to forward the data for the Exchange server role(s) performed by the Exchange server it is running on.
About Forwarder Application Components (FACs)
A forwarder application component (FAC) is a folder that contains files needed by the Splunk App for Microsoft Exchange to transform data for a specific Exchange server role. The FAC is specific to the Splunk App for Microsoft Exchange. Each FAC is named according to the Exchange version and server role that it was designed for, and all begin with fwd_.
The FACs are located in a package file called fwd_apps.zip. This file is located in the main Splunk App for Microsoft Exchange package and is accessible when you unpack the app into your Splunk instance during installation.
Example Deployment
For example, if you have the following Exchange 2007 server roles:
- Edge Transport
- Hub Transport
- Client Access Servers (CAS)
- Mailbox Server
and the Mailbox Server and CAS roles are running on the same host, the deployment process (at a high level) would be as follows:
1. Install a full copy of Splunk Enterprise or designate an existing installation. If you're using an existing installation, be sure to review "Other deployment considerations" in this manual and make any configuration changes to the Splunk for Exchange app before proceeding.
Caution: the Splunk App for Microsoft Exchange puts all the data it indexes into the default Splunk index, main. If you don't want to use this index for the data, you must change the app's configuration as described in "Other deployment considerations".
2. Download the Splunk App for Microsoft Exchange package and unpack it onto your Splunk instance.
3. Locate the package that contains the forwarder application components (FACs) - the additional components that must be installed on the universal forwarders running on each Exchange server included in your deployment.
Note: The package that contains all of the FACs is located in Splunk-for-Exchange\appserver\static\fwd-apps.zip once you unpack the main package.
4. If you are using a Splunk deployment server to deploy the app, unpack fwd-apps.zip into %SPLUNK_HOME%\etc\deployment-apps on your designated deployment server.
Note: If you do not have a deployment server, or do not want to use one to deploy the app, then each FAC must be manually unpacked into %SPLUNK_HOME%\etc\apps on each Exchange server from which you want to get Exchange logs. See the table below for additional information.
5. Download and install Sideview Utils 1.15 or later on the central Splunk instance.
6. Download and install a copy of the Splunk universal forwarder on each of the Exchange server hosts. You only need to install one forwarder on each host, even if that host plays multiple roles in Exchange.
7. Onto these universal forwarders, install or deploy the relevant FACs for the role(s) that the Exchange server is playing.
Following is a table that defines which FACs should be installed on the Exchange servers in your enterprise that will send data to the Splunk App for Microsoft Exchange:
If your Exchange server is running: | and it holds this Exchange role: | then install or deploy these FAC(s): |
---|---|---|
Exchange 2007 | Client Access Server | fwd_exchange2007_cas |
Exchange 2007 | Edge Transport (for sender reputation) | fwd_reputation |
Exchange 2007 | Forefront Protection Services | fwd_exchange2007_forefront |
Exchange 2007 | Hub Transport | fwd_exchange2007_hub |
Exchange 2007 | Mailbox Server | fwd_exchange2007_store |
Exchange 2010 | Client Access Server | fwd_exchange2010_cas |
Exchange 2010 | Hub Transport | fwd_exchange2010_hub |
Exchange 2010 | Mailbox Server | fwd_exchange2010_store |
8. Next, deploy either the fwd_win2003_iis or fwd_win2008r2_iis FAC on each Exchange server, depending on which version of Windows is running on the server. Deploy the fwd_win2003_iis FAC on each computer running Windows Server 2003, and the fwd_win2008r2_iis FAC on each computer running Windows Server 2008.
9. Ensure that all the Exchange server roles you want to include in the deployment are logging to their usual places, in their usual formats. If they're not, take a look at "Where and how the Splunk App for Microsoft Exchange expects to find your logs" in this manual.
10. If your central Splunk instance is distributing searches to search heads, then all of the FACs must also be installed on each of the search heads so that the Splunk knowledge defined in them can be used in displaying views and dashboards to the end users.
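The following PowerShell script is an added example, not part of the Splunk documentation or of the app package. It carries out the manual variant of steps 4, 7 and 8 on a single Exchange host: it resolves the host's Exchange version and roles to the FACs in the table above, adds the IIS FAC for the host's Windows version, and copies each FAC folder into the universal forwarder's etc\apps folder. It refuses to run if a role is not listed in the table for that Exchange version or if a FAC folder is missing from the unpacked package, so a partial deployment is never left behind silently. The script name, the parameter names, and the default paths for the staging folder and the forwarder installation are assumptions; adjust them to your environment.

```powershell
<#
Added example, not from the Splunk App for Microsoft Exchange documentation or package.
Assumptions (not stated on the page): fwd-apps.zip has already been expanded into
$StagingRoot with one folder per FAC named exactly as in the table, and the universal
forwarder is installed under $SplunkHome.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('2007', '2010')][string]$ExchangeVersion,
    [Parameter(Mandatory)][string[]]$Roles,
    [Parameter(Mandatory)][ValidateSet('2003', '2008R2')][string]$WindowsVersion,
    [string]$StagingRoot = 'C:\Temp\fwd-apps',                          # assumed path
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'  # assumed path
)

# Role -> FAC mapping, transcribed from the table in this topic.
$FacByRole = @{
    '2007' = @{
        'Client Access Server'          = 'fwd_exchange2007_cas'
        'Edge Transport'                = 'fwd_reputation'
        'Forefront Protection Services' = 'fwd_exchange2007_forefront'
        'Hub Transport'                 = 'fwd_exchange2007_hub'
        'Mailbox Server'                = 'fwd_exchange2007_store'
    }
    '2010' = @{
        'Client Access Server' = 'fwd_exchange2010_cas'
        'Hub Transport'        = 'fwd_exchange2010_hub'
        'Mailbox Server'       = 'fwd_exchange2010_store'
    }
}
# Windows version -> IIS FAC, from step 8.
$IisFac = @{ '2003' = 'fwd_win2003_iis'; '2008R2' = 'fwd_win2008r2_iis' }

# Resolve every role to a FAC. Stop on a role the table does not list for this
# Exchange version instead of deploying a partial set.
$facs = New-Object System.Collections.Generic.List[string]
foreach ($role in $Roles) {
    $fac = $FacByRole[$ExchangeVersion][$role]
    if (-not $fac) {
        throw "No FAC is listed for role '$role' on Exchange $ExchangeVersion; check the table."
    }
    if (-not $facs.Contains($fac)) { $facs.Add($fac) }   # a host can hold several roles
}
$facs.Add($IisFac[$WindowsVersion])

$appsDir = Join-Path $SplunkHome 'etc\apps'
if (-not (Test-Path -LiteralPath $appsDir -PathType Container)) {
    throw "Forwarder apps folder not found: $appsDir"
}

# Verify every FAC folder exists before copying anything, so a missing folder
# does not leave the host half-configured.
foreach ($fac in $facs) {
    $src = Join-Path $StagingRoot $fac
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        throw "FAC folder '$fac' is missing from $StagingRoot; re-check the unpacked fwd-apps.zip."
    }
}

foreach ($fac in $facs) {
    $src = Join-Path $StagingRoot $fac
    $dst = Join-Path $appsDir $fac
    if ($PSCmdlet.ShouldProcess($dst, "Copy FAC $fac")) {
        # -Force overwrites an earlier copy, so re-running the script is safe.
        Copy-Item -LiteralPath $src -Destination $dst -Recurse -Force
        Write-Host "Deployed $fac -> $dst"
    }
}
```

For the host in this topic's example scenario (Exchange 2007 Mailbox Server and CAS roles on one Windows Server 2008 computer), run it as `.\Deploy-ExchangeFacs.ps1 -ExchangeVersion 2007 -Roles 'Mailbox Server','Client Access Server' -WindowsVersion 2008R2 -WhatIf` first; `-WhatIf` (available because of `SupportsShouldProcess`) lists the three folders that would be copied without touching the forwarder, and dropping it performs the copy. The forwarder must be restarted afterwards for the newly added inputs to take effect; that step is not covered in this topic.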
If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0