What data the Splunk App for Microsoft Exchange collects
The Splunk App for Microsoft Exchange and its associated add-ons collect data from your Exchange servers and index it so that it can be used to generate the dashboards and reports shown in the Splunk App for Microsoft Exchange GUI. This topic discusses the specifics of the data being collected.
The Splunk App for Microsoft Exchange collects the following data using file inputs:
- Internet Information Server (IIS) logs for the Exchange servers whose designated roles require IIS
- Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP) transport logs
- Windows Event logs
- Exchange audit logs
- Application logs, such as Forefront Protection Services (FPS) security logs
The Splunk App for Exchange collects the following data using scripted inputs:
- Performance monitoring data on all servers running the Mailbox Server role
- Senderbase/reputation data. This feature needs internet access to function, as it looks up the reputation score for your email users.
Caution: The Splunk App for Exchange puts all the data it indexes into the default Splunk index, main. If you don't want to use this index for the data, then you must change the app's configuration as described in "Other deployment considerations" in this manual.
Where and how the Splunk App for Exchange expects to find your logs
The Splunk App for Exchange assumes that all your Exchange servers are logging to their default locations. If this is not true, then you must edit the relevant forwarder access components (FACs) to tell the Splunk App for Exchange to look in the right place.
To make edits to FACs within the Splunk App for Exchange directory store:
- Using Explorer, a command prompt, or a PowerShell instance, navigate to %SPLUNK_HOME%\etc\apps.
- In the relevant FAC within %SPLUNK_HOME%\etc\apps, make a copy of \fwd_*\default\inputs.conf and place it in \fwd_*\local\. If you've already deployed the app, make a copy of %SPLUNK_HOME%\etc\apps\fwd_*\default\inputs.conf and put it in %SPLUNK_HOME%\etc\apps\fwd_*\local\.
- Edit the copy and change the file paths for the relevant input stanzas to the desired locations.
- Save the file. If you have already deployed, restart the Splunk forwarder.
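The steps above, scripted as an added example that is not part of the Splunk App for Exchange itself: it stages a FAC's inputs.conf into local\ (never editing default\, which an upgrade overwrites) and repoints one [monitor://...] stanza. The FAC name, the current and new log paths, and the SPLUNK_HOME location are assumptions you supply as parameters.

```powershell
# Added example, not shipped with the Splunk App for Exchange.
# Usage: .\Repoint-FacInput.ps1 -Fac fwd_windows2003_iis `
#            -OldPath 'C:\WINDOWS\system32\LogFiles\W3SVC1' -NewPath 'D:\IISLogs\W3SVC1'
param(
    [string]$SplunkHome = $env:SPLUNK_HOME,            # assumption: set on the forwarder
    [Parameter(Mandatory)][string]$Fac,                # e.g. fwd_windows2003_iis (from the app)
    [Parameter(Mandatory)][string]$OldPath,            # path in the default monitor stanza
    [Parameter(Mandatory)][string]$NewPath             # where your logs actually live
)

if (-not $SplunkHome) { throw 'SPLUNK_HOME is not set; pass -SplunkHome explicitly' }

$default = Join-Path $SplunkHome "etc\apps\$Fac\default\inputs.conf"
$local   = Join-Path $SplunkHome "etc\apps\$Fac\local\inputs.conf"

if (-not (Test-Path $default)) { throw "No default inputs.conf for FAC '$Fac' at $default" }

# Copy default -> local only once; later runs edit the existing local copy so
# earlier customisations are not lost.
if (-not (Test-Path $local)) {
    New-Item -ItemType Directory -Path (Split-Path $local) -Force | Out-Null
    Copy-Item -Path $default -Destination $local
}

# Rewrite only the exact stanza header; everything else in the file is preserved.
$target  = "[monitor://$OldPath]"
$changed = 0
$out = foreach ($line in Get-Content $local) {
    if ($line.Trim() -eq $target) { $changed++; "[monitor://$NewPath]" } else { $line }
}

if ($changed -eq 0) {
    Write-Warning "Stanza '$target' not found in $local; file left unchanged"
} else {
    Set-Content -Path $local -Value $out
    Write-Host "Rewrote $changed stanza(s) in $local"
}

# If the forwarder is already deployed, restart it so the new path is monitored:
#   & (Join-Path $SplunkHome 'bin\splunk.exe') restart
```

Run it once per FAC and path you need to change; the script is idempotent, so re-running with the same arguments after the first pass reports that the old stanza is no longer present.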
Log format
The Splunk App for Exchange also assumes you haven't changed the format of the logs. If, for example, you are running IIS 6 and your IIS logs are in a non-default format, you must edit the relevant fwd_windows2003_iis FAC to tell the Splunk App for Exchange how to process your logs. To do this:
- In the fwd_windows2003_iis FAC, make a copy of \fwd_windows2003_iis\default\inputs.conf.
- Put this file in \fwd_windows2003_iis\local\. If you've already deployed, make a copy of %SPLUNK_HOME%\etc\apps\fwd_windows2003_iis\default\transforms.conf and put it in %SPLUNK_HOME%\etc\apps\fwd_windows2003_iis\local\.
- Edit the copy to define the field extraction regular expressions to match the log format you're using.
Note: Refer to "Create and maintain search-time field extractions through configuration files" in the core Splunk product documentation for information on how to edit transforms.conf. If you don't know what a regular expression is, refer to this Splunk Blogs video on regular expressions or the "Regular expressions" entry on Wikipedia.
- Save the file. If you have already deployed, restart the Splunk forwarder.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0