Make configuration changes to match your existing environment
As discussed in "Other deployment considerations", if you have an existing Splunk deployment, you should edit some of the configurations in the Splunk App for Microsoft Exchange before deploying it. This topic provides examples of the kind of edits you should make.
- For information about how Splunk configuration files work, refer to "About configuration files" in the core Splunk product documentation.
Change the index that the indexed data is sent to
1. Install the full Splunk_for_Exchange-vX.XX.spl package.
Note: If you're planning to use a deployment server to deploy the technology add-ons (TAs), place the relevant TAs for each Exchange server role into $SPLUNK_HOME\etc\deployment-apps on your central Splunk instance.
2. In the local directory within each TA, create an inputs.conf.
3. Copy the relevant input stanza from default\inputs.conf into the newly-created local\inputs.conf within the TA.
4. Change the index for that stanza by specifying the appropriate index= attribute/value pair.
- For example, if you want your Exchange 2007 Message Tracking logs to go into an index called "msgtracking", make a copy of the stanza for that particular input, put it in the new inputs.conf in TA-Exchange-2007-HubTransport\local\, and add the attribute/value pair index=msgtracking to it so that it looks like this:

    [monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
    whitelist=\.log$|\.LOG$
    sourcetype=MSExchange:2007:MessageTracking
    index=msgtracking
    queue=parsingQueue
    disabled=false

5. In the Splunk_for_Exchange\local directory, create an eventtypes.conf.
6. Copy the relevant input stanza from Splunk_for_Exchange\default\eventtypes.conf into this file.
7. Modify the stanza within eventtypes.conf to include the new index.
- Continuing from the previous example, the [msexchange-msgtrack] stanza searches the Message Tracking logs. Copy that stanza into Splunk_for_Exchange\local\eventtypes.conf and add index=msgtracking like this:

    [msexchange-msgtrack]
    search = index=msgtracking ((sourcetype=MSExchange:*:MessageTracking) OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))

8. Repeat steps 2 through 7 for every input that you want to send to a specific index.
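
A consistency check for steps 2 through 7, added here as an example (it is not part of the Splunk documentation or the app): it flags any event type whose search matches an input's sourcetype but does not name the index that input now writes to. The function names are hypothetical, and the file contents are constructed samples based on the stanzas shown above.

```python
import configparser
import fnmatch
import re

# Constructed sample contents of the two local files from the procedure above.
INPUTS_CONF = r"""
[monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2007:MessageTracking
index=msgtracking
queue=parsingQueue
disabled=false
"""

EVENTTYPES_OK = """
[msexchange-msgtrack]
search = index=msgtracking ((sourcetype=MSExchange:*:MessageTracking) OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))
"""
# Same event type with step 7 skipped (constructed failure case).
EVENTTYPES_STALE = EVENTTYPES_OK.replace("index=msgtracking ", "")


def parse_conf(text):
    """Parse simple stanza / key=value .conf text (no line continuations)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def find_index_mismatches(inputs_text, eventtypes_text):
    """Return (eventtype, sourcetype, index) tuples where the search matches the
    input's sourcetype but does not reference the index the input writes to."""
    problems = []
    eventtypes = parse_conf(eventtypes_text)
    for stanza in parse_conf(inputs_text).values():
        st, idx = stanza.get("sourcetype"), stanza.get("index")
        if not st or not idx:
            continue  # input uses the default index or sets no sourcetype
        for name, et in eventtypes.items():
            search = et.get("search", "")
            patterns = re.findall(r"\bsourcetype=([^\s()]+)", search)
            if not any(fnmatch.fnmatchcase(st, p) for p in patterns):
                continue  # this event type does not cover the input
            if idx not in re.findall(r"\bindex=([^\s()]+)", search):
                problems.append((name, st, idx))
    return problems
```
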
Configure the sender reputation TA to use your outbound mail servers when it is deployed
To configure the mail servers that the mail sender reputation TA will use when it is deployed:
1. In the TA-SMTP-Reputation\local directory, create a reputation.conf.
Note: A template of reputation.conf can be found in the TA-SMTP-Reputation\default directory.
2. Add a [mailservers] stanza to this file. Within the stanza, list the IP addresses of your outbound mail servers, like this:

    [mailservers]
    iplist = 10.10.100.57; 10.10.100.59

Note: IP addresses are separated by semicolons within stanzas in reputation.conf.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6