How to deploy the Splunk App for Microsoft Exchange
This topic details the deployment procedure for the Splunk App for Microsoft Exchange.
There are two main steps to installing the Splunk App for Microsoft Exchange:
- First, you install and configure universal forwarders and technology add-ons on your Exchange servers.
- Then, you configure the Splunk App for Microsoft Exchange on your central Splunk instance to receive and search the incoming data.
To deploy the Splunk App for Microsoft Exchange into your environment, perform the following steps:
Install and configure universal forwarders on your Exchange servers
1. Install a universal forwarder on each Exchange server in your environment.
2. Review, and if needed, edit the configurations of the Splunk App for Microsoft Exchange technology add-ons (TAs) that must be installed on the universal forwarders running on each Exchange server included in your deployment.
Note: The TAs are located in the Splunk App for Microsoft Exchange installation package, in Splunk_for_Exchange\appserver\addons. Review the configuration files within each TA to ensure that it sends data to the proper index(es) on the central Splunk instance. If you need to make changes, then follow the instructions in "Make configuration changes to match your existing environment".
3. Install or deploy the appropriate TA(s) for each Exchange server role into the universal forwarders on each Exchange server. The table below shows you which TAs should be installed onto each Exchange server in your environment.
| If your Exchange server runs: | and it holds this Exchange role: | then install or deploy these TA(s): |
|---|---|---|
| Exchange 2007 | Client Access Server | TA-Exchange-2007-CAS, TA-Windows-2003-Exchange-IIS |
| Exchange 2007 | Edge Transport | TA-Exchange-2007-HubTransport |
| Exchange 2007 | Hub Transport | TA-Exchange-2007-HubTransport |
| Exchange 2007 | Mailbox Server | TA-Exchange-2007-MailboxStore |
| Exchange 2010 | Client Access Server | TA-Exchange-2010-CAS, TA-Windows-2008R2-Exchange-IIS |
| Exchange 2010 | Edge Transport | TA-Exchange-2010-HubTransport |
| Exchange 2010 | Hub Transport | TA-Exchange-2010-HubTransport |
| Exchange 2010 | Mailbox Server | TA-Exchange-2010-MailboxStore |
| Exchange 2013 | Client Access Server | TA-Exchange-2013-ClientAccess, TA-Windows-2012-Exchange-IIS |
| Exchange 2013 | Mailbox Server | TA-Exchange-2013-Mailbox |
Important:
- If you have a Splunk deployment server and want to use it to deploy the app, then copy the TA folders into %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
- If you do not have a deployment server, or do not want to use one to deploy the app, then you must manually copy the appropriate TA(s) to %SPLUNK_HOME%\etc\apps on the Exchange server(s) from which you want to get Exchange logs. Review the table above to determine on which servers you should install the TAs.
4. Next, deploy the TA-SMTP-Reputation TA on a full Splunk instance (configured as a heavy forwarder) that has an outbound connection to the Internet.
Important: Be sure to edit the reputation.conf file within the TA so that it contains the IP addresses of all of your outbound mail servers.
5. Confirm that all of the Exchange servers that you want to include in the deployment send Exchange log data to the usual places, in the usual formats. If they do not, review "Where and how the Splunk App for Microsoft Exchange expects to find your logs" in this manual for instructions on configuring the app to account for the changes in logging locations.
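The following script is an added example and is not part of the Splunk documentation or the app itself. It encodes the role-to-TA table above and the two placement rules from step 3 (deployment-apps on a deployment server, or etc/apps directly on the forwarder host) so that, given a server inventory, you get a copy plan that only includes TA folders actually present in the app package's addons directory. The inventory, the server names, and the addons path are constructed for illustration; the role names and TA names are the ones in the table. Only a role/version pair the table lists is accepted, so an unsupported combination fails loudly rather than deploying nothing.

```python
"""Plan which Splunk App for Microsoft Exchange TAs each Exchange server needs.

Added example, not Splunk's own code. Server names, inventory and the addons
path below are constructed; TA and role names are taken from the deployment
table in the documentation.
"""
import shutil
from pathlib import Path

# (Exchange version, server role) -> TAs to deploy, transcribed from the table.
TA_BY_ROLE = {
    ("2007", "Client Access Server"): ["TA-Exchange-2007-CAS", "TA-Windows-2003-Exchange-IIS"],
    ("2007", "Edge Transport"):       ["TA-Exchange-2007-HubTransport"],
    ("2007", "Hub Transport"):        ["TA-Exchange-2007-HubTransport"],
    ("2007", "Mailbox Server"):       ["TA-Exchange-2007-MailboxStore"],
    ("2010", "Client Access Server"): ["TA-Exchange-2010-CAS", "TA-Windows-2008R2-Exchange-IIS"],
    ("2010", "Edge Transport"):       ["TA-Exchange-2010-HubTransport"],
    ("2010", "Hub Transport"):        ["TA-Exchange-2010-HubTransport"],
    ("2010", "Mailbox Server"):       ["TA-Exchange-2010-MailboxStore"],
    ("2013", "Client Access Server"): ["TA-Exchange-2013-ClientAccess", "TA-Windows-2012-Exchange-IIS"],
    ("2013", "Mailbox Server"):       ["TA-Exchange-2013-Mailbox"],
}


def tas_for_server(version, roles):
    """Return the ordered, de-duplicated TA list for a server holding `roles`.

    A server with both Hub and Edge Transport roles needs the HubTransport TA
    only once. A (version, role) pair missing from the table raises KeyError,
    because the table is the only source of truth for what to deploy.
    """
    result = []
    for role in roles:
        for ta in TA_BY_ROLE[(version, role)]:
            if ta not in result:
                result.append(ta)
    return result


def target_dir(splunk_home, use_deployment_server):
    """Directory the TA folders are copied into (step 3, "Important")."""
    subdir = "deployment-apps" if use_deployment_server else "apps"
    return Path(splunk_home) / "etc" / subdir


def plan_deployment(inventory, addons_dir, splunk_home, use_deployment_server):
    """Build a copy plan from an inventory of {server: (version, [roles])}.

    Returns (plan, missing): plan is a list of (server, ta, src, dst) for TAs
    found under addons_dir; missing lists (server, ta) pairs whose folder is
    absent from the package, so nothing outside the package is ever deployed.
    """
    dest_root = target_dir(splunk_home, use_deployment_server)
    plan, missing = [], []
    for server, (version, roles) in inventory.items():
        for ta in tas_for_server(version, roles):
            src = Path(addons_dir) / ta
            if not src.is_dir():
                missing.append((server, ta))
                continue
            plan.append((server, ta, src, dest_root / ta))
    return plan, missing


def apply_plan(plan):
    """Copy each planned TA folder; skip ones already at the destination.

    Returns the number of folders copied.
    """
    copied = 0
    for _server, _ta, src, dst in plan:
        if dst.exists():
            continue
        shutil.copytree(src, dst)
        copied += 1
    return copied


if __name__ == "__main__":
    # Constructed inventory: hostnames and roles are hypothetical.
    inventory = {
        "ex2010-cas01": ("2010", ["Client Access Server"]),
        "ex2010-ht01":  ("2010", ["Hub Transport", "Edge Transport"]),
        "ex2013-mbx01": ("2013", ["Mailbox Server"]),
    }
    # Hypothetical unpacked package location; adjust to where you unpacked it.
    addons = r"C:\Splunk_for_Exchange\appserver\addons"
    plan, missing = plan_deployment(inventory, addons, r"C:\Program Files\Splunk", True)
    for server, ta, src, dst in plan:
        print(f"{server}: copy {src} -> {dst}")
    for server, ta in missing:
        print(f"{server}: {ta} not found under {addons}; nothing planned")
```

Run the planner first and only call `apply_plan` once the printed plan matches the table; with a deployment server every TA lands in one deployment-apps directory, whereas without one the plan is per Exchange host and you run the copy on each host against its own %SPLUNK_HOME%.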
Install and configure the central Splunk instance
1. Install a full copy of Splunk or designate an existing installation as your "central" Splunk instance.
Note: If you're using an existing installation, be sure to review "Other deployment considerations" in this manual and make any configuration changes to the Splunk App for Microsoft Exchange before proceeding.
2. Download the Splunk App for Microsoft Exchange package.
3. Install the Splunk App for Microsoft Exchange onto your central Splunk instance.
4. Download and install the Supporting Add-on for Active Directory on the central Splunk instance.
5. Download and install Sideview Utils 1.2.5 or later on the central Splunk instance.
6. Download and install Google Maps 1.1 or later on the central Splunk instance.
7. Download and install a copy of the Splunk universal forwarder on each of the Exchange server hosts.
8. Restart your central Splunk instance to ensure that all changes take effect.
If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.0