Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Make configuration changes to match your existing environment

As discussed in "Other deployment considerations", if you have an existing Splunk deployment and wish to use it to store your Splunk App for Microsoft Exchange data, then you must edit the configuration files in the Splunk App for Microsoft Exchange installation prior to deployment. This topic provides examples of the kind of edits you should make prior to deploying the app and the associated technology add-ons.

  • For information about how Splunk configuration files work, refer to "About configuration files" in the core Splunk product documentation.

Overview

By default, the Splunk App for Microsoft Exchange stores data in the following indexes:

  • msexchange for Exchange data collected from Exchange servers.
  • perfmon for performance metrics collected from Exchange servers.
  • blackberry for data collected from computers running Blackberry Enterprise Server.

If you need to change where the Splunk App for Active Directory stores its data, then use these instructions to configure the Splunk App for Microsoft Exchange to use the existing indexes in your Splunk deployment.

Change the index(es) that the app sends data to

Follow these instructions to configure the index locations:

1. Unpack the Splunk_for_Exchange-vX.XX.spl package into an accessible location, if you haven't already.

2. Determine the TAs that you need to install, based on your Exchange Server layout.

Note: Read "Configure the Splunk App for Microsoft Exchange technology add-ons" in this manual for information on where to install the TAs.

3. Once you have determined which TAs you need to install, edit the configuration files for each of those TAs, as follows:

a. Locate the TA folder within the Splunk_for_Exchange archive you unpacked earlier.
Note: You can find the TA folders within Splunk_for_Exchange\appserver\addons.
b. In the local directory within each TA folder, create and open an inputs.conf.
Note: You might need to create the local directory within the TA folder, if it does not exist.
c. Open the inputs.conf in the default directory of the TA folder.
d. Copy the input stanza text (in this case, the stanza which represents the input whose destination index you want to change) from default\inputs.conf.
f. Paste the copied stanza into the newly-created local\inputs.conf within the TA directory.
g. Change the index for that stanza by specifying the appropriate index= attribute/value pair.
Important: The index must already exist before you specify it in the configuration file.
h. Save the inputs.conf file in local and close it.

For example, if your environment runs Exchange Server 2007, and you want the Exchange Server 2007 Message Tracking logs to go into an index called msgtracking instead of the default msexchange, you would do the following:

  • Open TA-Exchange-2007-HubTransport\default\inputs.conf in the TA.
  • Create and open local\inputs.conf in TA-Exchange-2007-HubTransport.
  • Copy the [monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking] stanza from TA-Exchange-2007-HubTransport\default\inputs.conf.
  • Paste the copied stanza into the new inputs.conf in TA-Exchange-2007-HubTransport\local\.
  • Configure the attribute/value pair index=msgtracking in the stanza, so that it looks like this:
        [monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
        whitelist=\.log$|\.LOG$
        sourcetype=MSExchange:2007:MessageTracking
        index=msgtracking
        queue=parsingQueue
        disabled=false

4. Make changes to the Splunk App for Microsoft Exchange event types configuration file, as follows:

a. In the Splunk_for_Exchange\local directory, create an eventtypes.conf.
b. Open Splunk_for_Exchange\default\eventtypes.conf.
c. Copy the event type stanza whose index you want to change from Splunk_for_Exchange\default\eventtypes.conf.
d. Paste the stanza into the Splunk_for_Exchange\local\eventtypes.conf file.
e. Modify the stanza within eventtypes.conf to use the new index.

Continuing from the previous example, the [msexchange-msgtrack] stanza searches the Message Tracking logs. Copy that stanza into Splunk_for_Exchange\local\eventtypes.conf and add index=msgtracking like this:

        [msexchange-msgtrack]
        search = index=msgtracking ((sourcetype=MSExchange:*:MessageTracking) OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))

5. Repeat steps 3 and 4 for every input whose destination index you want to change.
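
An added check for steps 3 and 4 (not part of the Splunk documentation or the app): it layers local over default the way Splunk does within one app, then reports event types whose search still names an index that the matching input no longer writes to. The sample file contents, including the default eventtypes search text, are constructed for illustration, and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    # A trailing backslash continues a setting on the next line.
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Layer local over default per key, as Splunk does within one app."""
    merged = parse_conf(default_text)
    for name, settings in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(settings)
    return merged

def mismatched_eventtypes(inputs, eventtypes):
    """List event types that search an index the matching input does not write to."""
    problems = []
    for name, et in eventtypes.items():
        search = et.get("search", "")
        searched = sorted(set(re.findall(r"\bindex=([\w-]+)", search)))
        patterns = re.findall(r"\bsourcetype=([^\s()]+)", search)
        for stanza in inputs.values():
            st, idx = stanza.get("sourcetype"), stanza.get("index")
            # Searches without an explicit index= are skipped (not decidable here).
            if st and idx and searched and idx not in searched \
                    and any(fnmatchcase(st, p) for p in patterns):
                problems.append((name, searched, st, idx))
    return problems

# Constructed sample files; the default eventtypes search text is an assumption.
STANZA = r"[monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]"
DEFAULT_INPUTS = STANZA + "\nsourcetype=MSExchange:2007:MessageTracking\nindex=msexchange\n"
LOCAL_INPUTS = STANZA + "\nindex=msgtracking\n"
DEFAULT_EVENTTYPES = r"""[msexchange-msgtrack]
search = index=msexchange ((sourcetype=MSExchange:*:MessageTracking) \
OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))
"""
LOCAL_EVENTTYPES = "[msexchange-msgtrack]\nsearch = index=msgtracking (sourcetype=MSExchange:*:MessageTracking)\n"

inputs = effective(DEFAULT_INPUTS, LOCAL_INPUTS)
print(mismatched_eventtypes(inputs, parse_conf(DEFAULT_EVENTTYPES)))  # step 4 skipped
print(mismatched_eventtypes(inputs, effective(DEFAULT_EVENTTYPES, LOCAL_EVENTTYPES)))
```

A non-empty result means an input was redirected in step 3 without the corresponding step 4 edit, so the app's searches would miss that data.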

Configure the Sender Reputation TA to use your outbound mail servers

To configure the mail servers that the mail sender reputation TA will use when it is deployed:

1. In the TA-SMTP-Reputation\local directory, create a reputation.conf.

Note: A template of reputation.conf can be found in the TA-SMTP-Reputation\default directory.

2. Add a [mailservers] stanza to this file. Within the stanza, list the IP addresses of your outbound mail servers, like this:

        [mailservers]
        iplist = 10.10.100.57; 10.10.100.59

Note: Semicolons separate IP addresses within stanzas in reputation.conf.

Deploy your changes

Once you have made the changes you need to match your existing Splunk environment, you can deploy the technology add-ons and the Splunk App for Microsoft Exchange.

Note:

  • If you use a deployment server to deploy the technology add-ons (TAs), then place the relevant TAs for each Exchange server role into %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
  • If you do not use a deployment server, then you must edit the TA configuration files manually on each universal forwarder in the Splunk App for Microsoft Exchange deployment.
The configuration file edits you must make depend specifically on which role(s) each Exchange server performs. Refer to "Configure the Splunk App for Microsoft Exchange technology add-ons" for specifics on where you should install the TAs in your Exchange deployment.
Last modified on 19 July, 2013

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.0, 2.1, 2.1.1, 2.1.2

