What data the Splunk App for Microsoft Exchange collects
The Splunk App for Microsoft Exchange and its associated add-ons collect data from your Exchange servers and index it so that it can be used to generate the dashboards and reports shown in the Splunk App for Microsoft Exchange UI. This topic discusses the specifics of the data being collected.
The Splunk App for Microsoft Exchange collects the following data using file inputs:
- Internet Information Server (IIS) logs for the Exchange servers whose designated roles require IIS
- Windows Event logs
- Security logs
- Exchange audit logs
- Application logs, such as Forefront Protection Services (FPS) security logs
The Splunk App for Exchange collects the following data using scripted inputs:
- Performance monitoring data
- Senderbase/reputation data. This feature needs internet access to function, as it looks up the reputation score for your email users.
- Topology and health information
- Mailbox Server health and usage information
Important: The Splunk App for Exchange puts the data it indexes into several indexes:
- The Exchange, IIS, and application logs get indexed into the msexchange index.
- The performance monitor logs get indexed into the perfmon index.
If you don't want to use these indexes for the data, then you must change the app's configuration as described in "Other deployment considerations" in this manual.
Where and how the Splunk App for Exchange expects to find your logs
The Splunk App for Exchange assumes that all your Exchange servers are logging to their default locations. If this is not true, then you must edit the relevant technology add-ons (TAs) to tell the Splunk App for Exchange to look in the right place.
To make edits to TAs within the Splunk App for Exchange directory store:
1. Using Explorer, a command prompt, or a PowerShell instance, navigate to %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons.
2. Find the TA that you want to edit:
- If you are using a deployment server, you can locate the TA in %SPLUNK_HOME%\etc\deployment-apps\<TA-Name> on the deployment server.
- If you are not using a deployment server, you can locate the TA in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons\<TA-Name> on the universal forwarder.
3. In the relevant TA directory, make a copy of default\inputs.conf and place it in local\.
Note: If you've already deployed the app, make a copy of %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons\<TA-Name>\default\inputs.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons\<TA-Name>\local\.
4. Edit the copy and change the file paths for the relevant input stanzas to the desired locations.
5. Save the file.
6. If you have already deployed, restart the Splunk forwarder.
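The copy-and-edit steps above can be scripted. The following Python script is an added example, not code from the Splunk App for Exchange or its TAs. It assumes the TA declares each log directory as a [monitor://<path>] stanza in default\inputs.conf (the standard Splunk file-input form); the stanza attributes in the sample and the relocated path D:\Logs\IIS\W3SVC1 are constructed. Because Splunk merges local over default stanza by stanza, a stanza with a new name adds a second input rather than replacing the old one, so the script keeps the default-path stanza in local\inputs.conf with disabled = 1 and re-creates its attributes under the new path.

```python
"""Write local\\inputs.conf for an Exchange TA whose logs were relocated.

Added example, not code from the Splunk App for Exchange or its TAs.
Assumes each log directory is declared as a [monitor://<path>] stanza in
default\\inputs.conf; the stanza attributes below are constructed samples.
"""
import os
import re
import tempfile

# Constructed sample of a TA's default\inputs.conf (not the real TA file).
SAMPLE_DEFAULT_INPUTS = """\
[monitor://C:\\inetpub\\logs\\LogFiles\\W3SVC1]
disabled = 0
sourcetype = iis
index = msexchange

[monitor://C:\\Program Files\\Microsoft\\Exchange Server\\V14\\TransportRoles\\Logs\\MessageTracking]
disabled = 0
sourcetype = msexchange:messagetracking
index = msexchange
"""

MONITOR_RE = re.compile(r"^\[monitor://(.+)\]$")


def parse_stanzas(conf_text):
    """Split a Splunk .conf file into (header, body_lines) pairs, in order."""
    stanzas, header, body = [], None, []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if header is not None:
                stanzas.append((header, body))
            header, body = stripped, []
        elif header is not None:
            body.append(line)
    if header is not None:
        stanzas.append((header, body))
    return stanzas


def rewrite_monitor_paths(conf_text, path_map):
    """Return the text of a local\\inputs.conf that moves each monitored
    path in path_map ({old_path: new_path}) to its new location.

    Splunk merges local over default per stanza name, so renaming the
    stanza alone would leave the default path still monitored.  The old
    stanza is therefore kept and disabled, and its attributes are copied
    under the new path."""
    out = []
    for header, body in parse_stanzas(conf_text):
        match = MONITOR_RE.match(header)
        old_path = match.group(1) if match else None
        if old_path in path_map:
            out += ["[monitor://%s]" % old_path, "disabled = 1", ""]
            out.append("[monitor://%s]" % path_map[old_path])
        else:
            out.append(header)
        out.extend(body)
    return "\n".join(out).rstrip("\n") + "\n"


def write_local_override(ta_dir, path_map):
    """Read <ta_dir>\\default\\inputs.conf and write <ta_dir>\\local\\inputs.conf.
    default\\inputs.conf is never modified, so an app upgrade cannot clobber the edit."""
    with open(os.path.join(ta_dir, "default", "inputs.conf"), encoding="utf-8") as fh:
        local_text = rewrite_monitor_paths(fh.read(), path_map)
    local_dir = os.path.join(ta_dir, "local")
    os.makedirs(local_dir, exist_ok=True)
    local_conf = os.path.join(local_dir, "inputs.conf")
    with open(local_conf, "w", encoding="utf-8") as fh:
        fh.write(local_text)
    return local_conf, local_text


def demo():
    """Build a throwaway TA directory from the constructed sample and
    relocate the IIS log path; returns (path_written, text, file_exists)."""
    ta_dir = tempfile.mkdtemp(prefix="TA-demo-")
    os.makedirs(os.path.join(ta_dir, "default"))
    with open(os.path.join(ta_dir, "default", "inputs.conf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DEFAULT_INPUTS)
    # Assumed new IIS log location; substitute the real one on your servers.
    relocated = {"C:\\inetpub\\logs\\LogFiles\\W3SVC1": "D:\\Logs\\IIS\\W3SVC1"}
    local_conf, text = write_local_override(ta_dir, relocated)
    return local_conf, text, os.path.exists(local_conf)


if __name__ == "__main__":
    _, text, _ = demo()
    print(text)
```

Point the script at the TA directory from step 2 (on the deployment server or the universal forwarder) instead of the temporary directory that demo() builds, then restart the forwarder as step 6 says. Leaving the disabled stanza in place also makes it visible in the local file which path the app originally expected.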
Log format
The Splunk App for Exchange also assumes you haven't changed the format of the logs. If you have changed the log format (for example, you are running IIS 6 and your IIS logs are in a non-default format), then you must configure both the app on the central Splunk instance and the relevant TA-Windows-2003-Exchange-IIS TA on the servers that are producing the logs to tell the Splunk App for Microsoft Exchange how to process those logs.
To reconfigure the TA to understand the changed log format:
1. In the TA-Windows-2003-Exchange-IIS directory, make a copy of default\inputs.conf.
2. Put this file in local\.
Note: If you've already deployed the app, make a copy of %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons\TA-Windows-2003-Exchange-IIS\default\transforms.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons\TA-Windows-2003-Exchange-IIS\local\.
3. Edit the local\transforms.conf to modify the field extractions to match the log format you're using.
- In the TA-Windows-2003-Exchange-IIS TA, the fields are defined within the [mswin_2003_iis_fields] stanza.
- In the TA-Windows-2008R2-Exchange-IIS TA, the fields are defined within the [mswin_2008r2_iis_fields] stanza.
Note: Refer to "Create and maintain search-time field extractions through configuration files" in the core Splunk product documentation for information on how to edit transforms.conf.
4. Save the file.
5. If you have already deployed, restart the Splunk forwarder.
To configure the Splunk App for Microsoft Exchange to understand the changed log format:
1. In the Splunk_for_Exchange directory, make a copy of default\inputs.conf.
2. Put this file in local\.
Note: If you've already deployed the app, make a copy of %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\default\transforms.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\.
3. Edit the local\transforms.conf to modify the field extractions to match the log format you're using.
Note: Refer to "Create and maintain search-time field extractions through configuration files" in the core Splunk product documentation for information on how to edit transforms.conf.
4. Save the file.
5. If you have already deployed, restart the central Splunk instance.
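Both procedures above come down to one thing: the field list in the [mswin_2003_iis_fields] (or [mswin_2008r2_iis_fields]) stanza must name, in order, exactly the columns the IIS server writes. The following Python script is an added example, not code from the Splunk App for Exchange or its TAs. It assumes that stanza is a DELIMS/FIELDS extraction (Splunk's delimiter-based search-time extraction), derives the FIELDS list from the #Fields: directive of a W3C-format IIS log, and refuses to emit a stanza when any data line's column count disagrees with that header, which is the condition that silently puts values under the wrong field names (a client address under cs_username, for instance). The IIS log lines are constructed; the stanza name is a parameter so the same script serves the 2008R2 TA.

```python
"""Derive the transforms.conf field list from an IIS W3C log header.

Added example, not code from the Splunk App for Exchange or its TAs.
Assumes the [mswin_2003_iis_fields] stanza is a DELIMS/FIELDS extraction
and that the IIS log is W3C extended format with a '#Fields:' directive.
The log sample below is constructed.
"""
import re

# Constructed IIS 6 W3C log with a non-default column selection:
# s-sitename and s-computername dropped, cs(User-Agent) and time-taken added.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-01-15 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-01-15 00:00:01 192.0.2.10 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 125
2012-01-15 00:00:02 192.0.2.10 GET /owa/ - 443 CONTOSO\\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 401 1 2148074254 15
"""


def splunk_field_name(w3c_name):
    """Map a W3C column name to a Splunk field name: cs(User-Agent) -> cs_User_Agent,
    cs-uri-stem -> cs_uri_stem.  Only [A-Za-z0-9_] survive."""
    return re.sub(r"[^A-Za-z0-9_]", "_", w3c_name).strip("_")


def parse_w3c_log(text):
    """Parse a W3C extended log.

    Returns (fields, rows, bad_lines): fields is the Splunk-named column list
    from the #Fields: directive, rows are dicts keyed by those names, and
    bad_lines lists (line_number, token_count) for every data line whose
    token count differs from the header.  IIS writes spaces inside values
    as '+', so a single space is a safe delimiter."""
    fields, rows, bad_lines = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = [splunk_field_name(name) for name in line.split()[1:]]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no data
        else:
            tokens = line.split(" ")
            if fields is None or len(tokens) != len(fields):
                bad_lines.append((lineno, len(tokens)))
            else:
                rows.append(dict(zip(fields, tokens)))
    return fields, rows, bad_lines


def transforms_stanza(stanza_name, fields):
    """Render the delimiter-based extraction stanza for local\\transforms.conf."""
    return '[%s]\nDELIMS = " "\nFIELDS = %s\n' % (stanza_name, ", ".join(fields))


def stanza_for_log(text, stanza_name="mswin_2003_iis_fields"):
    """Build the stanza for a log, refusing if any data line disagrees with
    the header: an extraction generated from a mixed-format log would label
    values wrongly (for example, c_ip taking the value of cs_username)."""
    fields, _, bad_lines = parse_w3c_log(text)
    if fields is None:
        raise ValueError("no #Fields: directive found")
    if bad_lines:
        raise ValueError("column count mismatch on lines %s" % [n for n, _ in bad_lines])
    return transforms_stanza(stanza_name, fields)


if __name__ == "__main__":
    print(stanza_for_log(SAMPLE_IIS_LOG))
```

Run it against a log taken from the IIS server whose format changed and paste the printed stanza into local\transforms.conf, replacing only the FIELDS line of the stanza the TA already defines; the TA's props.conf already binds that stanza to the IIS sourcetype through a REPORT- setting, so nothing else needs to change. The same stanza must then be carried into the app's local\transforms.conf on the central instance, as the second procedure describes. If IIS logs on a server were switched mid-file, parse_w3c_log() reports the offending lines rather than guessing, so the mismatch is caught before it reaches the dashboards.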
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.0, 2.1, 2.1.1, 2.1.2