How to deploy the Splunk App for Microsoft Exchange
This topic details the deployment procedure for the Splunk App for Microsoft Exchange.
There are several main steps to installing the Splunk App for Microsoft Exchange:
- First, you install universal forwarders on the Exchange servers in your environment.
- Next, you configure the universal forwarders with technology add-ons that come with the Splunk App for Microsoft Exchange installation package.
- Then, you configure the Splunk App for Microsoft Exchange on your central Splunk instance to receive and search the incoming data.
To deploy the Splunk App for Microsoft Exchange into your environment, perform the following steps:
Install and configure universal forwarders on your Exchange servers
1. Install a universal forwarder on each Exchange server in your environment.
Note: Do not enable any of the inputs when installing the universal forwarder. The technology add-ons you deploy in the next step supply the inputs the app needs; inputs enabled by the installer would collect the same data a second time.
Configure and deploy the Splunk App for Microsoft Exchange technology add-ons
2. Review, and if needed edit, the configurations of the Splunk App for Microsoft Exchange technology add-ons (TAs) that must be installed on the universal forwarder running on each Exchange server in your deployment.
Note: The TAs are in the Splunk App for Microsoft Exchange installation package, under Splunk_for_Exchange\appserver\addons. Review the configuration files within each TA to ensure that it sends data to the proper index(es) on the central Splunk instance. If you need to change the index(es) that the TAs send data to, follow the instructions in "Make configuration changes to match your existing environment".
3. Install or deploy the appropriate TA(s) for each Exchange server role into the universal forwarders on each Exchange server. The table below shows you which TAs should be installed onto each Exchange server in your environment.
| If your Exchange server runs: | and it holds this Exchange role: | then install or deploy these TA(s): |
|---|---|---|
| Exchange 2007 | Client Access Server | TA-Exchange-2007-CAS, TA-Windows-2003-Exchange-IIS |
| Exchange 2007 | Edge Transport | TA-Exchange-2007-HubTransport |
| Exchange 2007 | Hub Transport | TA-Exchange-2007-HubTransport |
| Exchange 2007 | Mailbox Server | TA-Exchange-2007-MailboxStore |
| Exchange 2010 | Client Access Server | TA-Exchange-2010-CAS, TA-Windows-2008R2-Exchange-IIS |
| Exchange 2010 | Edge Transport | TA-Exchange-2010-HubTransport |
| Exchange 2010 | Hub Transport | TA-Exchange-2010-HubTransport |
| Exchange 2010 | Mailbox Server | TA-Exchange-2010-MailboxStore |
| Exchange 2013 | Client Access Server | TA-Exchange-2013-ClientAccess, TA-Windows-2012-Exchange-IIS |
| Exchange 2013 | Mailbox Server | TA-Exchange-2013-Mailbox |
Important:
- If you have a Splunk deployment server and want to use it to deploy the app, copy the TA folders into %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
- If you do not have a deployment server, or do not want to use one to deploy the app, you must manually copy the appropriate TA(s) to %SPLUNK_HOME%\etc\apps on each Exchange server from which you want to get Exchange logs. Review the table above to determine which TAs belong on which servers.
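The following PowerShell is an added example, not part of the Splunk documentation or the app package, that stages the TAs from the table above for a given Exchange version and set of roles, either into etc\apps on the Exchange server or into etc\deployment-apps on a deployment server. The role-to-TA map is transcribed from the table; the package path, the function and parameter names, and the use of the `index =` setting in each TA's inputs.conf as the place to verify the target index are assumptions about your environment.

```powershell
# Added example (not Splunk's own code). Assumes the app package has been
# extracted to $PackageRoot and that each TA's inputs.conf carries the
# "index = <name>" setting the text above asks you to review.
Set-StrictMode -Version Latest

# Role-to-TA map, transcribed from the deployment table above.
$script:ExchangeTaMap = @{
    '2007' = @{
        'ClientAccess'  = @('TA-Exchange-2007-CAS', 'TA-Windows-2003-Exchange-IIS')
        'EdgeTransport' = @('TA-Exchange-2007-HubTransport')
        'HubTransport'  = @('TA-Exchange-2007-HubTransport')
        'Mailbox'       = @('TA-Exchange-2007-MailboxStore')
    }
    '2010' = @{
        'ClientAccess'  = @('TA-Exchange-2010-CAS', 'TA-Windows-2008R2-Exchange-IIS')
        'EdgeTransport' = @('TA-Exchange-2010-HubTransport')
        'HubTransport'  = @('TA-Exchange-2010-HubTransport')
        'Mailbox'       = @('TA-Exchange-2010-MailboxStore')
    }
    '2013' = @{
        'ClientAccess'  = @('TA-Exchange-2013-ClientAccess', 'TA-Windows-2012-Exchange-IIS')
        'Mailbox'       = @('TA-Exchange-2013-Mailbox')
    }
}

function Get-ExchangeTaName {
    param([Parameter(Mandatory)][string]$Version, [Parameter(Mandatory)][string[]]$Roles)
    $versionMap = $script:ExchangeTaMap[$Version]
    if (-not $versionMap) { throw "Unsupported Exchange version: $Version" }
    $names = foreach ($role in $Roles) {
        if (-not $versionMap.ContainsKey($role)) { throw "Unknown role '$role' for Exchange $Version" }
        $versionMap[$role]
    }
    # A multi-role server (Hub Transport plus Mailbox, say) must not get a TA twice.
    return @($names | Select-Object -Unique)
}

function Install-ExchangeTa {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PackageRoot,   # extracted Splunk_for_Exchange package
        [Parameter(Mandatory)][string]$Version,       # 2007, 2010 or 2013
        [Parameter(Mandatory)][string[]]$Roles,       # keys of $ExchangeTaMap[$Version]
        [string]$SplunkHome = $env:SPLUNK_HOME,
        [switch]$DeploymentServer                     # stage into etc\deployment-apps instead of etc\apps
    )
    if (-not $SplunkHome) { throw 'SPLUNK_HOME is not set; pass -SplunkHome' }
    $source = Join-Path $PackageRoot 'appserver\addons'
    $subdir = if ($DeploymentServer) { 'etc\deployment-apps' } else { 'etc\apps' }
    $target = Join-Path $SplunkHome $subdir

    foreach ($ta in Get-ExchangeTaName -Version $Version -Roles $Roles) {
        $src = Join-Path $source $ta
        if (-not (Test-Path -LiteralPath $src -PathType Container)) { throw "TA folder not found: $src" }
        $dst = Join-Path $target $ta
        if ($PSCmdlet.ShouldProcess($dst, "Copy $ta")) {
            Copy-Item -LiteralPath $src -Destination $dst -Recurse -Force
        }
        # Report the index each input writes to, so it can be checked against the
        # indexes that actually exist on the central instance before data arrives.
        Get-ChildItem -LiteralPath $dst -Recurse -Filter inputs.conf -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_.FullName
                Select-String -LiteralPath $file -Pattern '^\s*index\s*=\s*(\S+)' |
                    ForEach-Object {
                        [pscustomobject]@{ TA = $ta; File = $file; Index = $_.Matches[0].Groups[1].Value }
                    }
            }
    }
}

# Usage: a 2010 server holding both Hub Transport and Mailbox roles, staged on a
# deployment server. -WhatIf shows the copies without performing them.
# Install-ExchangeTa -PackageRoot 'C:\Temp\Splunk_for_Exchange' -Version 2010 `
#     -Roles HubTransport, Mailbox -DeploymentServer -WhatIf
```

Run it with -WhatIf first: the index report still runs against whatever is already in the target directory, and the copy is only performed once you drop the switch. Each reported index name should exist in indexes.conf on the central instance, or the forwarded events will be dropped or land in the last-chance index rather than in the indexes the app searches.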
4. Next, install a full Splunk instance that has an outbound connection to the Internet, so that the SMTP reputation add-on in the next steps can reach external reputation services.
Note: This server should be separate from the central Splunk App for Microsoft Exchange instance and from any Exchange server that runs a universal forwarder.
5. Configure this instance as a heavy forwarder that sends its data to the indexers of the central Splunk App for Microsoft Exchange instance.
6. Deploy the TA-SMTP-Reputation TA onto this instance.
Important: Be sure to edit the reputation.conf file within the TA so that it contains the IP addresses of all of your outbound mail servers.
7. Confirm that all of the Exchange servers that you want to include in the deployment send Exchange log data to the usual places, in the usual formats. If they do not, review "Where and how the Splunk App for Microsoft Exchange expects to find your logs" in this manual for instructions on configuring the app to account for the changes in logging locations.
Install and configure the central Splunk instance
1. Install a full copy of Splunk or designate an existing installation as your "central" Splunk instance.
Note: If you're using an existing installation, be sure to review "Other deployment considerations" in this manual and make any configuration changes to the Splunk App for Microsoft Exchange before proceeding.
2. Download the Splunk App for Microsoft Exchange package.
3. Install the Splunk App for Microsoft Exchange onto your central Splunk instance.
4. Download and install the Supporting Add-on for Active Directory on the central Splunk instance.
5. Confirm that the universal forwarders on each of the Exchange server hosts can connect to the central Splunk instance.
6. Restart your central Splunk instance to ensure that all changes take effect.
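An added example (not from the Splunk documentation) of the connectivity check in step 5, run on an Exchange server that hosts a universal forwarder: it tests TCP reachability of each indexer's receiving port and parses the forwarder's own view of its targets from `splunk list forward-server`. The receiving port 9997 is Splunk's conventional default and the host names are placeholders; both are assumptions, and the CLI call prompts for Splunk admin credentials unless you are already authenticated.

```powershell
# Added example (not Splunk's own code). Assumes the universal forwarder is
# installed under $env:SPLUNK_HOME and the indexers receive on port 9997.
function Test-ExchangeForwarder {
    param(
        [Parameter(Mandatory)][string[]]$Indexer,   # central instance indexer host names
        [int]$Port = 9997,                          # assumed receiving port
        [string]$SplunkHome = $env:SPLUNK_HOME
    )
    $splunk = Join-Path $SplunkHome 'bin\splunk.exe'
    if (-not (Test-Path -LiteralPath $splunk)) { throw "splunk.exe not found at $splunk" }

    # "splunk list forward-server" prints two sections, "Active forwards:" and
    # "Configured but inactive forwards:", each followed by host:port lines or "None".
    $section = ''
    $active = @(); $inactive = @()
    foreach ($line in (& $splunk list forward-server 2>&1)) {
        $text = "$line".Trim()
        if ($text -match '^Active forwards:') { $section = 'active'; continue }
        if ($text -match '^Configured but inactive forwards:') { $section = 'inactive'; continue }
        if ($text -eq '' -or $text -eq 'None') { continue }
        switch ($section) {
            'active'   { $active += $text }
            'inactive' { $inactive += $text }
        }
    }

    foreach ($host in $Indexer) {
        $target = "${host}:$Port"
        # Test-NetConnection reports whether the TCP handshake to the receiving port succeeds.
        $tcp = Test-NetConnection -ComputerName $host -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Indexer       = $host
            Port          = $Port
            TcpReachable  = [bool]$tcp.TcpTestSucceeded
            ForwardActive = ($active -contains $target)
            Configured    = (($active + $inactive) -contains $target)
        }
    }
}

# Usage on an Exchange server: every row should show TcpReachable and ForwardActive as True.
# Test-ExchangeForwarder -Indexer 'splunk-idx1.example.com', 'splunk-idx2.example.com' | Format-Table
```

A row with TcpReachable False points at a firewall or a wrong receiving port on the indexer; TcpReachable True with ForwardActive False usually means outputs.conf on the forwarder names a different host:port than the one you tested, or the forwarder has not been restarted since the TAs were deployed.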
Generate lookup tables
After you have installed the app and confirmed that you are receiving Exchange data into your central Splunk instance, you must then generate the lookup tables that the Splunk App for Microsoft Exchange uses.
Important: You must wait about 10 to 15 minutes after you have confirmed that the central Splunk instance correctly indexes Exchange data before you run this procedure.
To generate the lookups:
1. Log into your central Splunk instance.
2. Once logged in, open the Splunk App for Microsoft Exchange.
3. Generate the lookups shown below by selecting the appropriate menu item under Searches & Reports > Lookup Builder:
- Lookup - Database Information
- Lookup - Host Information
- Lookup - Performance Monitoring
Note: You only need to run each lookup once.
If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.1, 2.1.1, 2.1.2