Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

How to deploy the Splunk App for Microsoft Exchange

This topic details the deployment procedure for the Splunk App for Microsoft Exchange.

There are several main steps to installing the Splunk App for Microsoft Exchange:

  • First, you install universal forwarders on the Exchange servers in your environment.
  • Next, you configure the universal forwarders with technology add-ons that come with the Splunk App for Microsoft Exchange installation package.
  • Then, you configure the Splunk App for Microsoft Exchange on your central Splunk instance to receive and search the incoming data.

To deploy the Splunk App for Microsoft Exchange into your environment, perform the following steps:

Install and configure universal forwarders on your Exchange servers

1. Install a universal forwarder on each Exchange server in your environment.

Note: Do not enable any of the inputs when installing the universal forwarder.

Configure and deploy the Splunk App for Microsoft Exchange technology add-ons

2. Review and, if needed, edit the configurations of the Splunk App for Microsoft Exchange technology add-ons (TAs) that must be installed on the universal forwarders running on each Exchange server included in your deployment.

Note: The TAs can be found in the Splunk App for Microsoft Exchange installation package, in Splunk_for_Exchange\appserver\addons. Review the configuration files within each TA to ensure that it sends data to the proper index(es) on the central Splunk instance. If you need to make changes to the index(es) that the TAs send data to, then follow the instructions in "Make configuration changes to match your existing environment".

3. Install or deploy the appropriate TA(s) for each Exchange server role into the universal forwarders on each Exchange server. The table below shows you which TAs should be installed onto each Exchange server in your environment.

If your Exchange server runs:  and it holds this Exchange role:  then install or deploy these TA(s):
-----------------------------  --------------------------------  -----------------------------------
Exchange 2007                  Client Access Server              TA-Exchange-2007-CAS
                                                                 TA-Windows-2003-Exchange-IIS
                               Edge Transport                    TA-Exchange-2007-HubTransport
                               Hub Transport                     TA-Exchange-2007-HubTransport
                               Mailbox Server                    TA-Exchange-2007-MailboxStore
Exchange 2010                  Client Access Server              TA-Exchange-2010-CAS
                                                                 TA-Windows-2008R2-Exchange-IIS
                               Edge Transport                    TA-Exchange-2010-HubTransport
                               Hub Transport                     TA-Exchange-2010-HubTransport
                               Mailbox Server                    TA-Exchange-2010-MailboxStore
Exchange 2013                  Client Access Server              TA-Exchange-2013-ClientAccess
                                                                 TA-Windows-2012-Exchange-IIS
                               Mailbox Server                    TA-Exchange-2013-Mailbox

Important:

  • If you have a Splunk deployment server and want to use it to deploy the app, then copy the TA folders into %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
  • If you do not have a deployment server, or do not want to use one to deploy the app, then you must manually copy the appropriate TA(s) to %SPLUNK_HOME%\etc\apps on the Exchange server(s) from which you want to get Exchange logs. Review the table above to determine on which servers you should install the TAs.
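The manual-copy path above, as an added PowerShell example that is not part of the Splunk documentation: it copies the TAs the table calls for and reports any Exchange TA on the host that does not match the server's roles, which helps catch gaps or stray inputs in log collection. The function name, the short role keys and both path parameters are assumptions made for this sketch.

```powershell
# Added example. Role-to-TA map transcribed from the table above; the short
# role keys (ClientAccess, EdgeTransport, ...) are names chosen for this script.
$TaMap = @{
    '2007' = @{
        ClientAccess  = @('TA-Exchange-2007-CAS', 'TA-Windows-2003-Exchange-IIS')
        EdgeTransport = @('TA-Exchange-2007-HubTransport')
        HubTransport  = @('TA-Exchange-2007-HubTransport')
        Mailbox       = @('TA-Exchange-2007-MailboxStore')
    }
    '2010' = @{
        ClientAccess  = @('TA-Exchange-2010-CAS', 'TA-Windows-2008R2-Exchange-IIS')
        EdgeTransport = @('TA-Exchange-2010-HubTransport')
        HubTransport  = @('TA-Exchange-2010-HubTransport')
        Mailbox       = @('TA-Exchange-2010-MailboxStore')
    }
    '2013' = @{
        ClientAccess  = @('TA-Exchange-2013-ClientAccess', 'TA-Windows-2012-Exchange-IIS')
        Mailbox       = @('TA-Exchange-2013-Mailbox')
    }
}

function Install-ExchangeTA {
    param(
        [string]$Version,        # '2007', '2010' or '2013'
        [string[]]$Roles,        # roles this server holds
        [string]$AddonSource,    # assumed: unpacked ...\Splunk_for_Exchange\appserver\addons
        [string]$AppsDir         # assumed: the forwarder's %SPLUNK_HOME%\etc\apps
    )
    if (-not $TaMap.ContainsKey($Version)) { throw "No TAs listed for Exchange $Version" }
    $expected = @(foreach ($role in $Roles) {
        if (-not $TaMap[$Version].ContainsKey($role)) {
            throw "No TA listed for role '$role' on Exchange $Version"
        }
        $TaMap[$Version][$role]
    }) | Sort-Object -Unique
    foreach ($ta in $expected) {
        $src = Join-Path $AddonSource $ta
        if (-not (Test-Path $src -PathType Container)) { throw "Not in package: $src" }
        if (-not (Test-Path (Join-Path $AppsDir $ta))) {
            Copy-Item -Path $src -Destination $AppsDir -Recurse
        }
    }
    # Flag TAs from the table that are on this host but do not match its roles.
    $known = $TaMap.Values | ForEach-Object { $_.Values } | ForEach-Object { $_ }
    $extra = Get-ChildItem $AppsDir | Where-Object {
        $_.PSIsContainer -and ($known -contains $_.Name) -and ($expected -notcontains $_.Name)
    } | ForEach-Object { $_.Name }
    New-Object PSObject -Property @{ Expected = $expected; Unexpected = @($extra) }
}
```

On an Exchange 2010 server holding the Client Access and Hub Transport roles, call it with -Version 2010 -Roles ClientAccess,HubTransport and the two paths; a non-empty Unexpected list means a TA for another role or Exchange version is present on that host.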

4. Next, install a full Splunk instance that has an outbound connection to the Internet.

Note: This server should be separate from the central Splunk App for Microsoft Exchange instance and any Exchange servers which also run universal forwarders.

5. Configure the instance to be a heavy forwarder, and to send data to indexers in the central Splunk App for Microsoft Exchange instance.

6. Deploy the TA-SMTP-Reputation TA onto this instance.

Important: Be sure to edit the reputation.conf file within the TA so that it contains the IP addresses of all of your outbound mail servers.

7. Confirm that all of the Exchange servers that you want to include in the deployment write their Exchange log data to the default locations, in the default formats. If they do not, review "Where and how the Splunk App for Microsoft Exchange expects to find your logs" in this manual for instructions on configuring the app to account for the changes in logging locations.

Install and configure the central Splunk instance

1. Install a full copy of Splunk or designate an existing installation as your "central" Splunk instance.

Note: If you're using an existing installation, be sure to review "Other deployment considerations" in this manual and make any configuration changes to the Splunk App for Microsoft Exchange before proceeding.

2. Download the Splunk App for Microsoft Exchange package.

3. Install the Splunk App for Microsoft Exchange onto your central Splunk instance.

4. Download and install the Supporting Add-on for Active Directory on the central Splunk instance.

5. Confirm that the universal forwarders on each of the Exchange server hosts can connect to the central Splunk instance.

6. Restart your central Splunk instance to ensure that all changes take effect.

Generate lookup tables

After you have installed the app and confirmed that you are receiving Exchange data into your central Splunk instance, you must then generate the lookup tables that the Splunk App for Microsoft Exchange uses.

Important: You must wait about 10 to 15 minutes after you have confirmed that the central Splunk instance correctly indexes Exchange data before you run this procedure.

To generate the lookups:

1. Log in to your central Splunk instance.

2. Once logged in, open the Splunk App for Microsoft Exchange.

3. Generate the lookups shown below by selecting the appropriate menu item under Searches & Reports > Lookup Builder:

  • Lookup - Database Information
  • Lookup - Host Information
  • Lookup - Performance Monitoring

Note: You only need to run each lookup once.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.

Last modified on 27 August, 2013

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.1, 2.1.1, 2.1.2

