Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Upgrade the Splunk App for Microsoft Exchange

If you wish to upgrade to the Splunk App for Microsoft Exchange version 2.1, you must understand the changes between the previous version and this one. You must also follow some procedures to ensure that the new version of the app sees the existing data.

If your Splunk App for Microsoft Exchange deployment is large or complex, you might want to consult Splunk's Professional Services team for assistance.

Differences between versions 1.x and 2.1

The major differences between version 1.x and 2.1 of the Splunk App for Microsoft Exchange are:

  • The app provides new PowerShell-based scripted data inputs for the following features:
    • Mailbox Audit (Provides information on user activities in a mailbox, such as delegation, access by someone other than the owner, and so on. The user that runs Splunk must have the ability to read mailbox audit logs to use this feature.)
    • Distribution Lists
    • Inbox Rules (Provides data on what rules users add to mail that arrives in their inbox)
    • Client Access Server (CAS) throttling rules (Provides data on how the CAS limits logon attempts into Exchange.)
  • The app provides two new dashboards: the Internal Spamming Reports view provides information on users that send large quantities of messages to large numbers of recipients in a short period of time, and the Distribution List Expansions dashboard gives you additional information on the distribution lists within your organization.
  • The app provides several new macros which help you gain insight on message tracking operations.
  • The app no longer includes the TA_bes5 and TA_Forefront-Security-for-Exchange technology add-ons.
  • The app no longer provides data visualization for Blackberry Enterprise Server (BES) and Forefront Security for Exchange. If you already collect BES data, you will not lose it, but you must install the Add-on for Blackberry Enterprise Server 5 onto the central Splunk instance to see it.
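The new scripted inputs only return data if the account that runs the universal forwarder can read the corresponding Exchange objects. The following check is an added example, not part of the Splunk App for Microsoft Exchange; it assumes you run it in the Exchange Management Shell while logged on as that forwarder account, and it exercises the cmdlet family behind each of the four inputs so that a missing permission shows up before the input silently returns nothing.

```powershell
# Added example (not from the Splunk app). Run in the Exchange Management Shell
# as the account the Splunk universal forwarder on this Exchange server uses.
# Written to stay compatible with the PowerShell 2.0 shell of Exchange 2010.

# Mailbox Audit data only exists for mailboxes with auditing switched on,
# so first count the mailboxes that will never produce any audit events.
$notAudited = @(Get-Mailbox -ResultSize Unlimited -WarningAction SilentlyContinue |
    Where-Object { -not $_.AuditEnabled })
Write-Host ("Mailboxes with AuditEnabled = False: {0}" -f $notAudited.Count)

# One mailbox to use as the target for the per-mailbox cmdlets.
$sample = Get-Mailbox -ResultSize 1 -WarningAction SilentlyContinue |
    Select-Object -First 1

# Each entry maps a scripted input to the cmdlet it depends on.
$checks = @(
    @{ Name = 'Mailbox Audit'; Test = {
        Search-MailboxAuditLog -Identity $sample.Identity -ShowDetails `
            -LogonTypes Admin,Delegate `
            -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
            -ResultSize 1 -ErrorAction Stop } },
    @{ Name = 'Distribution Lists'; Test = {
        Get-DistributionGroup -ResultSize 1 -WarningAction SilentlyContinue -ErrorAction Stop } },
    @{ Name = 'Inbox Rules'; Test = {
        Get-InboxRule -Mailbox $sample.Identity -ErrorAction Stop } },
    @{ Name = 'CAS throttling'; Test = {
        Get-ThrottlingPolicy -ErrorAction Stop } }
)

# Run every check; -ErrorAction Stop turns access-denied into a catchable error.
$results = foreach ($c in $checks) {
    try {
        & $c.Test | Out-Null
        $ok = $true; $err = ''
    } catch {
        $ok = $false; $err = $_.Exception.Message
    }
    New-Object PSObject -Property @{ Input = $c.Name; Readable = $ok; Error = $err }
}
$results | Select-Object Input, Readable, Error | Format-Table -AutoSize
```

Any row with Readable = False names an input that will stay empty in Splunk until the forwarder account is granted read access to that object type.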

Differences between versions 2.0 and 2.1

The major differences between versions 2.0 and 2.1 of the Splunk App for Microsoft Exchange are:

  • Fewer supporting app requirements - SideView Utils and Google Maps are no longer required.

Upgrade from version 1.x to version 2.1

Follow these steps to upgrade the Splunk App for Microsoft Exchange from version 1.x to 2.1:

Download and install the SA-ldapsearch supporting add-on

Before you upgrade the Splunk App for Microsoft Exchange, you must download and install the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) on all servers in your central Splunk instance.

Upgrade the technology add-ons on your Exchange servers

Once you have installed SA-ldapsearch into the central Splunk instance, you must then upgrade the technology add-ons on the universal forwarders on your Exchange servers.

  • The upgraded TAs are inside the Splunk App for Microsoft Exchange installation package, at Splunk_for_Exchange\etc\appserver\addons.
  • If you use a deployment server, read "Deploy configurations for all server roles" in this manual for instructions on how to use the deployment server to distribute the upgraded TAs to your Splunk App for Microsoft Exchange environment.
  • If you have deployed either the TA_bes5 (Blackberry Enterprise Server v5) or the TA_Forefront-Security-for-Exchange (Forefront-Security for Exchange) TAs, note that there is no upgrade for these TAs.

Configure message tracking macros (if required)

Version 2.1 of the Splunk App for Microsoft Exchange includes two new message tracking macros:

  • msgtrack-inbound-senderip: This macro gets a list of IP addresses that have successfully sent email to your Exchange servers.
  • msgtrack-outbound-clientip: This macro gets a list of IP addresses that your Exchange servers have successfully sent email to.

If you currently customize the msgtrack-inbound-messages and msgtrack-outbound-messages macros by making changes to %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\macros.conf, then you must also configure these two additional macros. If you have not configured either of the older macros, you do not need to configure the new ones.

Upgrade the Splunk App for Microsoft Exchange

Next, install the new Splunk App for Microsoft Exchange on all servers in the central Splunk instance.

You can install the updated app in one of two ways:

  • By unpacking the app into %SPLUNK_HOME%\etc\apps on all servers in your central Splunk instance.
  • By using a deployment server to distribute the app onto all servers in your central Splunk instance.

Important: Do not install the app on the universal forwarders on your Exchange servers.

Finally, proceed to "Regenerate lookup tables" in this topic to complete the upgrade.

Upgrade from version 2.0 to version 2.1

To upgrade from version 2.0 to 2.1 of the Splunk App for Microsoft Exchange, follow these steps:

Upgrade the technology add-ons on your Exchange servers

Once you have installed SA-ldapsearch into the central Splunk instance, you must then upgrade the technology add-ons on the universal forwarders on your Exchange servers.

  • The upgraded TAs are inside the Splunk App for Microsoft Exchange installation package, at Splunk_for_Exchange\etc\appserver\addons.
  • If you use a deployment server, read "Deploy configurations for all server roles" in this manual for instructions on how to use the deployment server to distribute the upgraded TAs to your Splunk App for Microsoft Exchange environment.

Upgrade the Splunk App for Microsoft Exchange

Next, install the new Splunk App for Microsoft Exchange on all servers in the central Splunk instance.

You can install the updated app in one of two ways:

  • By unpacking the app into %SPLUNK_HOME%\etc\apps on all servers in your central Splunk instance.
  • By using a deployment server to distribute the app onto all servers in your central Splunk instance.

Important: Do not install the app on the universal forwarders on your Exchange servers.

Finally, proceed to "Regenerate lookup tables" in this topic to complete the upgrade.

Regenerate lookup tables

After you have upgraded the app and confirmed that you are receiving Exchange data into your central Splunk instance, you must then regenerate the lookup tables that the Splunk App for Microsoft Exchange uses.

To regenerate the lookups:

1. Log into your central Splunk instance.

2. Once logged in, open the Splunk App for Microsoft Exchange.

3. Run each of the lookups by selecting the appropriate menu item under Searches & Reports > Lookup Builder:

  • Lookup - Database Information
  • Lookup - Host Information
  • Lookup - Performance Monitoring

Note: You only need to run each lookup once.

For specifics on what the central Splunk instance is, read "What a Splunk App for Microsoft Exchange deployment looks like" in this manual.

Last modified on 06 February, 2013

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.1, 2.1.1, 2.1.2
