Install the central Splunk for Microsoft Exchange app instance
The central components of a Splunk App for Microsoft Exchange deployment are the Splunk indexer that stores Exchange data and the search head that searches the stored data. (Optionally, additional indexers and/or search heads can be added to the instance to increase indexing and searching bandwidth).
You install the following components on the central instance:
- The Splunk App for Microsoft Exchange app and all associated add-ons must be installed onto every search head in the central instance.
Before installing the Splunk App for Microsoft Exchange onto your central Splunk instance, make sure that you have provisioned the instance to support the level of indexing and interaction that you anticipate for your deployment. For more information on this, review:
Install Splunk
If you do not have an existing Splunk installation for the central Splunk instance, download the full Splunk package for your platform and follow the installation instructions in the core Splunk Enterprise documentation.
Install the Supporting Add-on for Active Directory (SA-ldapsearch)
Download and install the Supporting Add-on for Active Directory on all search heads in the deployment.
Install the central instance of Splunk App for Microsoft Exchange
This procedure assumes you have already installed Splunk on the host you intend to use as the indexer for your Exchange data.
1. Download the Splunk App for Microsoft Exchange from Splunk Apps.
2. Install the splunk_app_microsoft_exchange-x.x.x-xxxxxx.tgz file onto the search heads in your Splunk App for Microsoft Exchange instance.
Note: You can install the app by going into the Apps screen in Manager (Splunk 5.0) or Settings (Splunk 6.x) and clicking the Install app from file button. You can also unpack the installation package directly into %SPLUNK_HOME%\etc\apps on the machine.
3. Restart Splunk Enterprise on each machine in the instance.
4. Log back in to Splunk Enterprise.
Configure the central instance of Splunk App for Microsoft Exchange
Once you have installed the Splunk App for Microsoft Exchange on the central Splunk instance, you must configure the instance so that it collects all of the relevant Exchange data you want to monitor.
Configure NetBIOS to DNS domain name translation
Ensure that the Splunk App for Microsoft Exchange monitors all connections into Exchange properly by editing the NetBIOS-to-DNS domain name alias file.
Configure logon name normalization lookups
You can also tell the Splunk App for Microsoft Exchange to translate logon usernames to normalized logon names. To do so, create and/or edit %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local\active_directory.csv. You must create this file if it does not exist.
Each line in active_directory.csv contains three comma-separated strings. For example:
spl.com,jdoe,john.doe
The above example says "translate john.doe to jdoe@spl.com".
You can have any number of lines in this file. The contents of the file vary depending on how your users log into Exchange - whether it is through Outlook Web Access, Exchange Web Services or some other web-based mail agent. You can generate a list from Active Directory, if needed.
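The following is an added example, not code from the Splunk App for Microsoft Exchange: it validates an active_directory.csv in the three-column layout shown above (domain, account, logon name as seen in events) and applies the translation to sample logon names. The sample file content is constructed, and case-insensitive matching of logon names is an assumption of this example, not something the app documents.

```python
"""Validate a logon-name normalization lookup and apply it to event usernames.

Added example, not part of the Splunk App for Microsoft Exchange. The column
order domain,account,logon_name follows the documented sample line
"spl.com,jdoe,john.doe" (translate john.doe -> jdoe@spl.com).
"""
import csv
import io

# Constructed sample content for active_directory.csv (no real accounts).
SAMPLE_CSV = """\
spl.com,jdoe,john.doe
spl.com,asmith,alice.smith
corp.example,bjones,bob.jones
spl.com,jdoe,john.doe
bad line without enough fields
"""


def parse_lookup(text):
    """Return (mapping, problems).

    mapping:  logon name (lowercased; case-insensitivity is an assumption)
              -> "account@domain"
    problems: descriptions of lines that were skipped, so a bad file is
              caught before the app silently fails to translate names
    """
    mapping = {}
    problems = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not f.strip() for f in row):
            continue  # blank line
        if len(row) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        domain, account, logon = (f.strip() for f in row)
        if not (domain and account and logon):
            problems.append(f"line {lineno}: empty field")
            continue
        key = logon.lower()
        target = f"{account}@{domain}"
        # An identical repeated line is harmless; a conflicting one is not.
        if key in mapping and mapping[key] != target:
            problems.append(f"line {lineno}: {logon} already maps to {mapping[key]}")
            continue
        mapping[key] = target
    return mapping, problems


def normalize(logon, mapping):
    """Translate a logon name taken from an event; unknown names pass through."""
    return mapping.get(logon.strip().lower(), logon)


if __name__ == "__main__":
    lookup, issues = parse_lookup(SAMPLE_CSV)
    for issue in issues:
        print("skipped:", issue)
    for name in ("john.doe", "Alice.Smith", "unknown.user"):
        print(f"{name} -> {normalize(name, lookup)}")
```

Run it once against your real local\active_directory.csv before restarting the app: any line reported as skipped would otherwise be silently ignored by the lookup.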
Configure base searches and indexes used to gather data
Before starting the Splunk App for Microsoft Exchange, review %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\eventtypes.conf to make sure that all of the app's base searches are using the correct indexes.
If you need to make changes to this file, copy it to %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local before making the changes.
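As an added example (not the app's own code), the script below audits which index= terms the base searches in an eventtypes.conf reference and renders a local override that renames indexes, which is the change the text says to make in the local directory rather than in default. The stanza names and searches in the sample are constructed; only the [stanza] / key = value file layout with the SPL in the search key is the real eventtypes.conf format.

```python
"""Audit the indexes used by eventtypes.conf base searches and build a local override.

Added example, not part of the Splunk App for Microsoft Exchange. Sample
stanzas below are constructed, not the app's shipped file.
"""
import re

SAMPLE_EVENTTYPES = """\
# constructed sample, not the app's shipped file
[msexchange_client_access]
search = index=msexchange sourcetype=MSExchange:2013:IIS

[msexchange_message_tracking]
search = index=msexchange sourcetype=MSExchange:2013:MessageTracking

[msexchange_windows_events]
search = index=wineventlog sourcetype=WinEventLog:Application

[msexchange_no_index]
search = sourcetype=MSExchange:2013:Tracing
"""

# Matches index=foo or index="foo" inside an SPL search string.
INDEX_RE = re.compile(r"\bindex\s*=\s*\"?([^\s\"]+)\"?", re.IGNORECASE)


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}} (no line continuations)."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def indexes_in_search(search):
    """All index names referenced by an SPL search, lowercased."""
    return [m.lower() for m in INDEX_RE.findall(search)]


def audit(text, expected_indexes):
    """Return {stanza: problem} for base searches with no index or an unexpected one."""
    problems = {}
    expected = {i.lower() for i in expected_indexes}
    for name, keys in parse_conf(text).items():
        found = indexes_in_search(keys.get("search", ""))
        if not found:
            problems[name] = "no index= term; search falls back to the default index"
        else:
            bad = [i for i in found if i not in expected]
            if bad:
                problems[name] = "unexpected index: " + ", ".join(bad)
    return problems


def local_override(text, index_map):
    """Render local/eventtypes.conf stanzas whose index names change per index_map.

    Only stanzas that actually change are emitted, so the override stays small
    and everything else continues to come from default/eventtypes.conf.
    """
    lowered = {k.lower(): v for k, v in index_map.items()}

    def repl(match):
        return "index=" + lowered.get(match.group(1).lower(), match.group(1))

    out = []
    for name, keys in parse_conf(text).items():
        search = keys.get("search")
        if search is None:
            continue
        new_search = INDEX_RE.sub(repl, search)
        if new_search != search:
            out.append(f"[{name}]\nsearch = {new_search}\n")
    return "\n".join(out)


if __name__ == "__main__":
    for stanza, problem in audit(SAMPLE_EVENTTYPES, ["msexchange"]).items():
        print(f"{stanza}: {problem}")
    print(local_override(SAMPLE_EVENTTYPES, {"msexchange": "exchange_prod"}))
```

Point SAMPLE_EVENTTYPES at the contents of the default file and pass the indexes you actually created to audit(); the output of local_override() is what goes into the local directory.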
Configure display options and searches that gather data
Finally, review %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\macros.conf to ensure that the app properly uses the defined searches to gather data from your Exchange servers.
Configure Splunk to receive the data from the forwarders on your Exchange servers
You can enable receiving on a Splunk instance through Splunk Web or the CLI.
Important: By default, the Splunk App for Microsoft Exchange configures your instance of Splunk to receive data over TCP port 9997. If you need this to be a different port, you can change this value. You will also need to change it in a copy of the outputs.conf files on the universal forwarders installed on your Exchange servers.
Set up receiving with Splunk Web
Use Splunk Manager or Settings to set up a receiver:
1. Log into Splunk Web as admin on the machine that is to receive data from a forwarder.
2. Click Manager (or Settings on Splunk 6.x) in the upper right corner.
3. Select Forwarding and receiving in the Data area.
4. Click Add new in the Receive data section.
5. Specify the TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will listen for data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
6. Click Save.
Note: You must restart Splunk Enterprise to complete the process.
Set up receiving with the Splunk CLI
To access the CLI, first navigate to $SPLUNK_HOME\bin\.
To enable receiving, enter:
./splunk enable listen <port> -auth <username>:<password>
Splunk prompts you for your Splunk username (by default, admin) and password.
For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By default, receivers listen on port 9997, but you can specify any unused TCP port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
To disable receiving, enter:
./splunk disable listen -port <port> -auth <username>:<password>
- Read "Set up forwarding and receiving" in the core Splunk product documentation for an introduction to forwarding and receiving.
- Read "Configure forwarders with outputs.conf" in the core Splunk documentation for information about outputs.conf.
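The receiving procedure above has two things that commonly go wrong: the chosen port is already held by another listener, and the forwarders' outputs.conf ends up pointing at a different port than the receiver listens on. The following added example (not Splunk's own tooling) checks port availability with a bind attempt instead of reading netstat output, renders the receiver and forwarder stanzas from one port value, and verifies the two agree. The default of 9997 is the one the page documents; the inputs.conf [splunktcp://<port>] and outputs.conf [tcpout] formats are standard Splunk configuration; host names and the group name are constructed placeholders.

```python
"""Check the receiving port and keep receiver and forwarder configuration in step.

Added example, not Splunk's own code. Host names and the output group name
are constructed placeholders.
"""
import re
import socket

DEFAULT_PORT = 9997  # documented default receiving port


def port_is_free(port, host="0.0.0.0"):
    """True if nothing on this machine is bound to TCP <port>.

    A failed bind covers the same cases as reading netstat: splunkd,
    splunkweb or any other process already holding the port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def hold_ephemeral_port():
    """Open a listener on a free loopback port (used to demonstrate a busy port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def receiver_stanza(port=DEFAULT_PORT):
    """inputs.conf stanza that makes this Splunk instance listen for forwarders."""
    return f"[splunktcp://{port}]\ndisabled = 0\n"


def forwarder_stanza(indexer_host, port=DEFAULT_PORT, group="exchange_indexers"):
    """outputs.conf stanzas for a universal forwarder on an Exchange server."""
    return (
        "[tcpout]\n"
        f"defaultGroup = {group}\n\n"
        f"[tcpout:{group}]\n"
        f"server = {indexer_host}:{port}\n"
    )


def ports_match(receiver_conf, forwarder_conf):
    """True when every server=host:port in the forwarder conf uses the receiver's port."""
    recv = re.search(r"\[splunktcp://(\d+)\]", receiver_conf)
    if recv is None:
        return False
    servers = re.search(r"^server\s*=\s*(.+)$", forwarder_conf, re.MULTILINE)
    if servers is None:
        return False
    fwd_ports = {entry.strip().rsplit(":", 1)[-1] for entry in servers.group(1).split(",")}
    return fwd_ports == {recv.group(1)}


if __name__ == "__main__":
    port = DEFAULT_PORT
    print(f"port {port} free: {port_is_free(port)}")
    holder, busy = hold_ephemeral_port()
    print(f"port {busy} free while held: {port_is_free(busy)}")
    holder.close()
    recv = receiver_stanza(port)
    fwd = forwarder_stanza("exchange-indexer.example", port)
    print(recv)
    print(fwd)
    print("ports agree:", ports_match(recv, fwd))
    print(f"enable with: ./splunk enable listen {port} -auth <username>:<password>")
```

Run port_is_free() on the indexer before `./splunk enable listen`, and keep the same port value in the outputs.conf you distribute to the forwarders; ports_match() is a quick sanity check of the two files before restart.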
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3