Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Prepare and configure the add-ons

This topic discusses the preparations you need to make before installing the add-ons needed for the Splunk App for Microsoft Exchange into the universal forwarders installed on your servers.

As described previously, the Splunk App for Microsoft Exchange's suite of add-ons collects Exchange and other data, which you then send to the central Splunk App for Microsoft Exchange instance for viewing, reporting, and alerting. To ensure that you are collecting the right data, especially if you have an existing Splunk App for Microsoft Exchange installation, you should take a few moments to ensure that the suite of add-ons points toward the appropriate indexes and has the correct event types configured.

More information about the add-ons

The following table reminds you where you can find the add-ons that the Splunk App for Microsoft Exchange needs, and what each add-on provides.

Add-on: Where to find it: What it provides: Where to install it:
TA-Exchange-* In the Splunk App for Microsoft Exchange installation package, at splunk_app_microsoft_exchange \ appserver \ addons Exchange server data. There are versions for Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013. Universal forwarders on Exchange servers
TA-Windows-*-Exchange-IIS In the Splunk App for Microsoft Exchange installation package, at splunk_app_microsoft_exchange \ appserver \ addons Exchange IIS/Client Access server data, including event transformations. There are versions for the Windows Server 2003, Server 2008 R2, and Server 2012 families. Universal forwarders on Exchange servers
TA-DomainController-NT5 /
TA-DomainController-NT6
In the Splunk App for Microsoft Exchange installation package, at splunk_app_microsoft_exchange \ appserver \ addons Active Directory statistics Universal forwarders on AD domain controllers
TA-DomainController-2012r2 In the Splunk App for Microsoft Exchange installation package, at splunk_app_microsoft_exchange \ appserver \ addons Active Directory statistics for computers that run Windows Server 2012 R2 only. Requires the Splunk Add-on for Microsoft PowerShell. Universal forwarders on AD domain controllers
TA-DNSserver-NT5 /
TA-DNSServer-NT6
In the Splunk App for Microsoft Exchange installation package, at splunk_app_microsoft_exchange \ appserver \ addons Windows DNS server statistics, DNS server logs Universal forwarders on AD DNS servers
Splunk Add-on for Windows (Splunk_TA_Windows) On Splunk Apps. Windows statistics (Event logs, Registry/network/host/print monitoring)
  • All search heads in the deployment
  • All indexers in the deployment
  • All Windows servers from which you want Windows data
Splunk Add-on for PowerShell (SA-ModularInput-PowerShell On Splunk Apps. Extensions for PowerShell. The TA-DomainController-2012r2 add-on requires this add-on. Universal forwarders on Windows Server 2012 R2 machines
Splunk Supporting Add-on for Active Directory (SA-LDAPSearch On Splunk Apps. Extensions for PowerShell. The TA-DomainController-2012r2 add-on requires this add-on. All search heads in the deployment

Configure the add-ons that come with the Splunk App for Microsoft Exchange

The add-ons included with the Splunk App for Microsoft Exchange can be found in the installation package at splunk_app_microsoft_exchange\appserver\addons.

The add-ons are:

Exchange Add-ons

Add-on: Description:
TA-Exchange-2007-CAS For servers that run Exchange 2007 and hold the Client Access Server role
TA-Exchange-2007-HubTransport For servers that run Exchange 2007 and hold the Hub Transport server role
TA-Exchange-2007-MailboxStore For servers that run Exchange 2007 and hold the Mailbox Server role
TA-Exchange-2010-CAS For servers that run Exchange 2010 and hold the Client Access Server role
TA-Exchange-2010-HubTransport For servers that run Exchange 2010 and hold the Hub Transport server role
TA-Exchange-2010-MailboxStore For servers that run Exchange 2010 and hold the Mailbox Server role
TA-Exchange-2013-ClientAccess For servers that run Exchange 2013 and hold the Client Access Server role
TA-Exchange-2013-Mailbox For servers that run Exchange 2013 and hold the Mailbox Server role
TA-Windows-2003-Exchange-IIS For servers that run Windows Server 2003, to be installed on all servers that run the Exchange 2007 Client Access Server role
TA-Windows-2008R2-Exchange-IIS For servers that run Windows Server 2003, to be installed on all servers that run the Exchange 2010 Client Access Server role
TA-Windows-2012-Exchange-IIS For servers that run Windows Server 2003, to be installed on all servers that run the Exchange 2012 Client Access Server role
TA-SMTP-Reputation E-mail sender reputation, requires a server that has an outbound connection to the Internet

Active Directory Add-ons

Add-on: Description:
TA-DNSServer-NT5 For DNS Servers running Windows Server 2003/2003 R2 and earlier
TA-DNSServer-NT6 For DNS Servers running Windows Server 2008/2008 R2 and later
TA-DomainController-NT5 For Active Directory domain controllers running Windows Server 2003/2003 R2 and earlier
TA-DomainController-NT6 For Active Directory domain controllers running Windows Server 2008/2008 R2 and later
TA-DomainController-2012r2 For Active Directory domain controllers running Windows Server 2012 R2 and later. Requires the Splunk Add-on for PowerShell.

Configure the add-ons you downloaded separately

You must also configure the add-ons that you downloaded separately as part of the Splunk App for Microsoft Exchange installation. These add-ons are:

Add-on: Description:
Splunk_TA_Windows Provides Windows data. Enable the Security event log to collect the data for POP3 and IMAP4 services on Exchange Client Access Servers. Enable specific inputs in inputs.conf depending on the data that you want to collect. Then, deploy onto Windows and Exchange servers. Read "Review and edit configuration files" for details on how to enable the inputs.
SA-ModularInput-PowerShell Provides PowerShell extensions. The TA-DomainController-2012r2 add-on requires this add-on.

Review and edit configuration files

The Exchange and Active Directory add-ons ship with inputs enabled by default, and have been configured to send data to specific indexes. In a brand new installation, you do not need to make changes to these add-ons.

The Splunk Add-on for Windows, however, ships with all inputs disabled by default. It requires you to enable inputs prior to deployment.

To enable inputs:

1. Unpack the installation to an accessible location.

2. In the package, at Splunk_TA_Windows\default, copy inputs.conf to Splunk_TA_Windows\local.

3. Using a text editor, open Splunk_TA_Windows\local\inputs.conf for editing.

4. Enable the inputs for which you want data collected. Achieve this by setting the disabled attribute for the input to 0. For example, to enable the [WinEventLog://Security] event log input, change the input stanza so that it looks like the following:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

5. Save the file and close it.

Which inputs must be enabled?

To ensure maximum data coverage in the Splunk App for Microsoft Exchange, enable the following inputs in the Splunk Add-on for Windows:

Input: Supported page(s):
[WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System] POP3/IMAP4 access from Exchange Client Access Servers

Event Monitoring

[perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime] Performance Monitoring
Network Monitoring inputs Network Monitoring
Print Monitoring inputs Print Monitoring
Host Monitoring inputs Host Monitoring

Important: To collect information on POP3 and IMAP4 accesses from Exchange Client Access Servers, you must enable the Windows Security Event Log inputs ([WinEventLog://Security]). However, we recommend that you enable all three main Event Log inputs ([WinEventLog://Security], [WinEventLog://Application], and [WinEventLog://System]).

If you choose not to use the default Splunk App for Microsoft Exchange indexes

If you need to make changes to the index(es) that the add-ons send data to for any reason, then follow the instructions in "Make configuration changes to match your existing environment".

Last modified on 29 October, 2014
Enable auditing and local PowerShell script execution on Active Directory and Exchange servers   Install the add-ons into universal forwarders

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters