Make configuration changes to match your existing environment
As discussed in "Other deployment considerations", if you have an existing Splunk deployment and wish to use it to store your Splunk App for Microsoft Exchange data, then you must edit the configuration files in the Splunk App for Microsoft Exchange installation prior to deploying the app. This topic provides examples of the kind of edits you should make prior to deploying the app and the associated technology add-ons.
If you do not have an existing Splunk deployment, then do not proceed further in this topic. You do not need to make any of the configuration changes shown here.
- For information about how Splunk configuration files work, refer to "About configuration files" in the core Splunk Enterprise documentation.
Overview
By default, the Splunk App for Microsoft Exchange stores data in the following indexes:
- msexchange for Exchange data collected from Exchange servers.
- perfmon for performance metrics collected from Exchange servers.
- msad for Active Directory information and metrics.
- winevents for Windows event log information.
If you need to change where the Splunk App for Microsoft Exchange stores its data, then use these instructions to configure the Splunk App for Microsoft Exchange to use the existing indexes in your Splunk deployment.
Change the index(es) that the app sends data to
Follow these instructions to configure the index locations:
1. Unpack the splunk_app_microsoft_exchange-x.x.x-xxxxxx.tar.gz package into an accessible location, if you haven't already.
2. Determine the add-ons that you need to install, based on your Exchange Server layout.
Note: Read "Configure the Splunk App for Microsoft Exchange technology add-ons" in this manual for a table that shows which add-ons you need to install for each Exchange server role.
3. Once you have determined which add-ons you need to install, edit the configuration files for each of those add-ons, as follows:
- a. Locate the add-on folder within the splunk_app_microsoft_exchange archive you unpacked earlier.
- Note: You can find the add-on folders within splunk_app_microsoft_exchange\appserver\addons.
- b. In the local directory within each TA folder, create and open an inputs.conf for editing.
- Note: You might need to create the local directory within the add-on folder, if it does not exist.
- c. Open the inputs.conf in the default directory of the TA folder.
- d. Copy the input stanza text (in this case, the stanza which represents the input whose destination index you want to change) from default\inputs.conf.
- f. Paste the copied stanza into the newly-created local\inputs.conf within the TA directory.
- g. Change the index for that stanza by specifying the desired index for the index= attribute/value pair.
- Important: The index must already exist before you specify it in the configuration file.
- h. Save the inputs.conf file in local and close it.
- i. Close the inputs.conf file in default.
For example, if your environment runs Exchange Server 2007, and you want the Exchange Server 2007 Message Tracking logs to go into an index called msgtracking instead of the default msexchange, you would do the following:
- Open TA-Exchange-2007-HubTransport\default\inputs.conf in the TA-Exchange-2007-HubTransport add-on.
- Create and open local\inputs.conf in TA-Exchange-2007-HubTransport.
- Copy the [monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking] stanza from TA-Exchange-2007-HubTransport\default\inputs.conf.
- Paste the copied stanza in the new inputs.conf in TA-Exchange-2007-HubTransport\local\
- Configure the attribute/value pair index=msgtracking in the stanza, so that it looks like this:
    [monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
    whitelist=\.log$|\.LOG$
    sourcetype=MSExchange:2007:MessageTracking
    index=msgtracking
    queue=parsingQueue
    disabled=false
4. Make changes to the Splunk App for Microsoft Exchange event types configuration file, as follows:
- a. In the splunk_app_microsoft_exchange\local directory, create an eventtypes.conf.
- b. Open that file for editing.
- c. Open splunk_app_microsoft_exchange\default\eventtypes.conf.
- d. Copy the input stanza whose destination index you want to change from splunk_app_microsoft_exchange\default\eventtypes.conf.
- e. Paste the stanza into the splunk_app_microsoft_exchange\local\eventtypes.conf file.
- f. Modify the stanza within eventtypes.conf to use the new index.
Continuing from the previous example, the [msexchange-msgtrack] stanza searches the Message Tracking logs. Copy that stanza into Splunk_for_Exchange\local\eventtypes.conf and add index=msgtracking like this:
    [msexchange-msgtrack]
    search = index=msgtracking ((sourcetype=MSExchange:*:MessageTracking) OR (sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))
5. Repeat steps 3 and 4 for every input whose destination index you want to change.
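The following is an added example, not part of the Splunk documentation or the app's own code. It applies step 3 to the Message Tracking stanza and then checks step 4: every event type whose search matches an input's sourcetype must also name that input's index, otherwise the app's searches silently miss the re-routed data. The function names, the simplified .conf parser (no continuation lines) and the sample stanzas are assumptions constructed from the examples above.

```python
import fnmatch
import re

STANZA = r"monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking"
# Constructed sample data, based on the stanzas shown on this page.
DEFAULT_INPUTS = "[" + STANZA + "]\n" + r"""whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2007:MessageTracking
index=msexchange
queue=parsingQueue
disabled=false"""
SEARCH = ("((sourcetype=MSExchange:*:MessageTracking) OR "
          "(sourcetype=WinEventLog:Application SourceName=FSCTransportScanner))")
STALE_EVENTTYPES = "[msexchange-msgtrack]\nsearch = index=msexchange " + SEARCH  # step 4 skipped
FIXED_EVENTTYPES = "[msexchange-msgtrack]\nsearch = index=msgtracking " + SEARCH

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split on the first '=' only
            current[key.strip()] = value.strip()
    return stanzas

def local_override(default_text, stanza, new_index):
    """Text for local\\inputs.conf: the copied stanza with only index changed."""
    settings = dict(parse_conf(default_text)[stanza], index=new_index)
    return "\n".join([f"[{stanza}]"] + [f"{k}={v}" for k, v in settings.items()])

def mismatches(inputs_text, eventtypes_text):
    """(eventtype, input index) pairs where the search does not name the input's index."""
    found = []
    for inp in parse_conf(inputs_text).values():
        for name, et in parse_conf(eventtypes_text).items():
            search = et.get("search", "")
            patterns = re.findall(r"\bsourcetype\s*=\s*([^\s()]+)", search)
            indexes = set(re.findall(r"\bindex\s*=\s*([\w-]+)", search))
            matched = any(fnmatch.fnmatchcase(inp.get("sourcetype", ""), p) for p in patterns)
            if matched and inp.get("index") not in indexes:
                found.append((name, inp.get("index")))
    return found

if __name__ == "__main__":
    local = local_override(DEFAULT_INPUTS, STANZA, "msgtracking")
    print(local, mismatches(local, STALE_EVENTTYPES), sep="\n")
```

An event type search with no index= term at all is also reported, because it then depends on the default search indexes of the role that runs it.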
Configure the Sender Reputation add-on to use your outbound mail servers
To configure the mail servers that the mail sender reputation add-on will use when you deploy it:
1. In the TA-SMTP-Reputation\local directory, create a reputation.conf.
Note: A template of reputation.conf can be found in the TA-SMTP-Reputation\default directory.
2. Add a [mailservers] stanza to this file. Within the stanza, list the IP addresses of your outbound mail servers, like this:
    [mailservers]
    iplist = 10.10.100.57; 10.10.100.59
Note: Semicolons separate IP addresses within stanzas in reputation.conf.
Deploy your changes
Once you have made the changes you need to match your existing Splunk environment, you can deploy the add-ons and the Splunk App for Microsoft Exchange.
Note:
- If you use a deployment server to deploy the add-ons, then place the relevant add-ons for each Exchange server role into %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
- If you do not use a deployment server, then you must edit the configuration files for each add-on manually on each universal forwarder in the Splunk App for Microsoft Exchange deployment.
- The configuration file edits you must make depend specifically on which role(s) each Exchange server performs. Refer to "Configure the Splunk App for Microsoft Exchange add-ons" for specifics on where you should install the add-ons in your Exchange deployment.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3