What a Splunk App for Microsoft Exchange deployment looks like
This topic discusses the overall architecture of a Splunk App for Microsoft Exchange deployment.
Overview
At a minimum, a Splunk App for Microsoft Exchange deployment consists of a "central" Splunk App for Microsoft Exchange instance (which contains the index, runs Splunk Web, and is what users access to view the app) and a number of universal forwarders, one for each Exchange, Active Directory, or Windows server you want to include in the deployment.
The central Splunk instance can be one or more servers
A central Splunk instance can consist of one or more physical servers:
- An indexer that collects the data from itself or from other Exchange, Windows, and Active Directory servers.
- A search head that searches through the collected data and hosts the application.
These services can be on the same server. If you want to scale the deployment for additional performance or incoming data volume, you can distribute the central Splunk instance by adding indexers and search heads.
The central Splunk instance can run on any Splunk-supported operating system
You can deploy the Splunk App for Microsoft Exchange on *nix search heads and use *nix indexers to index the data. In this scenario, the *nix indexers must receive the data from Windows forwarders; they cannot collect Windows data themselves.
The Splunk App for Microsoft Exchange can monitor many Exchange, Active Directory, and Windows servers at once
The Splunk App for Microsoft Exchange supports collecting data from hundreds of machines. There are many ways to configure the Splunk App for Microsoft Exchange, depending on your network's topology.
You monitor additional servers with your Splunk App for Microsoft Exchange deployment by:
- Installing universal forwarders on each Exchange, Windows, or Active Directory server you want to include in the environment.
- Configuring the forwarders to send data to the indexers in the central Splunk instance.
- Deploying the appropriate included add-ons onto those forwarders.
The indexers in the central Splunk instance index the incoming data and make it available for viewing, searching, and reporting within the app.
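As an added example (not configuration from the Splunk documentation or shipped with the app), the forwarder-side outputs.conf and indexer-side inputs.conf that carry out the second step above, with the forwarder-to-indexer channel encrypted and mutually authenticated so that only known forwarders can feed the index. The hostnames, port and certificate paths are constructed placeholders.

```ini
# --- Universal forwarder (Exchange, AD or Windows server):
#     %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# Send everything the add-ons collect to the indexers of the central instance.
[tcpout]
defaultGroup = exchange_indexers

[tcpout:exchange_indexers]
# Placeholder hostnames. Listing every indexer lets the forwarder
# load-balance across them and keep sending if one goes down.
server = idx1.example.internal:9997, idx2.example.internal:9997
# Encrypt the channel and present a client certificate so the indexer
# can reject forwarders it does not know (paths are placeholders).
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = true

# --- Indexer (central Splunk instance):
#     $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Accept forwarder traffic only over TLS, and only from forwarders
# holding a certificate issued by the deployment's CA.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
requireClientCert = true
```

With requireClientCert set, a forwarder without a valid client certificate is refused at connection time, which is visible in splunkd.log on both sides when troubleshooting a server that never shows up in the app.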
About the Splunk for Microsoft Exchange add-ons
Each universal forwarder in the deployment contains one or more Splunk App for Microsoft Exchange add-ons that collect the data for the role(s) its Exchange server performs. There are additional add-ons for Active Directory and Windows servers as well. In every case, the universal forwarder sends that data to the central Splunk App for Microsoft Exchange instance.
Each add-on is a folder that contains files needed by the Splunk App for Microsoft Exchange to transform and extract data for a specific Exchange server role, Active Directory role, or Windows metric. Many of these add-ons are specific to the Splunk App for Microsoft Exchange and have names that represent the Exchange version and server role that they were designed for. Additional add-ons augment the Splunk App for Microsoft Exchange and must be downloaded separately.
The add-ons that come with the Splunk App for Microsoft Exchange can be found within %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons in the Splunk App for Microsoft Exchange installation package.
Additional details about the add-ons can be found in the following topics:
- Prepare and configure the add-ons
- Install the add-ons into universal forwarders
- Deploy configurations for all server roles
Example deployment
The diagram below depicts an example Splunk App for Microsoft Exchange deployment.
Each Exchange server on your network gets a Splunk universal forwarder. On that forwarder, you install the add-on which collects the appropriate data for the role that server plays. The add-on then sends that data to the indexer(s) in the central Splunk App for Microsoft Exchange instance.
The central Splunk App for Microsoft Exchange instance has at least a search head (with the Splunk App for Microsoft Exchange installed on it) and an indexer. The indexer indexes the Exchange data (as shown by the black arrows), and the search head searches the indexer for that data (as shown by the green arrow). The indexer returns events to the search head (blue arrow). Users log into the search head to use the app and see the data.
A Splunk App for Microsoft Exchange deployment has several additional options:
- You can install the included Active Directory add-ons onto AD servers to collect AD data and send it to the central Splunk App for Microsoft Exchange instance.
- You can install and enable the separately available Splunk Add-on for Windows on other Windows servers to collect Windows data from them.
- If any server in the central Splunk App for Microsoft Exchange instance is a Windows server, you can install the Splunk Add-on for Windows on that server to get Windows data.
- If you want mail sender reputation statistics and have a server with an outbound connection to the Internet, you can install a full Splunk Enterprise instance, configure it as a heavy forwarder, and then install the SMTP-Reputation add-on into that instance.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3