Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Platform and hardware requirements

This topic discusses the underlying requirements for running the Splunk App for Microsoft Exchange.

Hardware and Operating System requirements

Hardware requirements

The Splunk App for Microsoft Exchange installs onto a full Splunk Enterprise instance. It does not install onto a universal forwarder or a light forwarder, because it requires Splunk Web to function fully.

The app has memory, CPU, and disk requirements that are above the standard hardware requirements for the core Splunk Enterprise platform. The added resource requirements depend on how you deploy the app. Be sure to deploy hardware that meets or exceeds the hardware requirements listed in the core Splunk Enterprise documentation.

  • For additional details about supported versions of Windows for Splunk Enterprise, see "System requirements" in the core Splunk Enterprise documentation.
  • For information about estimating hardware requirements for a Splunk deployment, read the following core Splunk Enterprise documentation topic:

Operating system requirements

You can install the app on Splunk Enterprise instances that run on many current versions of Windows, including:

  • Windows XP, Vista, 7, and 8
  • Windows Server 2003/2003 R2, Server 2008/2008 R2, or Server 2012/2012 R2.

You can also install the Splunk App for Microsoft Exchange on a non-Windows Splunk Enterprise instance to display Windows data coming from external Windows sources.

Neither Splunk nor the Splunk App for Microsoft Exchange runs on:

  • Windows 95, 98, or Me
  • Windows NT Workstation or Server 3.1, 3.5, or 4.0
  • Windows 2000 Workstation or Server

What versions of Microsoft Exchange Server does the app support?

  • Exchange Server 2007 (requires Windows Server 2003 SP1 or Server 2003 R2 RTM or later)
  • Exchange Server 2010 (requires Windows Server 2008 SP2 or Server 2008 R2 SP1 or later)
  • Exchange Server 2013 (requires Windows Server 2012 RTM or later)

Caveats

Exchange Server 2003 is not supported because it does not have the level of logging capabilities that Exchange Server 2007 and Server 2010 do. The logging format for Exchange Server 2003 is also different from later versions of the product.

Exchange Server 2000 is also not supported.

What versions of Splunk does the app support?

  • All Splunk indexers and any Splunk search heads (the Splunk servers which index and search data on a distributed central Splunk instance) require Splunk version 6.0 or later.
  • All Splunk universal forwarders (which install onto Exchange servers and collect Exchange data) require version 6.0 or later.

What browsers does the Splunk App for Microsoft Exchange support?

The Splunk App for Microsoft Exchange supports all browsers that the current version of Splunk Enterprise supports, with the exception of Internet Explorer versions 7 or 8.

What are the other prerequisites?

The Splunk Add-on for Windows

In order to collect data from the Windows and Exchange servers in your environment, you need the Splunk Technology Add-on for Windows.

This add-on installs into the universal forwarder that you install on the Windows servers from which you want to collect Windows data. Optionally, it also installs onto all indexers in the central Splunk App for Windows instance for data collection (on Windows servers) and to add knowledge for extractions.

You can download the Splunk Add-on for Windows from Splunk Apps.

The Splunk Supporting Add-on for Active Directory

The Splunk Supporting Add-on for Active Directory (SA-Ldapsearch) must be installed on the central Splunk App for Microsoft Exchange instance.

You can download the Splunk Supporting Add-on for Active Directory from Splunk Apps.

Active Directory domain controller, DNS, and Exchange Server role add-ons

The suite of Splunk Add-ons for Active Directory domain controller, DNS, and Exchange Server roles must be installed on the central Splunk App for Microsoft Exchange instance. They must also be installed on universal forwarders on servers in the Splunk App for Microsoft Exchange deployment. The add-ons you must install on the forwarders depend on the roles that the servers run.

The installation package for the Splunk App for Microsoft Exchange includes this suite of add-ons. See "How to deploy the Splunk App for Microsoft Exchange."

PowerShell v2.0 or later

All servers from which you want to collect data - including those that participate in Exchange and Active Directory - require PowerShell 2.0 or later to be installed.

PowerShell is available on many Windows systems. If needed, you can download PowerShell 2.0 as part of the Windows Management Framework from Microsoft.

The Splunk Add-on for PowerShell

If you run Windows Server 2012 R2 and plan to deploy the TA_DomainController_2012R2 add-on to gather Active Directory statistics, you need to also download and install the Splunk Add-on for PowerShell. You install this add-on into universal forwarders on those servers.

You can download the Splunk Add-on for PowerShell from Splunk Apps.

The Java Standard Edition Runtime Environment version 1.7 or later

The Splunk Supporting Add-on for Active Directory (SA-Ldapsearch) requires the Java Standard Edition Runtime Environment version 1.7 or later. You can download the software package from Oracle.

Administrative access to Windows servers

You must have administrative access to all Windows servers - and especially Exchange servers - in the Splunk App for Microsoft Exchange deployment. The central servers require this access to install Splunk Enterprise. Any servers in the field also require this access to install universal forwarders. Splunk must run as a user with administrative access to the machine.

A proficient understanding of distributed Splunk deployments

If you plan for your Splunk App for Microsoft Exchange deployment to monitor a large number of Exchange servers, or even a small number, you must understand how distributed Splunk works. You must understand how the instance of Splunk Enterprise that hosts the app interacts with the universal forwarders that send data to the app. You must also understand what you need to do to increase search and indexing performance to make the app run faster. Read the following core Splunk topics for additional information:

Time (and patience)

Depending on the size of your Exchange network, it takes time to get a Splunk App for Microsoft Exchange deployment up and running correctly. You will spend time procuring hardware, identifying servers you want to monitor, installing the Splunk App for Microsoft Exchange and its associated add-ons, tweaking configurations, and troubleshooting any issues you come across. Whether or not you automate certain processes (through tools such as Splunk's deployment server or Microsoft's System Center) determines how much time you spend on the project.

If your deployment is large or complex, you might want to contact Splunk's Professional Services for assistance.

Last modified on 28 October, 2014

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3

