Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Deploy the Splunk Add-ons for Exchange

This topic discusses how to deploy the Splunk Add-ons for Exchange into deployment clients that you install onto your Exchange servers.

Which Exchange add-ons go where?

As with the other components of the Splunk App for Microsoft Exchange, you must add the Splunk Add-ons for Microsoft Exchange to the deployment server before you can deploy them to deployment clients.

The process for this set of add-ons is significantly more complex than with the Windows, AD, and DNS add-ons because there are so many of them. But the theory is the same - not every Windows server is an Exchange server, and since Splunk has provided support for different versions of Exchange, those versions require different add-ons to deal with the different logging formats that the Exchange versions use.

The execution is also the same - you must create a server class for each Exchange version and server role to account for all possible combinations. While this might seem daunting at first, once you create the server classes, you can add any new Exchange Server deployment clients to the right class based on the role that they play in your Exchange environment.

Take a moment to review the available add-ons for Exchange, and the versions of Windows Server and roles of Exchange Server they should be installed on:

| Add-on | Description |
|---|---|
| TA-Exchange-2007-CAS | For servers that run Exchange 2007 and hold the Client Access Server role |
| TA-Exchange-2007-HubTransport | For servers that run Exchange 2007 and hold the Hub Transport server role |
| TA-Exchange-2007-MailboxStore | For servers that run Exchange 2007 and hold the Mailbox Server role |
| TA-Exchange-2010-CAS | For servers that run Exchange 2010 and hold the Client Access Server role |
| TA-Exchange-2010-HubTransport | For servers that run Exchange 2010 and hold the Hub Transport server role |
| TA-Exchange-2010-MailboxStore | For servers that run Exchange 2010 and hold the Mailbox Server role |
| TA-Exchange-2013-ClientAccess | For servers that run Exchange 2013 and hold the Client Access Server role |
| TA-Exchange-2013-Mailbox | For servers that run Exchange 2013 and hold the Mailbox Server role |
| TA-Windows-2003-Exchange-IIS | For servers that run Windows Server 2003, to be installed on all servers that run the Exchange 2007 Client Access Server role |
| TA-Windows-2008R2-Exchange-IIS | For servers that run Windows Server 2008R2, to be installed on all servers that run the Exchange 2010 Client Access Server role |
| TA-Windows-2012-Exchange-IIS | For servers that run Windows Server 2012, to be installed on all servers that run the Exchange 2012 Client Access Server role |
| TA-SMTP-Reputation | E-mail sender reputation, requires a server that has an outbound connection to the Internet |

This is the same table shown in "More information about the Exchange add-ons."

Place the add-ons in the deployment apps directory on the deployment server

Before you define any server classes, put the new add-ons onto the deployment server:

1. Open a command prompt on the deployment server/indexer.

2. Copy the Splunk Add-ons for Microsoft Exchange folders from their current location to the deployment apps directory:

> Copy-Item -Path "C:\Downloads\splunk_app_microsoft_exchange\appserver\addons\TA-Exchange*" -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse -Force
> Copy-Item -Path "C:\Downloads\splunk_app_microsoft_exchange\appserver\addons\TA-Windows*" -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse -Force

3. Tell the deployment server to reload its deployment configuration.

> cd "\Program Files\Splunk\bin"
> .\splunk reload deploy-poll

4. From a web browser, log into Splunk Enterprise on the deployment server.

5. In the system bar, select Settings > Forwarder Management.

6. Click the Apps tab. You should see the TA-Exchange* and TA-Windows* add-ons in the list of apps.

Define new server classes for each Exchange server version and role

Define a new server class for each Exchange Server version and role. Then, assign the server classes to deployment clients that run the version of Exchange Server and host the Exchange Server role(s) that the server classes describe.

You must define up to eight server classes, depending on the version of Exchange Server that you run:

| Server Class Name | Add-ons to add to the server class |
|---|---|
| Exchange Server 2007 - CAS | TA-Exchange-2007-CAS, TA-Windows-2003-Exchange-IIS |
| Exchange Server 2007 - Hub Transport | TA-Exchange-2007-HubTransport |
| Exchange Server 2007 - Mailbox Store | TA-Exchange-2007-MailboxStore |
| Exchange Server 2010 - CAS | TA-Exchange-2010-CAS, TA-Windows-2008R2-Exchange-IIS |
| Exchange Server 2010 - Hub Transport | TA-Exchange-2010-HubTransport |
| Exchange Server 2010 - Mailbox Store | TA-Exchange-2010-MailboxStore |
| Exchange Server 2013 - Client Access | TA-Exchange-2013-ClientAccess, TA-Windows-2012-Exchange-IIS |
| Exchange Server 2013 - Mailbox | TA-Exchange-2013-Mailbox |
| SMTP Reputation | TA-SMTP-Reputation |

To define the server classes, use the following instructions:

1. Log back into the indexer.

2. From the system bar, select Settings > Forwarder Management.

3. Click the Server classes tab.

4. On the far right side of the window, click New Server Class.

5. Enter the Server Class name from the "Server Class Name" column in the table above.

6. Click Save. Splunk Enterprise loads the information page for the server class you just created.

Note: The page says that you have not added any apps or clients yet. This is okay, as you have just created the class.

7. Click Add apps. Splunk Enterprise loads the "Edit Apps" page.

8. Locate the add-on(s) in the "Add-ons to add to the server class" column of the table above.

9. Click each of the add-ons in the "Unselected Apps" pane on the left. The add-on moves to the "Selected Apps" pane on the right.

10. Click Save. Splunk Enterprise saves the configuration and returns you to the server class information page.

Repeat these steps for all server classes in the table above.

Add Exchange Server clients to the server class

Note: If you have not yet installed a universal forwarder on the Exchange servers, do so now, using the instructions in "Install a universal forwarder on each Windows host". Then continue with the following steps.

To assign the Exchange Server deployment client to the appropriate Exchange server class:

1. Note the version of Exchange Server that the client runs and any Exchange role(s) that it holds.

  • For example, if the host runs Exchange Server 2007 and holds the Client Access Server role, then it needs to be added to the "Exchange Server 2007 - CAS" server class.
  • If it also holds the Exchange Server 2007 Hub Transport role, then it also needs to be added to the "Exchange Server 2007 - Hub Transport" server class.
  • You might want to build a list of all your Exchange servers and the Exchange roles that the servers hold to make this process easier.

2. Log back into the indexer.

3. From the system bar, select Settings > Forwarder Management.

4. Click the Server Classes tab.

5. Select a server class from the list you created by clicking Edit in the Actions column for the class.

6. In the menu that pops up, click Edit clients. Splunk Enterprise loads the "Edit clients" page.

7. In the "Include (whitelist)" field, enter the name(s) of all hosts whose properties match the server class you are editing.

  • For example, if you are editing the "Exchange Server 2007 - CAS" server class, enter the names of hosts that run Exchange Server 2007 and hold the Client Access Server role.
  • You can separate multiple hosts with a comma.
  • You can also use wildcards to specify multiple hosts.

8. Click Preview. Splunk Enterprise updates the host list at the bottom and places check marks on the host(s) that match what you entered in the "Include (whitelist)" field.

9. Click Save. Splunk Enterprise adds the host(s) to the server class and deploys the add-ons associated with the class to the deployment clients.
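
The list of servers and roles suggested in step 1, combined with the server class table above, can be worked out before anything is typed into Forwarder Management. The following PowerShell is an added example, not part of the Splunk documentation: the inventory is constructed sample data with hypothetical host names, and `Get-ServerClassPlan` is a hypothetical helper. It prints the "Include (whitelist)" value for each server class, warns about version and role pairs that have no class, and lists add-ons that are not yet in the deployment apps directory.

```powershell
# Constructed sample inventory (hypothetical host names); replace with your own servers.
$Inventory = @(
    [pscustomobject]@{ Name = 'exch07-a';  Version = '2007'; Roles = @('CAS', 'Hub Transport') }
    [pscustomobject]@{ Name = 'exch10-mb'; Version = '2010'; Roles = @('Mailbox Store') }
    [pscustomobject]@{ Name = 'exch13-a';  Version = '2013'; Roles = @('Client Access', 'Mailbox') }
    [pscustomobject]@{ Name = 'exch13-b';  Version = '2013'; Roles = @('Hub Transport') } # no such class
)

# Server class -> add-ons, copied from the table on this page (SMTP Reputation is assigned by hand).
$ClassAddOns = [ordered]@{
    'Exchange Server 2007 - CAS'           = @('TA-Exchange-2007-CAS', 'TA-Windows-2003-Exchange-IIS')
    'Exchange Server 2007 - Hub Transport' = @('TA-Exchange-2007-HubTransport')
    'Exchange Server 2007 - Mailbox Store' = @('TA-Exchange-2007-MailboxStore')
    'Exchange Server 2010 - CAS'           = @('TA-Exchange-2010-CAS', 'TA-Windows-2008R2-Exchange-IIS')
    'Exchange Server 2010 - Hub Transport' = @('TA-Exchange-2010-HubTransport')
    'Exchange Server 2010 - Mailbox Store' = @('TA-Exchange-2010-MailboxStore')
    'Exchange Server 2013 - Client Access' = @('TA-Exchange-2013-ClientAccess', 'TA-Windows-2012-Exchange-IIS')
    'Exchange Server 2013 - Mailbox'       = @('TA-Exchange-2013-Mailbox')
}

function Get-ServerClassPlan {
    param([object[]]$Inventory, [string]$DeploymentApps)
    $members = @{}
    foreach ($srv in $Inventory) {
        foreach ($role in $srv.Roles) {
            $class = "Exchange Server $($srv.Version) - $role"
            if (-not $ClassAddOns.Contains($class)) {
                Write-Warning "$($srv.Name): no server class named '$class'"
                continue
            }
            if (-not $members.ContainsKey($class)) { $members[$class] = @() }
            $members[$class] += $srv.Name
        }
    }
    foreach ($class in $ClassAddOns.Keys) {
        if (-not $members.ContainsKey($class)) { continue }
        # Add-ons that were never copied into deployment-apps cannot be deployed.
        $missing = @($ClassAddOns[$class] | Where-Object { -not (Test-Path -LiteralPath "$DeploymentApps\$_") })
        [pscustomobject]@{
            ServerClass = $class
            Whitelist   = ($members[$class] | Sort-Object -Unique) -join ','
            AddOns      = $ClassAddOns[$class] -join ', '
            Missing     = $missing -join ', '
        }
    }
}

Get-ServerClassPlan -Inventory $Inventory -DeploymentApps 'C:\Program Files\Splunk\etc\deployment-apps' | Format-List
```

Comparing each Whitelist value with the hosts that Preview checks in step 8 shows whether a wildcard entry matches more hosts than intended before the add-ons are deployed.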

Add the Exchange deployment clients to the "universal forwarder" server class

In the same way that you added the Exchange Server deployment clients to the Exchange server classes to deploy the Exchange add-ons, you must also add the client to the "universal forwarder" server class. This does two things:

  • Deploys the Splunk Add-on for Windows to the clients, which enables the client to collect Windows data from the Exchange server.
  • Deploys the "send to indexer" app to the clients, which enables the client to forward Windows and Exchange data to the indexer.

To add the Exchange client to the "universal forwarder" server class, follow the instructions at "Add the universal forwarder to the server class."

What's next?

You have now deployed the Exchange add-ons onto your Exchange Server deployment clients. In the future, you can use this procedure to deploy the add-on(s) to additional client(s).

Next, you will confirm that Exchange data is coming into the indexer from the deployment client.

Last modified on 06 August, 2015

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
