Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk Add-ons for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Troubleshoot TA-Exchange-Mailbox

The TA-Exchange-Mailbox add-on should install on your Exchange Server hosts without problems as long as you configure it for the version of Exchange Server you run before you deploy it.

If you do not configure the add-on for your version of Exchange Server before you deploy it, then the add-on only collects data inputs that are common to all supported versions of Exchange Server. This results in missing data that is specific to your version of Exchange Server. See Configure TA-Exchange-Mailbox for the procedure to configure the add-on and distribute it to your Exchange Server hosts.

If you upgrade from an earlier version of the Splunk App for Microsoft Exchange, complete the upgrade instructions in the Splunk App for Microsoft Exchange manual to ensure that the add-on collects all Exchange Server data for the version of Exchange Server that you run.

Mailbox audit log collection failure

Mailbox audit log collection failure produces the below error log. 

Search-MailboxAuditLog : The requesting account doesn't have permission to access the audit log.
At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-Mailbox\bin\powershell\read-mailbox-audit-logs_2010_2013.ps1:49char:2
+     Search-MailboxAuditLog -Identity $Identity -LogonTypes Owner,Delegate,Admin -Sh ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogAccessDeniedException
    + FullyQualifiedErrorId : [Server=SRRZ2EXC01,RequestId=a61a5900-6e29-4b12-b703-680246db44d4,TimeStamp=16.11.2016 0
   7:25:13] [FailureCategory=Cmdlet-AuditLogAccessDeniedException] 55A06F96,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog

The mailbox audit log script is unable to read the timestamp of each mailbox. To fix this issue

  1. Navigate to C:/Windows/Temp on your Forwarder/Exchange Server machine.
  2. Delete splunk-msexchange-auditfile.clixml and splunk-msexchange-mailboxauditlogs.clixml.
Last modified on 06 February, 2017
Configure TA-Exchange-Mailbox   Overview of TA-Exchange-HubTransport

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters