Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange

This documentation does not apply to the most recent version of the Splunk App for Microsoft Exchange; see the latest version of the manual for current instructions.

Install the Splunk App for Microsoft Exchange on a search head cluster

The Splunk App for Microsoft Exchange can be installed in a search head cluster. The procedure differs from the one for a stand-alone search head: you install and configure everything on the deployer, then push it to the cluster members.

This topic contains basic instructions on how to install and configure the Splunk App for Microsoft Exchange on a search head cluster. To learn more about how to install and configure search head clusters, see "Deploy a search head cluster" in the Distributed Search manual.

The tasks to set up the Splunk App for Microsoft Exchange on a search head cluster are:

  1. Configure a search head cluster, including a separate instance for the search head cluster deployer.
  2. Install the Splunk Add-on for Windows on the deployer.
  3. Install the Splunk Add-on for Microsoft Active Directory on the deployer.
  4. Install the Splunk Add-on for Windows DNS on the deployer.
  5. Install the Splunk Supporting Add-on for Active Directory on the deployer.
  6. Install the Splunk App for Microsoft Exchange on the deployer.
  7. On the deployer, add the exchange_admin role to the user that runs the app.
  8. On the deployer, configure search peers that have Exchange and Windows data.
  9. Run the first-time setup on the deployer.
  10. Push the app, add-ons, and configurations to the search head cluster members.
  11. If you run Splunk Enterprise 6.3 or earlier on-premises, add the exchange_admin role to the user that runs the app on each search head cluster member.
  12. Build lookups on one search head cluster member.

Configure the search head cluster

To install the Splunk App for Microsoft Exchange on a search head cluster, you must have a cluster configured.

When you designate hosts for a search head cluster, always install new instances of Splunk Enterprise. If you attempt to add an existing instance to a search head cluster, the process overwrites any configurations or apps that reside on the instance.

Also, designate a separate host as a search head cluster deployer.

To configure a search head cluster, see "Deploy a search head cluster" in the Distributed Search manual.

Install the Splunk Add-on for Windows on the deployer

Install the Splunk Add-on for Windows onto the search head cluster deployer instance.

1. In a web browser, proceed to the Splunk Add-on for Windows download page.

2. Click the download link to start the download.

  • Make sure you download the latest version of the add-on.
  • You might need to sign in with your Splunk account before the download starts.

3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.

4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

Install the Splunk Add-ons for Microsoft Active Directory and Windows DNS

To get the event transformations that the app needs to function properly, you must install the Splunk Add-ons for Microsoft Active Directory and Windows DNS onto the deployer, which later pushes them to the search head cluster.

1. Proceed to the Splunk Add-on for Microsoft Active Directory download page.

2. Click the download link to start the download.

3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.

4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

5. Repeat these steps for the Splunk Add-on for Windows DNS.

6. Configure both add-ons to disable data inputs.

Disable inputs on the add-ons to prevent data duplication

  1. In the %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD directory on the deployer, create a local directory.
  2. Copy inputs.conf from %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD\default to %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD\local.
  3. Edit %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD\local\inputs.conf.
  4. In each stanza, set the disabled attribute to true. Search head cluster members must not collect Active Directory or DNS data themselves; forwarders on the domain controllers and DNS servers already do that, and leaving the inputs enabled would index the same events twice.
  5. Save the file and close it.
  6. Repeat these steps for the Splunk Add-on for Windows DNS, using Splunk_TA_Microsoft_DNS as the add-on name.
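The same procedure as a PowerShell script, added here as an example and not part of the Splunk documentation or the add-ons. It creates the local directory, rewrites default\inputs.conf into local\inputs.conf with disabled = true as the first setting of every stanza (dropping any disabled line the default file already carries), and then verifies that the number of disabled settings matches the number of stanzas. It assumes Splunk Enterprise is installed under C:\Program Files\Splunk; change $SplunkHome if your deployer differs.

```powershell
# Added example (not Splunk's code): disable every input stanza of the
# Microsoft AD and Windows DNS add-ons on the deployer before they are pushed
# to the search head cluster members.
$SplunkHome = 'C:\Program Files\Splunk'                 # assumption: default install path
$AddOns     = @('Splunk_TA_Microsoft_AD', 'Splunk_TA_Microsoft_DNS')

function Disable-InputsConf {
    param([string]$AppDir)
    $defaultConf = Join-Path $AppDir 'default\inputs.conf'
    $localDir    = Join-Path $AppDir 'local'
    $localConf   = Join-Path $localDir 'inputs.conf'

    if (-not (Test-Path $defaultConf)) {
        throw "No default\inputs.conf under $AppDir; is the add-on unpacked there?"
    }
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null

    # Walk default\inputs.conf line by line: keep each stanza header, put
    # 'disabled = true' directly under it, and drop any pre-existing 'disabled'
    # setting so the file cannot end up with two conflicting values.
    $out = New-Object System.Collections.Generic.List[string]
    foreach ($line in Get-Content -Path $defaultConf) {
        if ($line -match '^\s*\[.*\]\s*$') {
            $out.Add($line.Trim())
            $out.Add('disabled = true')
        }
        elseif ($line -match '^\s*disabled\s*=') {
            continue
        }
        else {
            $out.Add($line)
        }
    }
    Set-Content -Path $localConf -Value $out -Encoding ASCII

    # Verify: one 'disabled = true' per stanza, and at least one stanza.
    $stanzas  = @(Select-String -Path $localConf -Pattern '^\s*\[').Count
    $disabled = @(Select-String -Path $localConf -Pattern '^\s*disabled\s*=\s*true\s*$').Count
    if ($stanzas -eq 0 -or $stanzas -ne $disabled) {
        throw "$($AppDir): $disabled of $stanzas stanzas disabled; inspect $localConf"
    }
    Write-Host "$($AppDir): $stanzas stanza(s) disabled in local\inputs.conf"
}

foreach ($app in $AddOns) {
    Disable-InputsConf -AppDir (Join-Path $SplunkHome "etc\apps\$app")
}
```

Run it once on the deployer after unpacking both add-ons. Because local\inputs.conf is merged stanza by stanza over default\inputs.conf, a disabled = true line in every stanza is what guarantees that no input remains active on the cluster members after the bundle is pushed.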

Install the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) on the deployer

Next, install the Splunk Supporting Add-on for Active Directory on the deployer:

1. In a web browser, proceed to the Splunk Supporting Add-on for Active Directory download page.

2. Click the download link to start the download.

  • Make sure you download the latest version of the add-on.
  • You might need to sign in with your Splunk account before the download starts.

3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.

4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

Install the Splunk App for Microsoft Exchange on the deployer

Next, install the Splunk App for Microsoft Exchange on the deployer.

1. Download the Splunk App for Microsoft Exchange if you have not already.

2. Use an archive utility such as WinZip or tar to unarchive the file to %SPLUNK_HOME%\etc\apps on the deployer.

3. Restart Splunk Enterprise on the deployer.

Add the exchange_admin role to the user that will run the app on the deployer

The exchange_admin role is required to run the first-time setup on the search head cluster deployer instance.

  1. Log into Splunk Enterprise on the deployer.
  2. Navigate to Settings > Access controls and click on Roles.
  3. Under Role name, select the admin role.
  4. Navigate to the Inheritance section and, under Available roles, click exchange_admin to move it to Selected roles.
  5. Click Save.

Note: If you do not see the exchange_admin role in the list, make sure that you have installed the application, as described in "Install the Splunk App for Microsoft Exchange on the deployer".

Add search peers with Exchange data to the deployer

Before the first-time setup can complete, you must add at least one search peer (indexer) that holds Exchange and Active Directory data.

If you followed the instructions in this manual, then you already have an indexer with Exchange data. Configure this host as a search peer to the deployer.

If you have not collected Exchange data yet, then follow the setup chapters in this manual to get this data before continuing:

  • Set up basic infrastructure
  • Get Windows data
  • Get Active Directory data
  • Get Domain Name Service (DNS) data
  • Get Exchange data

To configure a search peer:

1. From the deployer, log into Splunk Enterprise.

2. Click Settings > Distributed search.

3. In the Actions column, next to Search peers, click Add new.

4. In the Peer field, enter the host name or IP address and management port number of the search peer (indexer) that contains the Exchange data. For example, if the host name is idx1.mycompany.com, enter idx1.mycompany.com:8089. If the management port is not the default, use the port number that you configured.

5. In the Remote username field, enter the user that the deployer should use to authenticate into the search peer. This user must be an existing user on the search peer, and must have the 'admin' role.

6. In the Remote password field, enter the password for the user that the deployer should supply to the search peer when it connects.

7. In the Confirm password field, re-enter the password you used in the previous step.

8. Click Save. The deployer saves the configuration and authenticates into the search peer.

9. Restart Splunk Enterprise on the deployer.
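The same peer registration from the deployer's command line, added here as an example rather than taken from the Splunk documentation. It uses the Splunk CLI's add search-server, list search-server and remove search-server commands (confirm the exact syntax with splunk help on your version), prompts for both credentials instead of embedding them in the script, and verifies that the peer is listed before you start first-time setup. The host name idx1.mycompany.com, the port 8089 and the SPLUNK_HOME path are placeholders.

```powershell
# Added example (not Splunk's code): register an indexer that holds Exchange
# and AD data as a search peer of the deployer, verify it, and show the
# matching removal for after first-time setup.
$SplunkHome = 'C:\Program Files\Splunk'                 # assumption: default install path
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$Peer       = 'idx1.mycompany.com:8089'                 # placeholder indexer:management port

# Two different identities: the admin on the deployer itself and an admin-role
# user on the indexer. Get-Credential keeps both out of the script and the
# shell history; note that the splunk CLI still receives them as arguments.
$local  = Get-Credential -Message 'Admin on the deployer'
$remote = Get-Credential -Message 'Admin-role user on the search peer'
$localAuth = '{0}:{1}' -f $local.UserName, $local.GetNetworkCredential().Password

& $Splunk add search-server $Peer -auth $localAuth `
    -remoteUsername $remote.UserName `
    -remotePassword $remote.GetNetworkCredential().Password
if ($LASTEXITCODE -ne 0) { throw "Could not add $Peer as a search peer of the deployer." }

# Confirm the peer is registered before running the first-time setup.
& $Splunk list search-server -auth $localAuth

# Optional, after first-time setup completes: the deployer only needed the peer
# to validate the data, so remove it again to keep the deployer out of the
# search path.
# & $Splunk remove search-server $Peer -auth $localAuth
```

As with the web procedure, restart Splunk Enterprise on the deployer after adding the peer.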

Run the first-time setup experience on the deployer

Next, log into Splunk Enterprise and start the first-time setup experience.

1. On the deployer, log into Splunk Enterprise. The app has not yet been pushed to the cluster members at this point, so the setup must run on the deployer.

2. Open the Splunk App for Microsoft Exchange. From the system bar, click Apps > Splunk App for Microsoft Exchange.

3. Follow the prompts and confirm that you have all the data that the app needs.

4. (Optional) After the first-time setup completes, remove the search peers from the deployer.

Distribute the app, add-ons, and configurations to the other search head cluster members

1. From a PowerShell prompt on the deployer, copy the app and add-ons, including the local configurations you created, to the search head cluster apps directory. Quote the paths: C:\Program Files contains a space, and Copy-Item fails on the unquoted form.

Copy-Item -Path 'C:\Program Files\Splunk\etc\apps\Splunk_TA_windows' -Destination 'C:\Program Files\Splunk\etc\shcluster\apps' -Recurse -Force
Copy-Item -Path 'C:\Program Files\Splunk\etc\apps\Splunk_TA_Microsoft_AD' -Destination 'C:\Program Files\Splunk\etc\shcluster\apps' -Recurse -Force
Copy-Item -Path 'C:\Program Files\Splunk\etc\apps\Splunk_TA_Microsoft_DNS' -Destination 'C:\Program Files\Splunk\etc\shcluster\apps' -Recurse -Force
Copy-Item -Path 'C:\Program Files\Splunk\etc\apps\SA-ldapsearch' -Destination 'C:\Program Files\Splunk\etc\shcluster\apps' -Recurse -Force
Copy-Item -Path 'C:\Program Files\Splunk\etc\apps\splunk_app_microsoft_exchange' -Destination 'C:\Program Files\Splunk\etc\shcluster\apps' -Recurse -Force

2. From a command or shell prompt on the deployer, push the app, add-ons, and configurations to the search head cluster members:

splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

In this command:

  • -target specifies the URI and management port of one of the search head cluster members. For example, if one of the members is splunk2.mycompany.com, you would specify https://splunk2.mycompany.com:8089.

3. The deployer displays the following message:

Warning: Depending on the configuration changes being pushed, this command
might initiate a rolling-restart of the cluster members. Please refer to the
documentation for the details.  Do you wish to continue? [y/n]:

Proceed by responding to the message with y.

4. Wait for the deployer to send the configuration bundle to the search head cluster members.
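The staging and push steps as one script, added here as an example and not part of the Splunk documentation. Beyond copying the five directories, it checks before pushing that every app is present under shcluster\apps and that the AD and DNS add-ons carry a local\inputs.conf with every stanza disabled, since a bundle pushed with those inputs enabled would have each cluster member collecting (and duplicating) AD and DNS data. It assumes SPLUNK_HOME is C:\Program Files\Splunk and that splunk2.mycompany.com:8089 is one of the cluster members; both are placeholders.

```powershell
# Added example (not Splunk's code): stage the app and add-ons on the deployer,
# sanity-check the staged bundle, then push it to the search head cluster.
$SplunkHome = 'C:\Program Files\Splunk'                 # assumption: default install path
$Staging    = Join-Path $SplunkHome 'etc\shcluster\apps'
$Target     = 'https://splunk2.mycompany.com:8089'      # placeholder: any one cluster member
$Apps       = @('Splunk_TA_windows', 'Splunk_TA_Microsoft_AD', 'Splunk_TA_Microsoft_DNS',
                'SA-ldapsearch', 'splunk_app_microsoft_exchange')
$DisabledTAs = @('Splunk_TA_Microsoft_AD', 'Splunk_TA_Microsoft_DNS')

function Copy-AppToStaging {
    param([string]$App)
    $src = Join-Path $SplunkHome "etc\apps\$App"
    if (-not (Test-Path $src)) { throw "Missing $src; install it before pushing the bundle." }
    # Variables carry the quoting, so the space in 'Program Files' is safe here.
    Copy-Item -Path $src -Destination $Staging -Recurse -Force
}

function Test-StagedBundle {
    foreach ($app in $Apps) {
        if (-not (Test-Path (Join-Path $Staging $app))) { throw "$app is not staged." }
    }
    # The AD and DNS add-ons must ship with all inputs disabled.
    foreach ($ta in $DisabledTAs) {
        $conf = Join-Path $Staging "$ta\local\inputs.conf"
        if (-not (Test-Path $conf)) { throw "$ta has no local\inputs.conf; its inputs are still enabled." }
        $stanzas  = @(Select-String -Path $conf -Pattern '^\s*\[').Count
        $disabled = @(Select-String -Path $conf -Pattern '^\s*disabled\s*=\s*(true|1)\s*$').Count
        if ($stanzas -eq 0 -or $stanzas -ne $disabled) {
            throw "$($ta): $disabled of $stanzas stanzas disabled; fix $conf before pushing."
        }
    }
}

New-Item -ItemType Directory -Path $Staging -Force | Out-Null
foreach ($app in $Apps) { Copy-AppToStaging -App $app }
Test-StagedBundle

# Prompt for the admin credential rather than hard-coding it. The password still
# reaches splunk.exe as a command-line argument, so run this interactively.
$cred = Get-Credential -Message 'Splunk admin on the target cluster member'
$auth = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
& (Join-Path $SplunkHome 'bin\splunk.exe') apply shcluster-bundle -target $Target -auth $auth
if ($LASTEXITCODE -ne 0) { throw 'Bundle push failed; see splunkd.log on the deployer.' }
```

The apply command still prints the rolling-restart warning shown above and waits for y; answer it from the same session.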

On Splunk Enterprise 6.3 and earlier only, add roles to all search head cluster members

If you run an on-premises version of Splunk Enterprise of 6.3 or earlier, you must manually add the exchange_admin role to the user that runs the app on the other search head cluster members. This is because those versions do not handle replication of user roles across search head cluster members automatically.

You do not need to perform this procedure if you run Splunk Cloud.

1. Log into Splunk Enterprise on a search head cluster member.

2. In the system bar, click Settings > Access controls.

3. Click Users.

4. Click the user that will run the application. Splunk Enterprise displays the information page for the user.

5. In the Assign to roles section, in the Available roles column, click exchange_admin. The role moves from the Available roles column to the Selected roles column.

Note: If you do not see the exchange_admin role in the list, make sure that you have distributed the apps and configurations as described in "Distribute the app, add-ons, and configurations to the other search head cluster members".

6. Click Save. Splunk Enterprise assigns the role to the user you selected.

7. Repeat this process on all the other search head cluster members.

Build lookups on one search head cluster member

To complete setup of the app, you need to build lookups for the app on one search head cluster member.

1. Log into Splunk Enterprise on a search head cluster member.

2. Open the Splunk App for Microsoft Exchange. In the system bar, select Apps > Splunk App for Microsoft Exchange.

3. In the menu bar, select Tools and Settings > Build lookups.

4. Wait for the lookup build process to complete.

5. Once the build completes, click Finish and go back.

You can now use the Splunk App for Microsoft Exchange. Visit the Reference manual for information on how to use the app dashboards.

Last modified on 29 March, 2017

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.4.1

