Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of MSExchange. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade from 3.0.x and earlier

This topic details how to upgrade from version 3.0.x and earlier to the latest version.

How to upgrade If you have a deployment server

Upgrade Splunk Enterprise if necessary

1. Upgrade Splunk Enterprise and universal forwarders on all hosts in the deployment to version 6.2 or later.

Download and unpack apps and add-ons

1. Download the following apps and add-ons from Splunk Apps and save them to an accessible location:

2. Use WinZip or another archive utility to unarchive the Splunk App for Microsoft Exchange and Splunk Add-on for Windows packages.

Configure and deploy add-ons to the deployment server

1. Configure the Splunk Add-on for Windows, as described in "Download and configure the Splunk Add-on for Windows."

2. Copy the following updated add-ons from the Splunk App for Microsoft Exchange installation package to the deployment apps directory on the deployment server:

  • The Splunk Add-on for Windows (Splunk_TA_windows)
  • The Splunk Add-ons for Active Directory: TA-DomainController-NT5/TA-DomainController-NT6
  • The Splunk Add-ons for Windows DNS: TA-DNSServer-NT5/TA-DNSServer_NT6
  • The Splunk Add-ons for Microsoft Exchange: TA-Exchange-*
PS > $exch_apps="C:\Downloads\splunk_app_microsoft_exchange\appserver\addons"
PS > foreach ( $source in @("C:\Downloads\Splunk_TA_windows","$exch_apps\TA-DomainController*","$exch_apps\TA-DNSServer*","$exch_apps\TA-Exchange*") ) { Copy-Item -Path $source -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse }

3. Log into Splunk Enterprise the deployment server.

4. Go to Forwarder Management.

5. If you do not already use server classes to group the hosts in your deployment, create them:

6. Deploy the add-ons to the appropriate Windows, Active Directory, and Exchange deployment clients, according to the following tables:

Exchange and DNS add-ons

If the Exchange server runs: and it holds this Exchange role: then install or deploy:
Exchange Server 2007 Client Access Server TA-Exchange-2007-CAS
TA-Windows-2003-Exchange-IIS
The Splunk Add-on for Windows Splunk_TA_Windows
Edge Transport TA-Exchange-2007-HubTransport
Splunk_TA_Windows
Hub Transport TA-Exchange-2007-HubTransport
Splunk_TA_Windows
Mailbox Server TA-Exchange-2007-MailboxStore
Splunk_TA_Windows
Exchange Server 2010 Client Access Server TA-Exchange-2010-CAS
TA-Windows-2008R2-Exchange-IIS
Splunk_TA_Windows
Edge Transport TA-Exchange-2010-HubTransport
Splunk_TA_Windows
Hub Transport TA-Exchange-2010-HubTransport
Splunk_TA_Windows
Mailbox Server TA-Exchange-2010-MailboxStore
Splunk_TA_Windows
Exchange Server 2013 Client Access Server TA-Exchange-2013-ClientAccess
TA-Windows-2012-Exchange-IIS
Splunk_TA_Windows
Mailbox Server TA-Exchange-2013-Mailbox
Splunk_TA_Windows

Active Directory add-ons

If the server: and it runs: then install or deploy:
does not have a role in Active Directory any supported version of Windows Server Splunk_TA_Windows
is a domain controller Windows Server 2003 or Server 2003 R2 Splunk_TA_Windows
TA-DomainController-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012 Splunk_TA_Windows
TA-DomainController-NT6
Windows Server 2012 R2 Splunk_TA_Windows
TA-DomainController-2012r2
is a DNS server Windows Server 2003 or Server 2003 R2 Splunk_TA_Windows
TA-DNSServer-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, Server 2012, or Server 2012 R2 Splunk_TA_Windows
TA-DNSServer-NT6
is a domain controller and a DNS server Windows Server 2003 or Server 2003 R2 Splunk_TA_Windows
TA-DomainController-NT5
TA-DNSServer-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012 Splunk_TA_Windows
TA-DomainController-NT6
TA-DNSServer-NT6
Windows Server 2012 R2 Splunk_TA_Windows
TA-DomainController-2012r2
TA-DNSServer-NT6

7. Install the updated Splunk Add-on for Windows onto all hosts in the central Splunk App for Microsoft Exchange instance.

8. Install the updated Splunk Supporting Add-on for Active Directory onto all search heads in the central Splunk App for Microsoft Exchange instance.

  • If you operate a search head cluster, install the add-on into the cluster master.

9. Install the updated Splunk App for Microsoft Exchange into all search heads in the central Splunk App for Microsoft Exchange instance.

  • If you operate a search head cluster, install the add-on into the cluster master.

10. Restart all servers in the central Splunk App for Microsoft Exchange instance in order for the changes to take effect.

Log in and run the first time experience

1. Log into Splunk Enterprise on a search head in the central Splunk App for Microsoft Exchange instance. This activates the first-time setup experience.

2. Proceed through the first-time setup experience. Address any missing data issues by following the on-screen prompts.

3. Wait. As part of the upgrade, the Splunk App for Microsoft Exchange builds an accelerated data model. Depending on the size of your environment, this can take time. See "Check data model build progress."

4. After the accelerated data model build has completed, use the app and confirm that all of the data is present and the pages show data as you expect.


How to upgrade if you do not have a deployment server

If you do not have a deployment server, this upgrade process helps you set one up.

A deployment server reduces deployment complexity and room for errors due to typos in configuration files. Once you complete setup, you then only need to make app and configuration changes in one place.

Read more about deployment server

See the following topics to learn more about deployment server:

Upgrade Splunk Enterprise if necessary

1. Upgrade Splunk Enterprise and universal forwarders on all hosts in the deployment to version 6.2 or later.

Download and unpack apps and add-ons

1. Download the following apps and add-ons from Splunk Apps and save them to an accessible location:

2. Use WinZip or another archive utility to unarchive the Splunk App for Microsoft Exchange and Splunk Add-on for Windows packages.

Activate a deployment server and define server classes

1. Configure the Splunk Add-on for Windows, as described in "Download and configure the Splunk Add-on for Windows."

2. Choose a host in your deployment that does not regularly experience high CPU or disk utilization and note the host name or IP address of the host.

  • If the host does not already have Splunk Enterprise installed on it, perform the installation.

3. On this host, log into Splunk Enterprise.

4. Create the "Send to indexer" app, as described in "Create the 'send to indexer' app."

5. Activate deployment server on the host by copying the following objects to the deployment apps directory:

  • The Splunk Add-on for Windows (Splunk_TA_windows).
  • The "Send to Indexer" app (sendtoindexer).
  • The Splunk Add-ons for Active Directory (TA-DomainController-*).
  • The Splunk Add-ons for Windows DNS (TA-DNSServer-*)
  • The Splunk Add-ons for Microsoft Exchange (TA-Exchange-*).
  • The SMTP Reputation Add-on (TA-SMTP-Reputation)
PS > $exch_apps="C:\Downloads\splunk_app_microsoft_exchange\appserver\addons"
PS > foreach ( $source in @("C:\Downloads\Splunk_TA_windows","C:\Program Files\Splunk\etc\apps\sendtoindexer","$exch_apps\TA-DomainController*","$exch_apps\TA-DNSServer*","$exch_apps\TA-Exchange*","$exch_apps\TA-SMTP-Reputation") ) { Copy-Item -Path $source -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse }

6. In Splunk Enterprise on the deployment server, define server classes:

7. Assign apps to the server classes according to the following table:

Server Class Name Add-ons to add to the Server Class
Universal Forwarder Splunk_TA_windows

sendtoindexer

Active Directory - Server 2003 TA-DomainController-NT5 (on Windows Server 2003)
Active Directory - Server 2008 TA-DomainController-NT6 (on Windows Server 2008)
Active Directory - Server 2012 R2 TA-DomainController-2012r2
Windows DNS - Server 2003 TA-DNSServer-NT5
Windows DNS - Server 2008 TA-DNSServer-NT6
Exchange Server 2007 - CAS TA-Exchange-2007-CAS

TA-Windows-2003-Exchange-IIS

Exchange Server 2007 - Hub Transport TA-Exchange-2007-HubTransport
Exchange Server 2007 - Mailbox Store TA-Exchange-2007-MailboxStore
Exchange Server 2010 - CAS TA-Exchange-2010-CAS

TA-Windows-2008R2-Exchange-IIS

Exchange Server 2010 - Hub Transport TA-Exchange-2010-HubTransport
Exchange Server 2010 - Mailbox Store TA-Exchange-2010-MailboxStore
Exchange Server 2013 - Client Access TA-Exchange-2013-ClientAccess

TA-Windows-2012-Exchange-IIS

Exchange Server 2013 - Mailbox TA-Exchange-2007-Mailbox
SMTP Reputation TA-SMTP-Reputation

8. Restart Splunk Enterprise on the deployment server.

Reconfigure universal forwarders as deployment clients

1. On every universal forwarder in the deployment, issue the following command to turn the forwarder into a deployment client:

PS > cd <Splunk Directory>\bin
PS > .\splunk set deploy-poll <host name or ip address of deployment server>:<port>
  • In the above example: <port> is the management port on the deployment server, and defaults to 8089.

2. On every universal forwarder in the deployment, remove the following add-ons from the Splunk apps directory (%SPLUNK_HOME%\etc\apps):

  • The Splunk Add-on for Windows.
  • The Splunk Add-ons for Active Directory (on Active Directory hosts).
  • The Splunk Add-ons for Microsoft Exchange (on Exchange hosts).
  • The SMTP Reputation add-on (from the host with the outbound connection to the Internet)

3. Restart the universal forwarders.

Confirm that the deployment server sees the universal forwarders

1. Log back into the deployment server.

2. Use Forwarder Management to confirm that universal forwarders have phoned in to the deployment server.

3. Assign the clients to the server classes you defined earlier.

Server Class Name Deployment clients to add to the server class
Universal Forwarder All clients
Active Directory - Server 2003 All clients that run Windows Server 2003 and are domain controllers
Active Directory - Server 2008 All clients that run Windows Server 2008+ and are domain controllers
Active Directory - Server 2012 R2 All clients that run Windows Server 2012 R2 and are domain controllers
Windows DNS - Server 2003 All clients that run Windows Server 2003 and run DNS Server
Windows DNS - Server 2008 All clients that run Windows Server 2008+ and run DNS Server
Exchange Server 2007 - CAS Exchange Server 2007 hosts that hold the Client Access Server role
Exchange Server 2007 - Hub Transport Exchange Server 2007 hosts that hold the Hub Transport role
Exchange Server 2007 - Mailbox Store Exchange Server 2007 hosts that hold the Mailbox Store role
Exchange Server 2010 - CAS Exchange Server 2010 hosts that hold the Client Access Server role
Exchange Server 2010 - Hub Transport Exchange Server 2010 hosts that hold the Hub Transport role
Exchange Server 2010 - Mailbox Store Exchange Server 2010 hosts that hold the Mailbox Store role
Exchange Server 2013 - Client Access Exchange Server 2013 hosts that hold the Client Access role
Exchange Server 2013 - Mailbox Exchange Server 2013 hosts that hold the Mailbox role
SMTP Reputation A client with an outbound connection to the internet

4. In Forwarder Management, confirm that the apps deploy to the correct hosts.

5. Log into Splunk Enterprise on a search head in the deployment.

6. Load the Search App.

7. Confirm that you see new data coming in from the deployment clients.

Log in and run the first time experience

1. Continuing on the search head, choose Apps > Splunk App for Microsoft Exchange. This activates the first-time setup experience.

2. Proceed through the first-time setup experience.

  • Address any missing data issues by following the prompts on-screen.

3. Wait. As part of the upgrade, the Splunk App for Microsoft Exchange builds an accelerated data model which, depending on the size of your environment, can take some time. You can check the progress of the data model build by following the instructions in "Check data model build progress."

4. After the accelerated data model build is complete, use the app and confirm that all of the data is present.

Migrate lookups to app key value store

The Splunk App for Microsoft Exchange uses app key value store to store its configurations.

When you upgrade the Splunk App for Microsoft Exchange, the guided setup experience migrates existing lookups into app key value store. If you want the process to run again after completing the upgrade, select Tools & Settings > Migrate lookups to KV store.

Last modified on 13 January, 2017
PREVIOUS
How to upgrade the Splunk App for Microsoft Exchange
  NEXT
Upgrade from version 3.1.x

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.4.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters