Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange



This documentation does not apply to the most recent version of MSExchange. Click here for the latest version.

Upgrade from version 3.2.x

These upgrade instructions help you replace existing add-ons for Microsoft Exchange, Active Directory, and Windows DNS with the updated versions that are available on Splunkbase. You must download these updated add-ons for the Splunk App for Microsoft Exchange to continue to work properly.

When you upgrade the Splunk App for Microsoft Exchange to the latest version, note the following:

  • The Splunk Add-ons for Microsoft Exchange, Microsoft Active Directory, and Windows DNS have changed significantly. They have new names (TA-Microsoft-Exchange*/TA-Windows-Exchange-IIS, TA-Microsoft-AD, and TA-Microsoft-DNS) and improved function. Instead of an add-on for each version of Windows or Exchange, the add-ons now support all versions of Windows and Exchange that Splunk Enterprise supports.
  • Instead of coming packaged with the Splunk App for Microsoft Exchange, all of these add-ons are now available as separate downloads on Splunkbase.
  • You must remove the existing add-ons and download and install the new add-ons.
  • The Splunk Add-ons for Microsoft Active Directory and Windows DNS must be installed on all search heads and indexers in the deployment.
  • The Splunk Add-ons for Microsoft Exchange replace the suite of individual add-ons that came with the Splunk App for Microsoft Exchange installation package. For more information about the updated Splunk Add-on for Microsoft Exchange, see Download and configure the Splunk Add-on for Microsoft Exchange.
  • For more information about the Splunk Add-ons for Microsoft Active Directory and Windows DNS, see About the Splunk Add-on for Microsoft Active Directory and About the Splunk Add-on for Windows DNS.


Download the updated Splunk App for Microsoft Exchange

  1. Download the Splunk App for Microsoft Exchange from Splunkbase.

Download the Splunk Add-on for Windows

  1. Download the Splunk Add-on for Windows from Splunkbase.

Download the new add-ons for Active Directory, Windows DNS, and Microsoft Exchange

  1. Download the Splunk Add-on for Microsoft Active Directory from Splunkbase.
  2. Download the Splunk Add-on for Windows DNS from Splunkbase.
  3. Download the Splunk Add-ons for Microsoft Exchange from Splunkbase.
  4. Unarchive the add-ons to a location that is accessible from all hosts in your Exchange deployment.

Use a deployment server to make updates to apps and configurations

This upgrade method is more streamlined than attempting to upgrade each host in the environment manually.

If you run more than one version of Exchange Server, then you must provision a deployment server for each version of Exchange Server that you run.

For example, if you had one deployment server prior to upgrading to version 3.3.0, and you administer both Exchange Server 2007 and Exchange Server 2010, then you must provision a second deployment server and assign hosts that run Exchange Server 2007 to one deployment server and hosts that run Exchange Server 2010 to the other. This is because the Splunk Add-ons for Microsoft Exchange have been merged and must now be configured for a single version of Exchange Server.

Upgrade the search head

The search head is the Splunk Enterprise instance that runs the Splunk App for Microsoft Exchange and shows all of the app data. These upgrade instructions should be performed on any host that has been designated as a search head in your Exchange deployment.

  1. Update the Splunk Add-on for Windows.
  2. Update the Splunk Supporting Add-on for Active Directory.
  3. Install the Splunk Add-on for Microsoft Active Directory.
  4. Install the Splunk Add-on for Windows DNS.
  5. Update the Splunk App for Microsoft Exchange.
  6. Restart Splunk Enterprise.

Upgrade the indexer

The indexer is the Splunk Enterprise instance that holds all of the data that the Splunk App for Microsoft Exchange has collected from Exchange, Active Directory, and Windows hosts. These instructions should be performed on any host that has been designated as an indexer in your Exchange deployment. If a host acts as both an indexer and a search head, perform these instructions, then perform the "Upgrade the search head" instructions.

  1. Upgrade the Splunk Add-on for Windows.
  2. Restart Splunk Enterprise.

Upgrade the forwarders

Each Windows Server, Active Directory, or Exchange Server host must receive the appropriate Active Directory, Exchange, or DNS Add-ons to continue collecting the right data. Additionally, each of these add-ons must be configured to collect the right set of data.

Prepare the new add-ons

  1. Copy the Splunk Add-ons for Microsoft Exchange (TA-Exchange-*, TA-Windows-Exchange-IIS) to the deployment apps directory (%SPLUNK_HOME%\etc\deployment-apps) on the deployment server.
  2. Copy the Splunk Add-on for Microsoft Active Directory (TA-Microsoft-AD) to the deployment apps directory on the deployment server.
  3. Copy the Splunk Add-on for Windows DNS (TA-Microsoft-DNS) to the deployment apps directory on the deployment server.
  4. Using a command prompt, PowerShell window, or Explorer window, go to the deployment apps directory on the deployment server.
  5. Within each Exchange add-on directory in the deployment apps directory, create a local directory. For example, in %SPLUNK_HOME%\etc\deployment-apps\TA-Exchange-ClientAccess, create %SPLUNK_HOME%\etc\deployment-apps\TA-Exchange-ClientAccess\local.
  6. For each Exchange add-on, copy the inputs.conf from the default directory of the add-on to the local directory you just created.
  7. For each Exchange add-on, use a text editor to edit the inputs.conf files in the local directory and enable stanzas for the version of Exchange Server that you run.
  8. If you have made any customizations to the old set of Exchange add-ons, copy and paste those configurations from the local directory of those add-ons into the local directory of the new Exchange add-ons.
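
Steps 5 and 6 can be scripted on the deployment server. The following PowerShell is an added example, not part of the Splunk documentation or the add-ons: it creates the local directory in each Exchange add-on, copies inputs.conf from default without overwriting an existing local copy, and lists each stanza's `disabled` setting so the edits in step 7 can be reviewed. It assumes SPLUNK_HOME is set; the fallback install path is a guess.

```powershell
# Added example: stage local\inputs.conf for each Exchange add-on (steps 5 and 6).
# Assumption: SPLUNK_HOME is set on the deployment server; the fallback path is a guess.
param(
    [string]$SplunkHome = $(if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' })
)

$deployApps = Join-Path $SplunkHome 'etc\deployment-apps'
if (-not (Test-Path -LiteralPath $deployApps -PathType Container)) {
    throw "Deployment apps directory not found: $deployApps"
}

# Add-on directory names as given on this page.
$addons = Get-ChildItem -LiteralPath $deployApps -Directory |
    Where-Object { $_.Name -like 'TA-Exchange-*' -or $_.Name -eq 'TA-Windows-Exchange-IIS' }

foreach ($addon in $addons) {
    $defaultConf = Join-Path $addon.FullName 'default\inputs.conf'
    $localDir    = Join-Path $addon.FullName 'local'
    $localConf   = Join-Path $localDir 'inputs.conf'

    if (-not (Test-Path -LiteralPath $defaultConf)) {
        Write-Warning "$($addon.Name): no default\inputs.conf, skipping"
        continue
    }
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null

    if (Test-Path -LiteralPath $localConf) {
        # Never overwrite: an existing local file may already hold customizations (step 8).
        Write-Warning "$($addon.Name): local\inputs.conf already exists, left untouched"
    } else {
        Copy-Item -LiteralPath $defaultConf -Destination $localConf
    }

    # Emit one object per stanza that carries a 'disabled' setting, for review in step 7.
    $stanza = $null
    foreach ($line in Get-Content -LiteralPath $localConf) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $stanza = $Matches[1] }
        elseif ($stanza -and $line -match '^\s*disabled\s*=\s*(\S+)') {
            [pscustomobject]@{ AddOn = $addon.Name; Stanza = $stanza; Disabled = $Matches[1] }
        }
    }
}
```

Pipe the output to `Format-Table` after editing to confirm that only the stanzas for your version of Exchange Server are enabled before you push the add-ons.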

Create server classes, push the new add-ons, and delete the old add-ons

  1. On the deployment server, create a server class for each of the new Exchange add-ons, the Splunk Add-on for Microsoft Active Directory, and the Splunk Add-on for Windows DNS.
  2. Assign the add-ons to the appropriate server class. For example, the TA-Exchange-HubTransport add-on should be assigned to the "Exchange HubTransport" server class.
  3. Assign the Windows Server, Exchange Server, and Active Directory hosts in your Exchange deployment to the appropriate server classes, depending on the roles that they perform. For example, Exchange Server hosts that hold the Hub Transport role should be assigned to the server class that has the TA-Exchange-HubTransport add-on assigned to it.
  4. Delete all of the old add-ons on the deployment server (for example, TA-DomainController-NT5, TA-Exchange-2013-Mailbox, and so on).
  5. Use the deployment server to push the new add-ons to all of the hosts in the deployment.
  6. Restart the deployment server.
  7. Restart all forwarders.

(Optional) Provision a second deployment server for a different version of Exchange Server

If you run multiple versions of Exchange Server in your environment, you must provision a second deployment server in the environment to handle the different version of Exchange Server. After you provision this second host, repeat the steps in "Prepare the new add-ons" for the different version of Exchange Server.

Upgrade the Splunk App for Microsoft Exchange without a deployment server

If you do not have a deployment server in your environment, you must perform these instructions manually.

Remove the old Splunk Add-ons for Active Directory and DNS Server

  1. On every domain controller in your Exchange environment that has a Splunk universal forwarder and the old TA-DomainController* add-on installed, remove the TA-DomainController* add-ons.
  2. On every DNS server in your environment that has a Splunk universal forwarder and the old TA-DNSServer* add-on installed, remove the TA-DNSServer* add-ons.

Install the new Splunk Add-ons for Microsoft Active Directory and Windows DNS

  1. Download the Splunk Add-ons for Microsoft Active Directory and Windows DNS from Splunkbase.
  2. Install the new Splunk_TA_Microsoft_AD add-on onto the domain controllers.
  3. Install the new Splunk_TA_Microsoft_DNS add-on onto the DNS servers.
  4. Restart the universal forwarders on all Active Directory domain controllers and DNS servers.

Upgrade the Splunk Add-ons for Microsoft Exchange

A deployment server makes this part of the upgrade easier.

  1. Download the Splunk Add-ons for Microsoft Exchange from Splunkbase.
  2. On every Exchange host in your environment that has a Splunk universal forwarder and the old TA-Exchange* and TA-Windows* add-ons installed, remove the TA-Exchange* add-ons.
  3. If the old TA-Windows-*-Exchange-IIS add-on is present on any host, remove it also.
  4. Install the new TA-Exchange-* add-on onto the Exchange hosts based on the role they perform.
  5. On hosts that hold the Exchange Server Client Access Server role, install the new TA-Windows-Exchange-IIS add-on.

Add the Splunk Add-ons for Microsoft Active Directory and Windows DNS to indexers and search heads

  1. Install the Splunk_TA_Microsoft_AD add-on into all Splunk Enterprise indexers and search heads in the deployment.
  2. Install the Splunk_TA_Microsoft_DNS add-on into all Splunk Enterprise indexers and search heads in the deployment.
  3. On the search heads, disable the data inputs on the add-ons.
  4. Restart Splunk Enterprise on all indexers and search heads in the deployment.

Upgrade the Splunk App for Microsoft Exchange

  1. Download the updated app installation package from Splunkbase and save it to an accessible location.
  2. Unpack the archive.
  3. Copy the splunk_app_microsoft_exchange folder to the %SPLUNK_HOME%\etc\apps folder on the search head(s) in the deployment.
  4. (Optional) If the operating system asks if you want to overwrite the existing folder, answer yes.
  5. Restart Splunk Enterprise on the search heads.
  6. Log back into Splunk Enterprise.
  7. From the Home page, activate the Splunk App for Microsoft Exchange. Choose Splunk App for Microsoft Exchange from the list of apps on the left.
Last modified on 13 January, 2017

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.4.1

