Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk Add-ons for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Release Notes for Splunk Add-ons for Microsoft Exchange

This topic contains information on new features, known issues, and updates for this version of the Splunk Add-ons for Microsoft Exchange.

Version 3.4.4 of the Splunk Add-ons for Microsoft Exchange was released on June 11, 2018.

What's new

In version 3.4.4, two new sourcetypes, MSWindows:2010EWS:IIS and MSWindows:2013EWS:IIS, have been added for monitoring EWS logs. These sourcetypes collect the data shown in the panels of the Exchange Web Services dashboard.

Known Issues

This version of the Splunk Add-ons for Microsoft Exchange has the following reported known issues and workarounds. If no issues appear below, no issues have yet been reported.


Date filed | Issue number | Description
2017-06-01 | EXC-2101, EXC-2052 | read-audit-logs_2010_2013.ps1 failure

Workaround:
Note: This workaround applies to Exchange Server 2016 and 2019 only.

This approach creates an Exchange Server session in which PowerShell runs the Exchange commands, and closes the session once the script has received the output of those commands.

Perform the following steps on the Splunk forwarder on the Exchange Server:

  • Changes to be made in TA-Exchange-Mailbox
  1. Add the exchangepowershell_mailbox2016.cmd file to the $SPLUNK_HOME\etc\apps\TA-Exchange-Mailbox\bin directory.

  2. Add the read-audit-logs_2016.ps1 and read-mailbox-audit-logs_2016.ps1 files to the $SPLUNK_HOME\etc\apps\TA-Exchange-Mailbox\bin\powershell directory.

  3. Add the following stanzas, which run the new files, to $SPLUNK_HOME\etc\apps\TA-Exchange-Mailbox\local\inputs.conf:

    [script://.\bin\exchangepowershell_mailbox2016.cmd v15 read-audit-logs_2016.ps1]
    source=Powershell
    sourcetype=MSExchange:2013:AdminAudit
    interval=300
    index=msexchange
    disabled=false

    [script://.\bin\exchangepowershell_mailbox2016.cmd v15 read-mailbox-audit-logs_2016.ps1]
    source=Powershell
    sourcetype=MSExchange:2013:MailboxAudit
    interval=300
    index=msexchange
    disabled=false

  4. Disable the following existing stanzas in $SPLUNK_HOME\etc\apps\TA-Exchange-Mailbox\default\inputs.conf as well as $SPLUNK_HOME\etc\apps\TA-Exchange-Mailbox\local\inputs.conf:

    [script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
    source=Powershell
    sourcetype=MSExchange:2013:AdminAudit
    interval=300
    index=msexchange
    disabled=true

    [script://.\bin\exchangepowershell.cmd v15 read-mailbox-audit-logs_2010_2013.ps1]
    source=Powershell
    sourcetype=MSExchange:2013:MailboxAudit
    interval=300
    index=msexchange
    disabled=true

 

  • Changes to be made in TA-Exchange-ClientAccess
  1. Add the exchangepowershell_clientaccess2016.cmd file to the $SPLUNK_HOME\etc\apps\TA-Exchange-ClientAccess\bin directory.

  2. Add the read-audit-logs_2016.ps1 file to the $SPLUNK_HOME\etc\apps\TA-Exchange-ClientAccess\bin\powershell directory.

  3. Add the following stanza, which runs the new files, to $SPLUNK_HOME\etc\apps\TA-Exchange-ClientAccess\local\inputs.conf:

    [script://.\bin\exchangepowershell_clientaccess2016.cmd v15 read-audit-logs_2016.ps1]
    source=Powershell
    sourcetype=MSExchange:2013:AdminAudit
    interval=300
    index=msexchange
    disabled=true

  4. Disable the following existing stanza in $SPLUNK_HOME\etc\apps\TA-Exchange-ClientAccess\default\inputs.conf as well as $SPLUNK_HOME\etc\apps\TA-Exchange-ClientAccess\local\inputs.conf:

    [script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
    source=Powershell
    sourcetype=MSExchange:2013:AdminAudit
    interval=300
    index=msexchange
    disabled=true

  • Change the Splunk logon user and restart the service
  1. Run the Splunk service as a domain service account with the required roles instead of as the Local System user.

    On the Exchange Server, go to Services > right-click the SplunkForwarder service > click Properties > go to the Log On tab > select This account > select the user or service account > OK.

  2. Restart the Splunk service.
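To confirm that the TA-Exchange-Mailbox inputs.conf edits above took effect, the following PowerShell check (an added example, not part of the Splunk add-on) layers local\inputs.conf over default\inputs.conf attribute by attribute and reports new stanzas that are missing or disabled and old stanzas that are still enabled. The function names and the sample conf text, including the disabled=false values shown for the default stanzas, are constructed for illustration.

```powershell
# Added example, not Splunk's code; the conf text further down is constructed.
# Later texts (local) override earlier ones (default) attribute by attribute.
function Get-EffectiveInputs([string[]]$ConfTexts) {
    $stanzas = [ordered]@{}
    foreach ($text in $ConfTexts) {
        $current = $null
        foreach ($line in ($text -split "`r?`n")) {
            $line = $line.Trim()
            if ($line -eq '' -or $line.StartsWith('#')) { continue }
            if ($line -match '^\[(.+)\]$') {
                $current = $Matches[1]
                if (-not $stanzas.Contains($current)) { $stanzas[$current] = @{} }
            } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
                $stanzas[$current][$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
    }
    $stanzas
}
# Report inputs that should run but do not, and old inputs that are still enabled.
function Test-AuditInputs($Effective, [string[]]$MustRun, [string[]]$MustBeOff) {
    $isOff = '^(true|1)$'
    foreach ($s in $MustRun) {
        if (-not $Effective.Contains($s)) { "MISSING: [$s]"; continue }
        if ($Effective[$s]['disabled'] -match $isOff) { "NOT RUNNING: [$s]" }
    }
    foreach ($s in $MustBeOff) {
        if ($Effective.Contains($s) -and $Effective[$s]['disabled'] -notmatch $isOff) { "STILL ENABLED: [$s]" }
    }
}
$defaultConf = @'
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled=false
[script://.\bin\exchangepowershell.cmd v15 read-mailbox-audit-logs_2010_2013.ps1]
disabled=false
'@
$localConf = @'
[script://.\bin\exchangepowershell_mailbox2016.cmd v15 read-audit-logs_2016.ps1]
disabled=false
[script://.\bin\exchangepowershell_mailbox2016.cmd v15 read-mailbox-audit-logs_2016.ps1]
disabled=false
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled=true
'@
$new = 'script://.\bin\exchangepowershell_mailbox2016.cmd v15 '
$old = 'script://.\bin\exchangepowershell.cmd v15 '
$run = "${new}read-audit-logs_2016.ps1", "${new}read-mailbox-audit-logs_2016.ps1"
$off = "${old}read-audit-logs_2010_2013.ps1", "${old}read-mailbox-audit-logs_2010_2013.ps1"
Test-AuditInputs (Get-EffectiveInputs $defaultConf, $localConf) $run $off
```

On the forwarder, replace the two here-strings with Get-Content -Raw on the add-on's default\inputs.conf and local\inputs.conf. No output means the stanzas are in the intended state.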

Fixed Issues

This version of the Splunk Add-ons for Microsoft Exchange has the following fixed issues.


Date resolved | Issue number | Description
2018-05-23 | EXC-2132, EXC-2231 | Splunk App for Microsoft Exchange's Exchange Web Services dashboard not populating with data
Last modified on 27 December, 2023

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.4

