Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk Add-ons for Microsoft Exchange



On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Troubleshoot TA-Exchange-Mailbox

The TA-Exchange-Mailbox add-on should install on your Exchange Server hosts without problems as long as you configure it for the version of Exchange Server you run before you deploy it.

If you do not configure the add-on for your version of Exchange Server before you deploy it, then the add-on only collects data inputs that are common to all supported versions of Exchange Server. This results in missing data that is specific to your version of Exchange Server. See Configure TA-Exchange-Mailbox for the procedure to configure the add-on and distribute it to your Exchange Server hosts.

If you upgrade from an earlier version of the Splunk App for Microsoft Exchange, complete the upgrade instructions in the Splunk App for Microsoft Exchange manual to ensure that the add-on collects all Exchange Server data for the version of Exchange Server that you run.

In a database availability group (DAG), the read-audit-logs_2010_2013.ps1 script indexes data only for the mailbox server on which it runs. You must therefore enable this script on every server in the DAG.

Mailbox audit log collection failure

A mailbox audit log collection failure produces the following error:

Search-MailboxAuditLog : The requesting account doesn't have permission to access the audit log.
At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-Mailbox\bin\powershell\read-mailbox-audit-logs_2010_2013.ps1:49char:2
+     Search-MailboxAuditLog -Identity $Identity -LogonTypes Owner,Delegate,Admin -Sh ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogAccessDeniedException
    + FullyQualifiedErrorId : [Server=SRRZ2EXC01,RequestId=a61a5900-6e29-4b12-b703-680246db44d4,TimeStamp=16.11.2016 0
   7:25:13] [FailureCategory=Cmdlet-AuditLogAccessDeniedException] 55A06F96,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog

The mailbox audit log script is unable to read the timestamp of each mailbox. To fix this issue:

  1. Navigate to C:/Windows/Temp on your Forwarder/Exchange Server machine.
  2. Delete splunk-msexchange-auditfile.clixml and splunk-msexchange-mailboxauditlogs.clixml.
Last modified on 16 July, 2020

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.2, 3.4.3, 3.4.4, 3.5.0

