Splunk® App for Microsoft Exchange

Deploy and Use the Splunk Add-ons for Microsoft Exchange

Configure TA-Exchange-ClientAccess

The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server that you run.

Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an inputs.conf file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.

Download and unpack the TA-Exchange-ClientAccess add-on

  1. Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
  2. Unpack the add-on bundle to an accessible location.

Create and edit inputs.conf

  1. Open a PowerShell window, command prompt, or Explorer window.
  2. Create a local directory within the TA-Exchange-ClientAccess add-on.
  3. Copy inputs.conf from the TA-Exchange-ClientAccess\default directory to the TA-Exchange-ClientAccess\local directory.
  4. Use a text editor such as Notepad to open the TA-Exchange-ClientAccess\local\inputs.conf file for editing.
  5. Modify the inputs.conf file so that the common data inputs and the inputs that are for the version of Exchange Server that you run are enabled. Do this by changing disabled = true to disabled = false for all input stanzas that are associated with your version of Exchange Server. See the example inputs.conf later in this topic.
  6. After you update the inputs.conf file, save it and close it.
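Steps 2 through 5 can also be scripted. The following PowerShell is an added example, not part of the Splunk documentation or the add-on. It assumes the bundle was unpacked to the hypothetical path in `$AddonRoot`, and it relies on the `####... - Start####` / `####... - End####` comment markers shown in the example inputs.conf in this topic to decide which stanzas to enable.

```powershell
# Added example (not Splunk's code). $AddonRoot is an assumed unpack location.
param(
    [string]$AddonRoot = 'C:\Temp\TA-Exchange-ClientAccess',
    [ValidateSet('2010', '2013/2016/2019')]
    [string]$Version = '2010'
)

$default = Join-Path $AddonRoot 'default\inputs.conf'
$local   = Join-Path $AddonRoot 'local\inputs.conf'

# Steps 2-3: create local\ and copy the shipped inputs.conf into it.
New-Item -ItemType Directory -Path (Split-Path $local -Parent) -Force | Out-Null
Copy-Item -LiteralPath $default -Destination $local -Force

# Step 5: enable only the common block and the block for $Version.
$wanted  = 'Common Stanzas', "Exchange Server $Version"
$block   = $null      # name of the marker block the current line sits in
$stanza  = $null      # most recent [stanza] header
$enabled = @()
$stray   = @()        # enabled inputs that belong to some other block

$edited = foreach ($line in Get-Content -LiteralPath $local) {
    $t = $line.Trim()
    if ($t -match '^####(.+) - (Start|End)####$') {
        $block = if ($Matches[2] -eq 'Start') { $Matches[1] } else { $null }
    }
    elseif ($t -match '^\[(.+)\]$') {
        $stanza = $Matches[1]
    }
    elseif ($t -match '^disabled\s*=\s*(\S+)$') {
        $isOff = $Matches[1] -in 'true', '1'
        if ($wanted -contains $block) {
            if ($isOff) { $line = 'disabled = false' }
            $enabled += $stanza
        }
        elseif (-not $isOff) { $stray += $stanza }
    }
    $line
}

# The shipped file is plain ASCII; avoid writing a byte-order mark.
Set-Content -LiteralPath $local -Value $edited -Encoding ASCII

$enabled | ForEach-Object { "enabled: [$_]" }
$stray   | ForEach-Object { Write-Warning "enabled outside selected blocks: [$_]" }
```

Review the `enabled:` list before you push the add-on. A warning means an input for a different Exchange Server version is active in the copy you are about to distribute.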

Distribute the add-ons

If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.

If you run more than one version of Exchange Server in your environment, set up a deployment server for each version of Exchange. This is because the Splunk Add-ons for Microsoft Exchange include data inputs for all versions of Exchange Server.

  1. Copy the TA-Exchange-ClientAccess add-on to the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server.
  2. Create a server class for all hosts that run Exchange Server and hold the Client Access Server role.
  3. Add all Exchange Server hosts that hold the Client Access Server role to this server class.
  4. Push the add-on to all hosts in this server class.

Example inputs.conf

The following inputs.conf listing is an example of how you should configure the TA-Exchange-ClientAccess add-on for installation on an Exchange Server 2010 host that holds the Client Access Server role. In this example, the Exchange Server 2010 block has had its input stanzas changed from disabled = true to disabled = false. All other data input blocks have not been changed.

Remember to save the inputs.conf file after editing it, as changes do not take effect until the file has been saved and the add-on has been pushed to Exchange Server hosts.

##################################################################################################
#User should enable the stanza specific to the exchange server version by setting disabled=false #
##################################################################################################

####Common Stanzas - Start####

[WinHostMon://Processes]
index = windows
interval = 10
disabled = false
type = process

[WinHostMon://Services]
index = windows
interval = 10
disabled = false
type = service

[perfmon://Total_Processor_Time]
index=perfmon
object=Processor
counters=% Processor Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Processor]
index=perfmon
object=Processor
counters=% User Time; % Privileged Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://System]
index=perfmon
object=System
counters=Processor Queue Length
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Available_Memory]
index=perfmon
object=Memory
counters=Available MBytes; Page Reads/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Memory]
index=perfmon
object=Memory
counters=Pool Nonpaged bytes; Pool Paged bytes; Cache Bytes; Committed Bytes; %Committed Bytes in Use; Transition Pages Repurposed/sec; Pages/sec; Pages Input/sec; Pages Output/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://DotNET_CLR_Memory]
index=perfmon
object=.NET CLR Memory
counters=% Time in GC; # Bytes in all Heaps
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Network_Utilization]
index=perfmon
object=Network Interface
counters=Bytes Total/sec; Packets Outbound Errors
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv4]
index=perfmon
object=TCPv4
counters=Connections Established; Connections Reset
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv6]
index=perfmon
object=TCPv6
counters=Connection Failures
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Control_Panel]
index=perfmon
object=MSExchange Control Panel
counters=Outbound Proxy Requests - Average Response Time; Requests - Average Response Time; ASP.Net Request Failures/sec; Explicit Sign-On Inbound Proxy Requests/sec; Explicit Sign-On Inbound Proxy Sessions/sec; Explicit Sign-On Outbound Proxy Requests/sec; Explicit Sign-On Outbound Session Requests/sec; Explicit Sign-On Standard RBAC Requests/sec; Explicit Sign-On Standard RBAC Sessions/sec; Inbound Proxy Requests/sec; Inbound Proxy Sessions/sec; Outbound Proxy Requests - Average Response Time; Outbound Proxy Requests/sec; Outbound Proxy Sessions/sec; PowerShell Runspaces - Activations/sec; PowerShell Runspaces - Average Active Time; PowerShell Runspaces/sec; RBAC Sessions/sec; Requests - Activations/sec; Requests - Average Response Time
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangePop3]
index=perfmon
object=MSExchangePop3
instances=_total
counters=Connections Current; Connections Failed; Connections Rejected; Connections Total; Current Unauthenticated Connections; Unauthenticated Connections/sec; Proxy Current Connections; Proxy Connections Failed; Proxy Total Connections; Active SSL Connections; SSL Connections; Invalid Commands; Invalid Commands Rate; AUTH Failures; AUTH Rate; AUTH Total; CAPA Failures; CAPA Rate; CAPA Total; DELE Failures; DELE Rate; DELE Total; LIST Failures; LIST Rate; LIST Total; NOOP Failures; NOOP Rate; NOOP Total; PASS Failures; PASS Rate; PASS Total; QUIT Failures; QUIT Rate; QUIT Total; Request Failures; Request Rate; Request Total; RETR Failures; RETR Rate; RETR Total; RSET Failures; RSET Rate; RSET Total; STAT Failures; STAT Rate; STAT Total; STLS Failures; STLS Rate; STLS Total; TOP Failures; TOP Rate; TOP Total; UIDL Failures; UIDL Rate; UIDL Total; USER Failures; USER Rate; USER Total; XPRX Failures; XPRX Rate; XPRX Total; Average Command Processing Time (milliseconds); Connections Rate; Transient Mailbox Connection Failures/minute; Mailbox Offline Errors/minute; Transient Storage Errors/minute; Permanent Storage Errors/minute; Transient Active Directory Errors/minute; Permanent Active Directory Errors/minute; Transient Errors/minute; Average RPC Latency; Average LDAP Latency
interval=30
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeImap4]
index=perfmon
object=MSExchangeImap4
instances=_total
counters=Current Connections; Connections Failed; Connections Rejected; Connections Total; Current Unauthenticated Connections; Unauthenticated Connections/sec; Proxy Current Connections; Proxy Connections Failed; Proxy Total Connections; Active SSL Connections; SSL Connections; Invalid Commands; Invalid Commands Rate; Append Failures; Append Rate; Append Total; Authenticate Failures; Authenticate Rate; Authenticate Total; Capability Failures; Capability Rate; Capability Total; Check Failures; Check Rate; Check Total; Close Failures; Close Rate; Close Total; Copy Failures; Copy Rate; Copy Total; Create Failures; Create Rate; Create Total; Delete Failures; Delete Rate; Delete Total; Examine Failures; Examine Rate; Examine Total; Expunge Failures; Expunge Rate; Expunge Total; Fetch Failures; Fetch Rate; Fetch Total; Idle Failures; Idle Rate; Idle Total; List Failures; List Rate; List Total; Login Failures; Login Rate; Login Total; Logout Failures; Logout Rate; Logout Total; LSUB Failures; LSUB Rate; LSUB Total; Namespace Failures; Namespace Rate; Namespace Total; NOOP Failures; NOOP Rate; NOOP Total; Rename Failures; Rename Rate; Rename Total; Request Failures; Request Rate; Request Total; Search Failures; Search Rate; Search Total; Select Failures; Select Rate; Select Total; STARTTLS Failures; STARTTLS Rate; STARTTLS Total; Status Failures; Status Rate; Status Total; Store Failures; Store Rate; Store Total; Subscribe Failures; Subscribe Rate; Subscribe Total; Unsubscribe Failures; Unsubscribe Rate; Unsubscribe Total; XPROXY Failures; XPROXY Rate; XPROXY Total; Average Command Processing Time (milliseconds); Connections Rate; SearchFolder Creation Rate; SearchFolder Creation Total; Folder View Reload Rate; Folder View Reload Total; Transient Mailbox Connection Failures/minute; Mailbox Offline Errors/minute; Transient Storage Errors/minute; Permanent Storage Errors/minute; Transient Active Directory Errors/minute; Permanent Active Directory Errors/minute; Transient Errors/minute; Average RPC Latency; Average LDAP Latency; Total IMAP UID Fixes; Current IMAP UID Fixes; Total IMAP UID Items Fixed
interval=30
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Availability_Service]
index=perfmon
object=MSExchange Availability Service
counters=Average Time to Process a Free Busy Request; Availability Requests (sec)
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_FDS_OAB]
index=perfmon
object=MSExchangeFDS:OAB
counters=Download Task Queued; Download Tasks Completed
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeAutodiscover]
index=perfmon
object=MSExchangeAutodiscover
counters=Requests/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeWS]
index=perfmon
object=MSExchangeWS
counters=Requests/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Web_Service]
index=perfmon
object=Web Service
counters=Current Connections; Connection Attempts/sec; ISAPI Extension Requests/sec; Other Request Methods/sec
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

####Common Stanzas - End####

###From Exchange app/add-on version 3.5.2,support for exchange server 2007 has ended.###
####Exchange Server 2007 - Start####

[perfmon://OWA_2007]
index=perfmon
object=MSExchange OWA
counters=Average Response Time; Average Search Time; Requests/sec; Current Unique Users
interval=10
disabled=true
useEnglishOnly=true

[perfmon://ActiveSync_2007]
index=perfmon
object=MSExchange ActiveSync
counters=Average Request Time; Requests/sec; Ping Commands Pending; Sync Commands/sec; Sync Commands Pending; Current Requests
interval=10
disabled=true
useEnglishOnly=true

[monitor://C:\Program Files\Microsoft\Exchange Server\Logging\RPC Client Access]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2007:RPCClientAccess
queue=parsingQueue
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v8.0 get-hoststats_2007_2010.ps1]
source=Powershell
sourcetype=MSExchange:2007:Topology
interval=300
index=msexchange
disabled=true

####Exchange Server 2007 - End####


####Exchange Server 2010 - Start####

[perfmon://OWA_2010]
index=perfmon
object=MSExchange OWA
counters=Average Response Time; Average Search Time; Requests/sec; Current Unique Users
interval=10
disabled=false
useEnglishOnly=true

[perfmon://ActiveSync_2010]
index=perfmon
object=MSExchange ActiveSync
counters=Average Request Time; Requests/sec; Ping Commands Pending; Sync Commands/sec; Sync Commands Pending; Current Requests
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Throttling_2010]
index=perfmon
object=MSExchange Throttling
instances=*
counters=Average Thread Sleep Time; Active PowerShell Runspaces; Active PowerShell Runspaces/Sec; Exchange Executing Cmdlets; Exchange Executing Cmdlets/Sec; Organization Throttling Policy Cache Hit Count; Organization Throttling Policy Cache Miss Count; Organization Throttling Policy Cache Length; Organization Throttling Policy Cache Length Percentage; Throttling Policy Cache Hit Count; Throttling Policy Cache Miss Count; Throttling Policy Cache Length; Throttling Policy Cache Length Percentage
interval=30
disabled=false
useEnglishOnly=true

[monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2010:RPCClientAccess
queue=parsingQueue
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-hoststats_2007_2010.ps1]
source=Powershell
sourcetype=MSExchange:2010:Topology
interval=300
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-throttling-policies_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:ThrottlingPolicy
interval=86400
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:AdminAudit
interval=300
index=msexchange
disabled=false

####Exchange Server 2010 - End####


####Exchange Server 2013/2016/2019 - Start####

[perfmon://MSExchange_Throttling_2013]
index=perfmon
object=MSExchange User Throttling
instances=*
counters=Unique Budgets OverBudget; Total Unique Budgets; Delayed Threads; Users At MaxConcurrency; Users Locked Out; Percentage Users Micro Delayed; Percentage Users At Maximum Delay; Number Of Users At Maximum Delay; Number Of Users Micro Delayed; Budget Usage Five Minute Window 99.9%; Budget Usage Five Minute Window 99%; Budget Usage Five Minute Window 75%; Average Budget Usage Five Minute Window; Budget Usage One Hour Window 99.9%; Budget Usage One Hour Window 99%; Budget Usage One Hour Window 75%; Average Budget Usage One Hour Window
interval=30
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Authentication]
index=perfmon
object=MSExchange Authentication
instances=_Total
counters=Outstanding Authentication Requests; Total Authentication Requests; Rejected Authentication Requests; Authentication Latency
interval=30
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_SmtpReceive]
index=perfmon
object=MSExchangeFrontEndTransport SmtpReceive
counters=Average bytes/inbound message; Inbound Messages Received/sec
instances=_total
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_SmtpSend]
index=perfmon
object=MSExchangeFrontEndTransport SmtpSend
counters=Average message bytes/message; Messages Sent/sec
instances=_total
interval=10
disabled=true
useEnglishOnly=true

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2013:RPCClientAccess
queue=parsingQueue
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-hoststats_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:Topology
interval=300
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:AdminAudit
interval=300
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-throttling-policies_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:ThrottlingPolicy
interval=86400
index=msexchange
disabled=true

####Exchange Server 2013/2016/2019 - End####

Last modified on 11 April, 2019

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.5.2, 4.0.0, 4.0.1

