The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server and Windows Server that you run.
Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an
inputs.conf file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.
To get a reputation for a particular VM then the user has to add VM IP in
Download and unpack the TA-Exchange-SMTP-Reputation add-on
- Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
- Unpack the add-on bundle to an accessible location.
Create and edit
- Open a PowerShell window, command prompt, or Explorer window.
- Create a local directory within the
- Copy inputs.conf from the
TA-SMTP-Reputation\defaultdirectory to the
- Use a text editor such as Notepad to open the
TA-SMTP-Reputation\local\inputs.conffile for editing.
- Modify the
inputs.conffile so that the common data inputs that you run are enabled. Do this by changing
disabled = true to disabled = false for all input stanzas<c/ode>. See the example
inputs.conflater in this topic.
- After you update the
inputs.conf file, save it and close it.
Distribute the add-ons
If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.
- Copy the TA-SMTP-Reputation add-on to the
%SPLUNK_HOME%\etc\deployment-appsdirectory on the deployment server.
- Push the add-on to all hosts in this server class.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.5.2, 4.0.0, 4.0.1