Splunk® App for Microsoft Exchange

Deploy and Use the Splunk Add-ons for Microsoft Exchange


On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of MSExchange.

About the Splunk Add-on for Microsoft Exchange

The Splunk Add-ons for Microsoft Exchange let you collect Exchange data from the hosts in your Exchange Server environment. The add-ons were designed to work with the Splunk App for Microsoft Exchange, but are now available as a separate download from Splunkbase. You can use them with the app, or to provide knowledge objects for Splunk Enterprise dashboards that you design yourself.

Get the add-ons

The Splunk Add-ons for Microsoft Exchange are available on Splunkbase.

Install the add-ons

The add-ons require configuration before they can be used. Each add-on must be configured for the version of Exchange Server or Windows Server (for TA-Windows-Exchange-IIS) that you run in your Exchange Server environment. See the "Configure" topics in the chapter for each add-on for installation instructions.

See Where to install Splunk add-ons and Install an add-on in a distributed Splunk Enterprise deployment in the Add-ons Overview manual for more information about deploying the Splunk Add-on for Microsoft Exchange.

Prerequisites

  • Ensure that the SplunkForwarder service is running as a local system account.
  • Download the Splunk Add-on for Microsoft Exchange Indexes from Splunkbase for required index definitions to store the data.

Here's how to run the SplunkForwarder service as a local system account:

  1. Navigate to Services.
  2. Right-click SplunkForwarder Service.
  3. Click Properties.
  4. Navigate to the Log On tab.
  5. Select Local System Account.
  6. Click Apply.
  7. Restart the SplunkForwarder service.
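
The same check and change can be scripted when there are many Exchange hosts to prepare. The following PowerShell is an added example, not part of the original Splunk documentation; it assumes the Windows service name is `SplunkForwarder` (taken from the wording above) and that it runs in an elevated session on the forwarder host.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Services console steps above.
# Assumption: the service name is 'SplunkForwarder'; override with -ServiceName if yours differs.
param(
    [string]$ServiceName = 'SplunkForwarder'
)

# Names under which Windows reports the Local System account for a service.
$localSystemNames = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

function Get-ServiceLogonAccount {
    param([string]$Name)
    # Win32_Service.StartName holds the account shown on the Log On tab.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        throw "Service '$Name' was not found on $env:COMPUTERNAME."
    }
    return $svc.StartName
}

$current = Get-ServiceLogonAccount -Name $ServiceName
Write-Output "Logon account for ${ServiceName} before change: $current"

if ($current -notin $localSystemNames) {
    # Steps 4-6: set the logon account to Local System.
    # sc.exe requires the space after 'obj='.
    sc.exe config $ServiceName obj= LocalSystem | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE."
    }

    # Step 7: restart the service so it runs under the new account.
    Restart-Service -Name $ServiceName -Force

    # Re-read the setting instead of trusting the exit code alone.
    $current = Get-ServiceLogonAccount -Name $ServiceName
    if ($current -notin $localSystemNames) {
        throw "${ServiceName} still logs on as '$current'."
    }
    Write-Output "${ServiceName} now logs on as $current."
}
else {
    Write-Output "${ServiceName} already runs as Local System; no change made."
}
```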

Add-on package contents

The Splunk Add-ons for Microsoft Exchange come in a bundle and include the following:

TA-Exchange-ClientAccess

This add-on collects Exchange data from Exchange Server hosts that hold the Client Access Server role. It has support for Exchange Server 2010, 2013, 2016, and 2019. See Overview of TA-Exchange-ClientAccess.

TA-Exchange-Mailbox

This add-on collects Exchange data from Exchange Server hosts that hold the Mailbox Store/Mailbox Server roles. It has support for Exchange Server 2010, 2013, 2016, and 2019. See Overview of TA-Exchange-Mailbox.

TA-Exchange-HubTransport

This add-on collects Exchange data from Exchange Server hosts that hold the Hub Transport role. It has support for Exchange Server 2010. Exchange Server versions 2013, 2016 and 2019 do not have this role. See Overview of TA-HubTransport.

TA-Windows-Exchange-IIS

This add-on collects Internet Information Server (IIS) data from Exchange Server hosts that hold the Client Access Server role. It has support for Windows Server 2008 R2, 2012 R2, 2016, and 2019, and must be configured for the version of Windows Server that the Exchange Client Access Server hosts run. See Overview of TA-Windows-Exchange-IIS.

Splunk Add-on for Microsoft Exchange Component Installation Locations

The table below lists what components to install and where to install them:

Add-on Indexer Universal Forwarder Heavy Forwarder
TA-Exchange-ClientAccess X
TA-Exchange-HubTransport X
TA-Exchange-Mailbox X
TA-Windows-Exchange-IIS X
TA-SMTP-Reputation X
Splunk Add-on for Microsoft Exchange Indexes X

If you run into performance issues, see Troubleshoot Splunk App for Microsoft Exchange performance issues.

Last modified on 07 October, 2021

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.5.2, 4.0.0, 4.0.2, 4.0.3

