Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of the Splunk App for Microsoft Exchange; consult the documentation for the latest version.

Download and configure the Splunk Add-on for Windows

In this part of the setup process, you get Windows data into the Exchange App environment by installing the Splunk Add-on for Windows.

About the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Microsoft Exchange, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to the following components of a Splunk App for Microsoft Exchange environment:

  • All hosts that run Exchange Server.
  • All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.
  • Basically, everywhere.

If you use TA-Windows (the Splunk Add-on for Windows) version 6.0.0 or later, you do not need TA_AD and TA_DNS: both were merged into TA-Windows in version 6.0.0.

Download the Splunk Add-on for Windows

You can download the Splunk Add-on for Windows from Splunkbase.

  1. In a web browser, proceed to the Splunk Add-on for Windows download page.
  2. Click the download link to begin the download process. You might need to sign in with your Splunk account before the download starts.
  3. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  4. Use an archive utility such as WinZip to unarchive the file to an accessible location.

Configure the Splunk Add-on for Windows

Before the add-on can collect Windows data, you must configure it.

  1. In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
  2. Inside this directory, make a subdirectory local.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
    • From version 5.0.1 onwards, the Splunk Add-on for Windows collects performance data in multikv mode by default. Multikv events have a different format from single-mode events, and the Exchange app supports single mode only, so set mode = single in every perfmon stanza in /Splunk_TA_Windows/local/inputs.conf on the forwarder:
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = Processor
    useEnglishOnly=true
    
    ## Logical Disk
    [perfmon://LogicalDisk]
    counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = LogicalDisk
    useEnglishOnly=true
    
    ## Physical Disk
    [perfmon://PhysicalDisk]
    counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = PhysicalDisk
    useEnglishOnly=true
    
    ## Memory
    [perfmon://Memory]
    counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
    disabled = 1
    interval = 10
    mode = single
    object = Memory
    useEnglishOnly=true
    
    ## Network
    [perfmon://Network]
    counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size 
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = Network Interface
    useEnglishOnly=true
    
    ## Process
    [perfmon://Process]
    counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = Process
    useEnglishOnly=true
    
    ## Processor Information
    [perfmon://ProcessorInformation]
    counters = % Processor Time; Processor Frequency
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = Processor Information
    useEnglishOnly=true
    
    ## System
    [perfmon://System]
    counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = System
    useEnglishOnly=true
    

    Note: If you skip this step, Windows perfmon data is not shown in the app dashboards.

    • From version 5.0.1 onwards, the Splunk Add-on for Windows no longer ships index definitions, so you have two options: use the add-on's default Windows indexes listed in the table below, or create your own custom indexes. For the former, add an index parameter with the value shown in the table to each stanza in /Splunk_TA_Windows/local/inputs.conf on the forwarder.

    Index         Macro               Input stanzas
    wineventlog   wineventlog-index   [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System], [WinEventLog://ForwardedEvents]
    windows       windows-index       [monitor://$WINDIR\System32\DHCP], [monitor://$WINDIR\WindowsUpdate.log], [script://.\bin\win_listening_ports.bat], [script://.\bin\win_installed_apps.bat], [script://.\bin\win_timesync_status.bat], [script://.\bin\win_timesync_configuration.bat], [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles], [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port], [WinNetMon://inbound], [WinNetMon://outbound]
    perfmon       perfmon-index       [perfmon://CPU], [perfmon://LogicalDisk], [perfmon://PhysicalDisk], [perfmon://Memory], [perfmon://Network], [perfmon://Process], [perfmon://ProcessorInformation], [perfmon://System]
    windows       windows-index       [admon://default], [WinRegMon://default], [WinRegMon://hkcu_run], [WinRegMon://hklm_run]
    • Here are a few example input stanzas; configure the others the same way.
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    disabled = 1
    instances = *
    interval = 10
    mode = single
    object = Processor
    useEnglishOnly=true
    index = perfmon
    
    [WinEventLog://Application]
    disabled = 1
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    renderXml=false
    index = wineventlog
    
    [WinPrintMon://port]
    type = port
    interval = 600
    baseline = 1
    disabled = 1
    index = windows
    
  5. Enable the Windows inputs you want to get data for. Do this by changing the value of the disabled attribute in each input stanza from 1 to 0.
  6. At a minimum, enable the following sets of inputs:

    Input                                                                                          Supported page(s)
    [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System]                  POP3/IMAP4 access from Exchange Client Access Servers; Event Monitoring
    [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime]   Performance Monitoring
    Network Monitoring inputs                                                                      Network Monitoring
    Print Monitoring inputs                                                                        Print Monitoring
    Host Monitoring inputs                                                                         Host Monitoring
  7. Save the inputs.conf file in the local subdirectory.

How to change the configuration files to handle custom indexes

To use custom indexes, update the following configuration files.

Update inputs.conf

  1. Copy the inputs.conf file from the default subdirectory /Splunk_TA_Windows/default/ to the local subdirectory /Splunk_TA_Windows/local/ on the forwarder.
  2. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
  3. If you use <<CUSTOM INDEX>> instead of the TA_windows default indexes, add index = <<CUSTOM INDEX>> under each stanza listed in the input stanza table above (in "Configure the Splunk Add-on for Windows"), in place of the TA_windows default index shown there.

Here are a few example input stanzas; configure the others the same way.

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 1
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = <<CUSTOM INDEX>>

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = <<CUSTOM INDEX>>

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index = <<CUSTOM INDEX>>

Update macros.conf

  1. Copy the macros.conf file from the default subdirectory /splunk_app_microsoft_exchange/default/ to the local subdirectory /splunk_app_microsoft_exchange/local/ on the search head.
  2. Open the macros.conf in the local subdirectory with a text editor, such as Notepad.
  3. If you use <<CUSTOM INDEX>> instead of the TA_windows default indexes, update the following macro definitions as shown in Table A. Each macro keeps the default index and adds the custom one, so data in either index is searched.

Table A

Default Index   Custom Index          Updated Macro
perfmon         <<CUSTOM INDEX 1>>    [perfmon-index]      definition = index=perfmon OR index=<<CUSTOM INDEX 1>>
wineventlog     <<CUSTOM INDEX 2>>    [wineventlog-index]  definition = index=wineventlog OR index=<<CUSTOM INDEX 2>>
windows         <<CUSTOM INDEX 3>>    [windows-index]      definition = index=windows OR index=<<CUSTOM INDEX 3>>

Update authorize.conf

  1. Copy the authorize.conf file from the default subdirectory /splunk_app_microsoft_exchange/default/ to the local subdirectory /splunk_app_microsoft_exchange/local/ on the search head.
  2. Open the authorize.conf in the local subdirectory with a text editor, such as Notepad.
  3. Add the custom index(es) to the srchIndexesDefault parameter of the role_exchange-admin stanza, as shown below.
[role_exchange-admin]
srchIndexesDefault = msad;msexchange;windows;perfmon;wineventlog;<<CUSTOM INDEX 1>>;<<CUSTOM INDEX 2>>;<<CUSTOM INDEX 3>>;

Note: If the inputs specify neither a custom index nor the TA_windows default indexes, all data is stored in the main index.

To use the main index, update the following configuration files.

Update macros.conf

  1. Add the main index to the definition of the following macro stanzas:

Default Index   Main Index   Updated Macro
perfmon         main         [perfmon-index]      definition = index=perfmon OR index=main
wineventlog     main         [wineventlog-index]  definition = index=wineventlog OR index=main
windows         main         [windows-index]      definition = index=windows OR index=main

Update authorize.conf

  1. Add main (the default index) to srchIndexesDefault in authorize.conf, as shown below.
[role_exchange-admin]
srchIndexesDefault = msad;msexchange;windows;perfmon;wineventlog;main

Note: If you skip this step, the Splunk platform has no index configuration matching the incoming data, which can result in data loss.
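The two procedures above (setting mode = single and an index on every input, then wiring any custom index through macros.conf and authorize.conf) are easy to get half right: one perfmon stanza left in multikv mode, or a custom index named in inputs.conf but not in the matching *-index macro or in srchIndexesDefault, gives empty dashboards with no error. The following Python script is an added example, not part of the Splunk documentation or of the add-on. It parses the three .conf files as text and reports such mismatches. The sample .conf text, the custom index name exch_perfmon, and all function names are constructed for the example; the stanza-to-macro mapping in macro_for() follows the default-index table in the configuration steps above.

```python
"""Consistency check for the Windows add-on configuration the Exchange app depends on.

Added example, not code from the Splunk documentation or the add-on. It parses
Splunk-style .conf text and checks what the procedure above requires: (1) every
enabled perfmon:// stanza uses mode = single; (2) every enabled input carries an
index; (3) each index an input writes to is named in the matching *-index macro and
in role_exchange-admin's srchIndexesDefault. The .conf text below is constructed.
"""
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; pre-stanza keys go to 'default'."""
    stanzas, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:  # both 'mode = single' and 'useEnglishOnly=true' parse
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas  # note: backslash line continuations are not handled

def enabled_inputs(inputs):
    """(stanza, attrs) for input stanzas that actually ship data (disabled = 0 or absent)."""
    return [(n, a) for n, a in inputs.items()
            if n != "default" and a.get("disabled", "0").lower() not in ("1", "true")]

def check_inputs(inputs):
    """Requirements 1 and 2 against the forwarder's local inputs.conf."""
    problems = []
    for name, attrs in enabled_inputs(inputs):
        # From 5.0.1 the add-on's default/inputs.conf sets multikv, so an omitted mode is NOT single.
        if name.startswith("perfmon://") and attrs.get("mode") != "single":
            problems.append(f"{name}: mode must be 'single' for the Exchange app "
                            f"(found {attrs.get('mode', 'none, so multikv from default/')})")
        if not attrs.get("index"):
            problems.append(f"{name}: no index set; events would land in main")
    return problems

def macro_for(stanza):
    """Macro the Exchange app searches for a stanza, following the add-on's default-index table."""
    if stanza.startswith("WinEventLog://"):
        return "wineventlog-index"
    if stanza.startswith("perfmon://"):
        return "perfmon-index"
    return "windows-index"  # monitor, script, WinHostMon, WinPrintMon, WinNetMon, admon, WinRegMon

def role_indexes(authorize):
    """Indexes role_exchange-admin searches by default; a trailing ';' is tolerated."""
    raw = authorize.get("role_exchange-admin", {}).get("srchIndexesDefault", "")
    return {p.strip() for p in raw.split(";") if p.strip()}

def check_search_side(inputs, macros, authorize):
    """Requirement 3: every written index must be reachable from the search head."""
    problems, searchable = [], role_indexes(authorize)
    for name, attrs in enabled_inputs(inputs):
        index = attrs.get("index")
        if not index:
            continue  # already reported by check_inputs
        macro = macro_for(name)
        definition = macros.get(macro, {}).get("definition", "")
        if index not in re.findall(r'index="?([^\s"]+)', definition):
            problems.append(f"{name}: index '{index}' is not in the [{macro}] definition")
        if index not in searchable:
            problems.append(f"{name}: index '{index}' is missing from role_exchange-admin srchIndexesDefault")
    return problems

# Constructed sample: custom index exch_perfmon beside the add-on's default indexes.
# perfmon://Memory omits mode (a real error); WinPrintMon://port is disabled and therefore skipped.
SAMPLE_INPUTS = """[perfmon://CPU]
disabled = 0
mode = single
useEnglishOnly=true
index = exch_perfmon
[perfmon://Memory]
disabled = 0
index = perfmon
[WinEventLog://Application]
disabled = 0
index = wineventlog
[WinPrintMon://port]
disabled = 1
"""
SAMPLE_MACROS = """[perfmon-index]
definition = index=perfmon OR index=exch_perfmon
[wineventlog-index]
definition = index=wineventlog
[windows-index]
definition = index=windows
"""
# authorize.conf was never updated for the custom index; requirement 3 catches that.
SAMPLE_AUTHORIZE = """[role_exchange-admin]
srchIndexesDefault = msad;msexchange;windows;perfmon;wineventlog;
"""

def run_checks(inputs_text=SAMPLE_INPUTS, macros_text=SAMPLE_MACROS, authorize_text=SAMPLE_AUTHORIZE):
    """All problems found; an empty list means the three files agree."""
    inputs = parse_conf(inputs_text)
    return check_inputs(inputs) + check_search_side(inputs, parse_conf(macros_text), parse_conf(authorize_text))
```

To check a real deployment, read Splunk_TA_Windows/local/inputs.conf from the forwarder and splunk_app_microsoft_exchange/local/macros.conf and authorize.conf from the search head, pass their contents to run_checks(), and print the returned list; run it before pushing the add-on from the deployment server. On the constructed sample it reports two problems: perfmon://Memory is still in multikv mode, and exch_perfmon is written by perfmon://CPU but absent from srchIndexesDefault.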

Next Step

You have downloaded and configured the Splunk Add-on for Windows. Next, you will deploy it to the deployment clients. After they receive the add-on, they use the configuration in the "send to indexer" app to send Windows data to the indexer.

Deploy the Splunk Add-on for Windows

Last modified on 01 September, 2020
This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 4.0.0, 4.0.1, 4.0.2, 4.0.3
