Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

What data the Splunk App for Microsoft Exchange collects

The Splunk Add-ons for Microsoft Exchange, Microsoft Active Directory, and Windows DNS collect data from your Windows, Active Directory, and Exchange servers. They then send the data to an indexer, and the app uses the indexed data in its dashboards, charts, and reports. This topic discusses the specifics of the data that the app collects and displays.

The Splunk Add-ons for Microsoft Exchange collect the following data using file inputs:

  • Internet Information Server (IIS) logs for the Exchange servers whose designated roles require IIS
  • Performance monitoring data
  • Active Directory logs (via the Splunk Add-ons for Windows, Microsoft Active Directory, and Windows DNS)
  • Windows network, host, and printer monitoring information (via the Splunk Add-on for Windows)
  • Windows Event logs (via the Splunk Add-on for Windows):
    • Security Logs
    • Exchange audit logs
    • Application logs, such as Forefront Protection Services (FPS) security logs

The Splunk Add-ons for Microsoft Exchange collect the following data using scripted inputs:

  • Senderbase/reputation data. This feature needs internet access to function, as it looks up the reputation score for your email users.
  • Topology and Health information
  • Mailbox Server health and usage information

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

Where the Splunk App for Microsoft Exchange sends its data

The Splunk App for Microsoft Exchange puts the data it indexes into several indexes:

  • The Exchange, IIS, and application logs get indexed into the msexchange index.
  • The performance monitor logs get indexed into the perfmon index.

These indexes must be present on the indexer.

Last modified on 18 October, 2019

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 4.0.0, 4.0.1, 4.0.2, 4.0.3

