Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.

Deploy the Splunk Add-on for Microsoft Exchange

Which Exchange add-ons go where?

As with the other components of the Splunk App for Microsoft Exchange, you must add the Splunk Add-ons for Microsoft Exchange to the deployment server before you can deploy them to deployment clients.

The process for this set of add-ons is more complex than with the Windows, AD, and DNS add-ons because there are more of them. But the theory is the same. Some Windows hosts are Exchange Servers and some are not. Exchange Servers can hold one or more Exchange Server roles and must receive the correct TAs for the roles they hold.

The execution is also the same - you must create a server class for each Exchange server role to account for all possible combinations. While this might seem daunting at first, once you create the server classes, you can add any new Exchange Server deployment clients to the right server class based on the role that they play in your Exchange environment.

Take a moment to review the available add-ons for Exchange, and the versions of Windows Server and roles of Exchange Server they should be installed on:

| Add-on | Description |
| --- | --- |
| TA-Exchange-ClientAccess | For servers that hold the Client Access Server role |
| TA-Exchange-HubTransport | For servers that hold the Hub Transport server role |
| TA-Exchange-MailboxStore | For servers that hold the Mailbox Server role |
| TA-Windows-Exchange-IIS | For hosts that run the Exchange Client Access Server role |
| TA-SMTP-Reputation | E-mail sender reputation; requires a server that has an outbound connection to the Internet |

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

Place the add-ons in the deployment apps directory on the deployment server

Before thinking about server classes, put the new add-ons onto the deployment server:

  1. Download the Splunk Add-ons for Microsoft Exchange from Splunkbase.
  2. Open a command prompt on the deployment server/indexer.
  3. Copy the Splunk Add-ons for Microsoft Exchange folders from their current location to the deployment apps directory.
    > Copy-Item -Path C:\Downloads\TA-Exchange* -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse -Force
    > Copy-Item -Path C:\Downloads\splunk_app_microsoft_exchange\appserver\addons\TA-Windows* -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse -Force
  4. Tell the deployment server to reload its deployment configuration.
    > cd "\Program Files\Splunk\bin"
    > .\splunk reload deploy-server
  5. From a web browser, log into Splunk Enterprise on the deployment server.
  6. In the system bar, select Settings > Forwarder Management.
  7. Click the Apps tab. You should see the TA-Exchange* and TA-Windows* add-ons in the list of apps.

Define new server classes for each Exchange server version and role

Define a new server class for each Exchange Server role. Then, assign the server classes to deployment clients that host the Exchange Server role(s) that the server classes describe.

You must define up to four server classes, depending on the Exchange Server role that each host holds:

| Server Class Name | Add-ons to add to the server class |
| --- | --- |
| Exchange Server - Client Access | TA-Exchange-ClientAccess |
| Exchange Server - Hub Transport | TA-Exchange-HubTransport |
| Exchange Server - Mailbox Store | TA-Exchange-Mailbox |
| SMTP Reputation | TA-SMTP-Reputation |

  1. Log back into the deployment server.
  2. From the system bar, select Settings > Forwarder Management.
  3. Click the Server classes tab.
  4. Click New Server Class.
  5. Enter the Server Class name from the "Server Class Name" column in the table above.
  6. Click Save. Splunk Enterprise loads the information page for the server class you just created. The page says that you have not added any apps or clients yet. This is okay, as you have just created the class.
  7. Click Add apps. Splunk Enterprise loads the "Edit Apps" page.
  8. Locate the add-on(s) in the "Add-ons to add to the server class" column of the table above.
  9. Click each of the add-ons in the "Unselected Apps" pane on the left. The add-on moves to the "Selected Apps" pane on the right.
  10. Click Save. Splunk Enterprise saves the configuration and returns you to the server class information page.

Repeat these steps for the remaining server classes in the table.

Add Exchange Server clients to the server class

If you have not yet installed a universal forwarder on the Exchange Server hosts, do so now. See Install a universal forwarder on each Windows host. Then continue with the following steps.

  1. Note the Exchange role(s) that a deployment client holds.
    • For example, if the host holds the Client Access Server role, then it needs to be added to the "Exchange Server - Client Access" server class.
    • If it also holds the Hub Transport role, then it also needs to be added to the "Exchange Server - Hub Transport" server class.
    • You might want to build a list of all your Exchange servers and the Exchange roles that the servers hold to make this process easier.
  2. Log back into the deployment server.
  3. From the system bar, select Settings > Forwarder Management.
  4. Click the Server Classes tab.
  5. Select a server class from the list you created by clicking Edit in the Actions column for the class.
  6. In the menu that pops up, click Edit clients. Splunk Enterprise loads the "Edit clients" page.
  7. In the "Include (whitelist)" field, enter the name(s) of all hosts whose properties match the server class you are editing.
    • For example, if you are editing the "Exchange Server - Client Access" server class, enter the names of hosts that hold the Client Access Server role.
    • You can separate multiple hosts with a comma.
    • You can also use wildcards to specify multiple hosts.
  8. Click Preview. Splunk Enterprise updates the host list at the bottom and places check marks on the host(s) that match what you entered in the "Include (whitelist)" field.
  9. Click Save. Splunk Enterprise adds the host(s) to the server class and deploys the add-ons associated with the class to the deployment clients.
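
The role list from step 1 can be turned into the comma-separated entries for the "Include (whitelist)" field mechanically, which also surfaces hosts that would otherwise receive no Exchange add-on. The PowerShell below is an added example, not part of the Splunk documentation; the host names, the CSV layout and the UnifiedMessaging entry are constructed sample data, and the server class names are those from the table on this page.

```powershell
# Constructed sample inventory (hypothetical host names). Replace it with your
# own record of which Exchange host holds which role(s); roles are ';'-separated.
$inventory = @'
Name,Roles
EXCH-CAS01,ClientAccess
EXCH-HUB01,HubTransport
EXCH-MBX01,Mailbox
EXCH-ALL01,ClientAccess;HubTransport;Mailbox
EXCH-UM01,UnifiedMessaging
'@ | ConvertFrom-Csv

# Role -> server class name, as listed in the server class table on this page.
$classForRole = @{
    ClientAccess = 'Exchange Server - Client Access'
    HubTransport = 'Exchange Server - Hub Transport'
    Mailbox      = 'Exchange Server - Mailbox Store'
}

$whitelist = @{}   # server class name -> hosts to include
$unmapped  = @()   # host/role pairs with no matching server class

foreach ($server in $inventory) {
    foreach ($role in ($server.Roles -split ';')) {
        $class = $classForRole[$role]
        if ($class) {
            if (-not $whitelist.ContainsKey($class)) { $whitelist[$class] = @() }
            $whitelist[$class] += $server.Name
        } else {
            # This role is not covered by any server class in the table, so the
            # host would get no Exchange add-on for it and send no data for it.
            $unmapped += "$($server.Name) ($role)"
        }
    }
}

# One line per server class; the host list can be pasted into "Include (whitelist)".
foreach ($class in ($whitelist.Keys | Sort-Object)) {
    '{0}: {1}' -f $class, (($whitelist[$class] | Sort-Object -Unique) -join ',')
}

if ($unmapped) {
    Write-Warning ('No server class for: ' + ($unmapped -join ', '))
}
```

A host that holds several roles appears under every matching server class, which is what the procedure above requires.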

Add the Exchange deployment clients to the "universal forwarder" server class

In the same way that you added the Exchange Server deployment clients to the Exchange Server classes to deploy the Exchange add-ons, you must also add the client to the "universal forwarder" server class. This does two things:

  • Deploys the Splunk Add-on for Windows to the clients, which enables the client to collect Windows data from the Exchange server.
  • Deploys the "send to indexer" app to the clients, which enables the client to forward Windows and Exchange data to the indexer.

To add the Exchange client to the "universal forwarder" server class, follow the instructions at "Add the universal forwarder to the server class."

Next Step

You have now deployed the Exchange add-ons onto your Exchange Server deployment clients. In the future, you can use this procedure to deploy the add-on(s) to additional client(s). Next, you will confirm that Exchange data is coming into the indexer from the deployment client.

Confirm and troubleshoot Exchange data collection

Last modified on 06 October, 2021

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 4.0.4
