Install the Splunk App for Microsoft Exchange on the search head
Complete setup
If you have followed the instructions in this manual, then by completing the procedures in this topic, you complete the setup phase for the Splunk App for Microsoft Exchange.
The final tasks for setup are:
- Install the Splunk Add-on for Windows on the search head.
- Install the Splunk Supporting Add-on for Active Directory on the search head.
- Install the Splunk Add-ons for Microsoft Active Directory and Windows DNS on the search head.
- Install the Splunk App for Microsoft Exchange on the search head.
If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.
Where is the search head?
In this manual, the search head is the indexer on which you set up the basic infrastructure for the app. Any Splunk Enterprise instance can act as a search head when it holds indexed data.
In this procedure, you install all of these components on this host. To install the app onto a cluster of search heads, see Install the Splunk App for Microsoft Exchange on a search head cluster.
When you scale the Splunk App for Microsoft Exchange, the search head is on a separate host from the indexer. See Size a Splunk App for Microsoft Exchange deployment.
Install the Splunk Add-on for Windows on the search head
As part of getting Windows data into the instance, you should have already installed the Splunk Add-on for Windows. If you have not downloaded and installed this add-on yet, see the following topic to configure the add-on. Then, proceed with activating the add-on on the search head.
Activate the Splunk Add-on for Windows
- Copy the add-on from either the location where you saved the download or the deployment apps directory to the Splunk apps directory:
> Copy-Item -Path "C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows" -Destination "C:\Program Files\Splunk\etc\apps" -Recurse -Force
Install the Splunk Add-ons for Microsoft Active Directory and Windows DNS on the search head
As part of the installation procedure, you should have already downloaded the Splunk Add-ons for Microsoft Active Directory and Windows DNS. If you have not downloaded and installed these add-ons yet, see the following topics to configure the add-ons. Then, proceed with activating the add-ons on the search head.
- Download and configure the Splunk Add-on for Microsoft Active Directory
- Download and configure the Splunk Add-on for Windows DNS
Activate the Splunk Add-ons for Microsoft Active Directory and Windows DNS
- Copy the Splunk Add-on for Microsoft Active Directory from the deployment apps directory to the apps directory.
> Copy-Item -Path "C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_Microsoft_AD" -Destination "C:\Program Files\Splunk\etc\apps" -Recurse -Force
- Copy the Splunk Add-on for Windows DNS from the deployment apps directory to the apps directory.
> Copy-Item -Path "C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_Microsoft_DNS" -Destination "C:\Program Files\Splunk\etc\apps" -Recurse -Force
Disable inputs on the Splunk Add-ons for Microsoft Active Directory and Windows DNS to prevent data duplication
- In the %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD directory on the search head, create a local directory.
- Copy inputs.conf from %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD\default to %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD\local.
- Edit %SPLUNK_HOME%\etc\apps\Splunk_TA_Microsoft_AD\local\inputs.conf.
- In each stanza within the file, set the disabled attribute to true.
- Save the file and close it.
- Repeat these steps for the Splunk Add-on for Windows DNS, using Splunk_TA_Microsoft_DNS as the add-on name.
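The steps above as a PowerShell function, added here as an example; it is not part of Splunk's documentation or tooling. The function name Disable-SplunkAddonInputs and the fallback install path are assumptions. It writes disabled = true directly under every stanza header and drops the stanza's original disabled line.

```powershell
# Added example (not Splunk tooling). -SplunkHome defaults to %SPLUNK_HOME%, or to the
# install path used in the Copy-Item commands on this page when that variable is unset.
function Disable-SplunkAddonInputs {
    param(
        [Parameter(Mandatory)] [string] $AddonName,
        [string] $SplunkHome = $env:SPLUNK_HOME
    )
    if (-not $SplunkHome) { $SplunkHome = 'C:\Program Files\Splunk' }

    $appDir      = Join-Path $SplunkHome "etc\apps\$AddonName"
    $defaultConf = Join-Path $appDir 'default\inputs.conf'
    $localDir    = Join-Path $appDir 'local'
    $localConf   = Join-Path $localDir 'inputs.conf'

    if (-not (Test-Path -LiteralPath $defaultConf)) { throw "Not found: $defaultConf" }
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null

    # Do not silently discard an existing local override; keep a copy beside it.
    if (Test-Path -LiteralPath $localConf) {
        Copy-Item -LiteralPath $localConf -Destination "$localConf.bak" -Force
    }

    $stanzas = 0
    $lines = foreach ($line in [System.IO.File]::ReadAllLines($defaultConf)) {
        if ($line -match '^\s*\[.+\]\s*$') {
            # Stanza header: emit it, then the disabled flag directly beneath it.
            $stanzas++
            $line
            'disabled = true'
        } elseif ($line -notmatch '^\s*disabled\s*=') {
            # Keep everything except the stanza's original disabled setting.
            $line
        }
    }

    # WriteAllLines emits UTF-8 without a byte-order mark.
    [System.IO.File]::WriteAllLines($localConf, [string[]]@($lines))
    [pscustomobject]@{ Addon = $AddonName; Stanzas = $stanzas; Path = $localConf }
}

# Apply to both add-ons named in the steps above.
'Splunk_TA_Microsoft_AD', 'Splunk_TA_Microsoft_DNS' |
    ForEach-Object { Disable-SplunkAddonInputs -AddonName $_ }
```

Afterwards, `splunk btool inputs list --debug` shows which file each effective setting comes from, so you can confirm that the values in local take precedence.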
Install the Splunk Supporting Add-on for Active Directory on the search head
- In a web browser, proceed to the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) download page.
- Click the download link to begin the download process. You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip or tar to unarchive the file to the Splunk apps directory.
Install the Splunk App for Microsoft Exchange on the search head
- In a web browser, proceed to the Splunk App for Microsoft Exchange download page.
- Click the download link to begin the download process. You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip or tar to unarchive the file to the Splunk apps directory.
- Restart Splunk Enterprise.
- Restart all universal forwarders.
- On the Splunk App for Microsoft Exchange search head, log back in to Splunk Enterprise.
Add the exchange_admin role to the user that will run the app on the deployer
The exchange_admin role is required to run the first-time setup on the search head cluster deployer instance.
- Log into Splunk Enterprise on the deployer.
- Navigate to Settings > Access controls and click on Roles.
- Under Role name, select the admin role.
- Navigate to the Inheritance section and select the exchange_admin role to move it from Selected roles to Available roles.
- Click Save.
Note: If you do not see the exchange_admin role in the list, make sure that you have installed the application, as described in "Install the Splunk App for Microsoft Exchange on the deployer".
Next Step
You have completed setup of the Splunk App for Microsoft Exchange.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 4.0.4