https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179829#M36070 <P>I´m using Splunk 6.1.1. Universal Forwarder 6.1.1 and Exchange T.A 2.1.2</P> <P>Regards,<BR /> Caroline Fortunato</P> Wed, 28 May 2014 12:35:57 GMT caroline_fortun 2014-05-28T12:35:57Z https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179827#M36068 <P>Hello,</P> <P>I installed splunk universal forwarder and the Exchange2010-Mailbox app to collect Exchange Auditing data.<BR /> I noticed that every time Splunk executes the exchange script it´s getting the data over and over again. The data is being duplicated.</P> <P>Is there anything I did wrong? I just installed Universal Forwarder and copied the Exchange add on folder inside splunk app folder.</P> <P>Regards,<BR /> Caroline Fortunato</P> Tue, 27 May 2014 20:44:24 GMT https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179827#M36068 caroline_fortun 2014-05-27T20:44:24Z https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179828#M36069 <P>Unfortunately, you don't say what version you have installed and how it was installed. The latest version should not do this. Prior versions had this bug.</P> Tue, 27 May 2014 20:46:20 GMT https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179828#M36069 ahall_splunk 2014-05-27T20:46:20Z https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179829#M36070 <P>I´m using Splunk 6.1.1. Universal Forwarder 6.1.1 and Exchange T.A 2.1.2</P> <P>Regards,<BR /> Caroline Fortunato</P> Wed, 28 May 2014 12:35:57 GMT https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179829#M36070 caroline_fortun 2014-05-28T12:35:57Z https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179830#M36071 <P>What version of Exchange (including Service Pack) and what version of Windows is it running on? How are you running the Universal Forwarder? (Domain User or System Local)</P> <P>Are there are logs in index=_internal sourec=*splunkd.log that pertain to the data input?</P> Wed, 28 May 2014 14:20:20 GMT https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179830#M36071 ahall_splunk 2014-05-28T14:20:20Z https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179831#M36072 <P>It´s an Exchange Server 2010 SP3 installed on a Windows Server 2008 R2.<BR /> The universal forwarder is running with System Local account.</P> <P>I have logs like bellow at the source splunkd.log. There is nothing mentioning MailboxAudit.</P> <P>"05-28-2014 15:19:52.474 -0300 WARN DateParserVerbose - Accepted time (Thu May 22 18:22:34 2014) is suspiciously far away from the previous event's time (Fri May 23 16:09:35 2014), but still accepted because it was extracted by the same pattern. Context: source::Powershell|host::maillab|MSExchange:2010:AdminAudit|274"</P> <P>Regards,<BR /> Caroline Fortunato</P> Wed, 28 May 2014 18:36:21 GMT https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179831#M36072 caroline_fortun 2014-05-28T18:36:21Z https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179832#M36073 <P>That message is fairly normal in a stable system that doesn't see a lot of activity. However, I'm no closer to understanding why mailbox audit is duplicating events. I'll try to set up a repro.</P> <P>In the meantime, I suggest disabling the mailbox audit data input.</P> Wed, 28 May 2014 18:39:53 GMT https://community.splunk.com/t5/Getting-Data-In/Exchange-Add-On-Duplicated-Logs/m-p/179832#M36073 ahall_splunk 2014-05-28T18:39:53Z