topic Not getting complete MSExchange management event information ingested into Splunk. in Getting Data In

Not getting complete MSExchange management event information ingested into Splunk.

abhijit_mhatre — Thu, 22 Aug 2019 14:50:05 GMT

The configuration I have written to ingest MSExchange management data isn’t ingesting all the information contained in the event.
Configuration deployed:
[WinEventLog://MSExchange Management]
index =
sourcetype =

We are receiving data in the instance but we are only getting general information associated with each event. Is there a way to get detailed information for an event into splunk?

Let me know.

Re: Not getting complete MSExchange management event information ingested into Splunk.

DavidHourani — Fri, 23 Aug 2019 03:14:37 GMT

Hi @abhijit_mhatre, what kind of details are you looking for ? Is that detail already in WinEventLog ? If so you should be able to fetch it 🙂

Re: Not getting complete MSExchange management event information ingested into Splunk.

abhijit_mhatre — Fri, 23 Aug 2019 11:20:44 GMT

Hi @davidhourani,
There are few additional details being generated on the MSexchange Server but the configuration is not ingesting all of it. It is only ingesting the general details.
Is there a way to modify the configuration and have it pick everything being generated on the server.

Re: Not getting complete MSExchange management event information ingested into Splunk.

DavidHourani — Fri, 23 Aug 2019 11:48:04 GMT

Yes ! Of course. And first before adding anything new make sure you've followed this documentation to activate your required data inputs :
https://docs.splunk.com/Documentation/MSExchange/3.5.2/Add-Ons/ConfigureTA-Exchange-IIS

Sometimes its easy to miss activating inputs so you won't get everything. Double check that and then if you don't find what you're looking for let me know and we can work on making a new input.

Re: Not getting complete MSExchange management event information ingested into Splunk.

abhijit_mhatre — Tue, 27 Aug 2019 10:13:42 GMT

Hi @davidhourani,
There is no configuration to ingest Msexchange Management logs in the TA-Exchange-IIS. I already have a configuration to ingest these logs, it is just that the complete information that can be seen in the event viewer is not getting ingested and only the general information in each event is being ingested.
Let me know if there is a way( like having a script or a configuration) to ingest the complete information present in an event and not just the general information.