Hi All,
Been working at getting the Exchange app installed and having issues with this one, TA-Exchange-Mailbox, and Exchange Server 2010.
http://docs.splunk.com/Documentation/MSExchange/3.4.2/Add-Ons/TA-Mailboxinputs
All the PowerShell scripts that it tries to run return this error with no more information or reasons.
The scripts can be run manually by a logged-in user and they produce data just fine. The only thing that I think it could be is that the PowerShell scripts can't be run when the Universal Forwarder is configured to run as Local System Account.
Thoughts?
The manual makes no reference to this requirement and all the other TAs' PowerShell scripts run OK.
A colleague suggested I tweak the TA-Exchange-Mailbox/bin/exchangepowershell.cmd file to include -ExecutionPolicy Bypass and data started flowing.
@ECHO OFF
SET SplunkApp=TA-Exchange-Mailbox
IF %1 EQU v8.0 ( GOTO ExchangeVersion2007
) ELSE ( GOTO ExchangeVersionOth)
:ExchangeVersion2007
FOR /F "tokens=2* delims= " %%A IN ('REG QUERY "HKLM\Software\Microsoft\Exchange\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\Bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof
:ExchangeVersionOth
FOR /F "tokens=2* delims= " %%A IN ('REG QUERY "HKLM\Software\Microsoft\ExchangeServer\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof
We suspect it is due to the local PowerShell script execution policy, but since I don't have access to the server directly this is a quick fix.
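One way to check the execution-policy suspicion from the answer above, as an added example that is not part of the original post or the TA's own code: it lists the policy at every scope and reports, for each script in the TA's bin\powershell folder, its signature status and whether it carries a download mark. The function name `Test-TAScriptPolicy` and the fallback install path are assumptions made for this example.

```powershell
# Added example, not from the post or the TA. Run it as the account the Universal
# Forwarder runs under, or the CurrentUser scope shown is not the forwarder's.
# Assumption: SPLUNK_HOME is set; the fallback is the default forwarder install path.
function Test-TAScriptPolicy {
    param(
        [string]$SplunkHome = $env:SPLUNK_HOME,
        [string]$SplunkApp  = 'TA-Exchange-Mailbox'
    )
    if (-not $SplunkHome) { $SplunkHome = 'C:\Program Files\SplunkUniversalForwarder' }
    $scriptDir = Join-Path $SplunkHome "etc\apps\$SplunkApp\bin\powershell"

    # Effective policy, then each scope. MachinePolicy and UserPolicy come from
    # Group Policy and take precedence over anything set locally.
    $effective = Get-ExecutionPolicy
    Write-Host "Account:          $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    Write-Host "Effective policy: $effective"
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Host

    foreach ($file in Get-ChildItem -Path $scriptDir -Filter *.ps1) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        # A Zone.Identifier stream marks a downloaded file, which RemoteSigned treats
        # as remote. Get-Item -Stream needs PowerShell 3.0+, so 2.0 reports 'unknown'.
        $marked = 'unknown'
        if ($PSVersionTable.PSVersion.Major -ge 3) {
            $marked = [bool](Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        }

        $signed = $sig.Status -eq 'Valid'
        $allowed = switch ("$effective") {
            'Restricted'   { $false }
            'AllSigned'    { $signed }
            'RemoteSigned' { if ($signed -or $marked -eq $false) { $true } elseif ($marked -eq $true) { $false } else { 'unknown' } }
            default        { $true }   # Unrestricted or Bypass
        }

        New-Object PSObject -Property @{
            Script = $file.Name; Signature = $sig.Status
            ZoneMarked = $marked; AllowedByPolicy = $allowed
        } | Select-Object Script, Signature, ZoneMarked, AllowedByPolicy
    }
}

Test-TAScriptPolicy | Format-Table -AutoSize
```

If the output shows that only a download mark or a missing signature is blocking the scripts, that can be addressed on the files themselves rather than by leaving -ExecutionPolicy Bypass in the wrapper.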