All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does TA-Exchange-Mailbox need domain User account for powershell inputs Exchange 2010?

phoenixdigital
Builder
‎09-26-2017 03:43 PM

Hi All,

Been working at getting the exchange app installed and having issues with this one TA-Exchange-Mailbox and Exchange Server 2010.

http://docs.splunk.com/Documentation/MSExchange/3.4.2/Add-Ons/TA-Mailboxinputs

All the powershell scripts that it tries to run return this error with no more information or reasons.

alt text

The scripts can be run manually by a logged in user and they produce data just fine. The only thing that I think it could be is that the powershell scripts can't be run when the Universal Forwarder is configured to run as Local System Account.

alt text

Thoughts?

The manual makes no reference to this requirement and all the other TA's powershell scripts run OK.

Preview file
11 KB
Preview file
153 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phoenixdigital
Builder
‎09-26-2017 04:58 PM

A colleague suggested I tweak the TA-Exchange-Mailbox/bin/exchangepowershell.cmd file to include -ExecutionPolicy Bypass and data started flowing.

@ECHO OFF

SET SplunkApp=TA-Exchange-Mailbox

IF %1 EQU v8.0 ( GOTO ExchangeVersion2007 
) ELSE ( GOTO ExchangeVersionOth)

:ExchangeVersion2007
FOR /F "tokens=2* delims=     " %%A IN ('REG QUERY "HKLM\Software\Microsoft\Exchange\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\Bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof

:ExchangeVersionOth
FOR /F "tokens=2* delims=     " %%A IN ('REG QUERY "HKLM\Software\Microsoft\ExchangeServer\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof

We suspect it is due to the local powershell script execution policy but since I don't have access to the server directly this is a quick fix.

http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/EnableauditingandPowerShellondom...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

phoenixdigital
Builder
‎09-26-2017 04:58 PM

A colleague suggested I tweak the TA-Exchange-Mailbox/bin/exchangepowershell.cmd file to include -ExecutionPolicy Bypass and data started flowing.

@ECHO OFF

SET SplunkApp=TA-Exchange-Mailbox

IF %1 EQU v8.0 ( GOTO ExchangeVersion2007 
) ELSE ( GOTO ExchangeVersionOth)

:ExchangeVersion2007
FOR /F "tokens=2* delims=     " %%A IN ('REG QUERY "HKLM\Software\Microsoft\Exchange\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\Bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof

:ExchangeVersionOth
FOR /F "tokens=2* delims=     " %%A IN ('REG QUERY "HKLM\Software\Microsoft\ExchangeServer\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof

We suspect it is due to the local powershell script execution policy but since I don't have access to the server directly this is a quick fix.

http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/EnableauditingandPowerShellondom...

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...