Exchange 2019 - How to configure Edge Transport servers?

sgabriel1962
Explorer

Being completely new to this: our SMTP servers gathered data completely before using the SMTP Add-on.

My Domain admin now wants me to start ingesting D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\. So I have deployed TA-Exchange-Mailbox from the TA-Exchange App download from Splunkbase. I also deployed TA-exchange-SMTP.

The TA-exchange-smtp local/inputs.conf file looks like this (I only made a couple of changes in the path):

[monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\...\*]
index = smtp
sourcetype = exchange:smtp

I added this one after install:

[monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*]
index = smtp
sourcetype = MSExch2019:Tracking

So I am not 100% sure this is correct.

For the TA-Exchange-Mailbox I have 3 stanzas, based upon the info from previous messages on this forum:

[monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2019:MessageTracking
queue=parsingQueue
index=smtp
disabled=0

[monitor://D:\Exchange Server\TransportRoles\Logs\*\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2019:SmtpReceive
queue=parsingQueue
index=smtp
disabled=false

[monitor://D:\Exchange Server\TransportRoles\Logs\*\ProtocolLog\SmtpSend]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2019:SmtpSend
queue=parsingQueue
index=smtp
disabled=false

Again, I know nothing in regards to this level of data gathering, so I'm hoping one of you who does will be able to guide me in the right direction so that I can begin ingesting.

marnall
Motivator

This looks like it would work. If you're not quite sure and you want to make sure it is correct before the data goes into the index, then you could set up a sandbox index and use crcSalt to stop the logs from being registered as indexed already. In terms of billing, you would be paying for all logs, sandboxed or not, but it would avoid the annoyance of deleting wrongly-indexed data in your production indexes.

E.g.

[monitor://D:\Exchange Server\TransportRoles\Logs\*\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2019:SmtpReceive
queue=parsingQueue
index=sandbox
disabled=false
crcSalt = "testing"
(then remove or modify the crcSalt when the logs look good in the sandbox and are ready for production.)
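To make the sandbox-then-promote workflow from the reply above repeatable, here is an added Python example (not from this thread, and not part of the TA-Exchange add-on) that parses an inputs.conf, flags the stanza mistakes that most often send Exchange logs to the wrong place, and rewrites sandbox stanzas for production by switching the index and dropping crcSalt. The sample stanzas are constructed from the ones posted in the thread; the lint rules and function names are this example's own.

```python
import re

# Constructed sample (not the thread's text verbatim): the reply's sandbox stanza plus one production stanza.
SAMPLE_INPUTS_CONF = r"""
[monitor://D:\Exchange Server\TransportRoles\Logs\*\ProtocolLog\SmtpReceive]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2019:SmtpReceive
index=sandbox
crcSalt = "testing"

[monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*]
index = smtp
sourcetype = MSExch2019:Tracking
"""

def parse_inputs_conf(text):
    """Minimal .conf parser: returns a list of (stanza_name, {key: value}) pairs."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def lint_stanza(name, attrs):
    """Return a list of problems for one monitor stanza (empty list means it looks sane)."""
    problems = []
    for required in ("index", "sourcetype"):
        if required not in attrs:
            problems.append("missing " + required)
    if "whitelist" in attrs:
        try:
            re.compile(attrs["whitelist"])
        except re.error as exc:
            problems.append("whitelist regex does not compile: %s" % exc)
    if attrs.get("index") == "sandbox" and "crcSalt" not in attrs:
        problems.append("sandbox stanza without crcSalt: files Splunk has already seen may be skipped")
    return problems

def promote_to_production(stanzas, production_index="smtp"):
    """The reply's final step: retarget sandbox stanzas at the production index and drop the test crcSalt."""
    promoted = []
    for name, attrs in stanzas:
        attrs = dict(attrs)
        if attrs.get("index") == "sandbox":
            attrs["index"] = production_index
            attrs.pop("crcSalt", None)
        promoted.append((name, attrs))
    return promoted
```

Run lint_stanza over every stanza before deploying, and promote_to_production only once the sandboxed data has been checked against the expected sourcetypes.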