
How to configure TA-Mailbox Message tracking?

ze271021
Loves-to-Learn Everything

Hello,

I have a question regarding the TA-Exchange-Mailbox in the Splunk App for Microsoft Exchange.

I am using this app on my deployment server to parse the Exchange logs but the logs are not parsed on the search head. I copied the default conf files to the local one and I made the changes to receive the logs but they are not parsed, especially for the message tracking ones.

Any idea on how to configure it?

Thank you in advance!

0 Karma

PickleRick
SplunkTrust
0 Karma

ze271021
Loves-to-Learn Everything

Yes, but the logs are not parsed.

If the location of the log files is not the default one, may it be the cause?

0 Karma

PickleRick
SplunkTrust

OK. What exactly did you do to ingest the Exchange logs? And how (and where) did you install the TA-Mailbox?

0 Karma

ze271021
Loves-to-Learn Everything

Ok. I have a cluster of indexes with one master and one search head.

I installed the Universal Forwarder on the Exchange servers directly to collect the logs. The logs are saved in the E:\ partition and the default one is in the C:\ partition.

I installed the TA-Mailbox on the master in the deployment app folder and I pushed it to the server class that contains the Exchange servers.

In the TA-Mailbox, I created the local folder and added the inputs.conf file and modified it based on the Exchange version that I am using and the type of logs I want to collect.

Now I am receiving the logs on the search head but they are not parsed.

What should I do?

Thank you!

0 Karma

PickleRick
SplunkTrust

OK. So I assume that your cluster master doubles as a deployment server. That's not the best option but well, what can I do? Anyway, you say that you "modified the inputs.conf" file.

Question is how did you modify it. For the message tracking to work you need to adjust the path in the monitor stanza (you don't need the other inputs if you only want message tracking) so that proper message tracking logs are ingested with proper sourcetype.

And - which is a bit confusing since the docs don't seem to explicitly mention it - you need to install the add-on on your search head as well (just don't enable any inputs there!). The UF will ingest the file and set the proper sourcetype but it's the search-head that does the parsing and field extraction so the search-head needs to have the info contained within the app as well.

0 Karma

ze271021
Loves-to-Learn Everything

Okay. Yes, I adjusted the path in the monitor stanza for the message tracking logs.

Ok, I will install the app on the search head as well. But where do I have to install it? In the master apps folder?

And should I create a local file?

Thank you!!

0 Karma

PickleRick
SplunkTrust

I do not know whether you deploy apps to search-head from your deployment server or not. If so, then use it to deploy the app to SH. If not - install directly on SH.

And no, on SH you don't need to configure the inputs. The default settings should suffice to parse the logs (as long as your message tracking logs are ingested with proper sourcetype).

0 Karma
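
One way to sanity-check the forwarder-side input discussed in this thread, as an added example (not code from the thread or from the add-on): a monitor stanza written in local/inputs.conf with a different path is a new stanza and inherits nothing from the default one, so it must carry its own sourcetype. The paths, the sourcetype string and the function names are constructed placeholders; take the real sourcetype from the add-on's default/inputs.conf.

```python
import configparser

# Constructed sample files, not the add-on's real contents.
# Paths and the sourcetype string are placeholders.
DEFAULT_INPUTS = r"""
[monitor://C:\ExampleDefaultPath\MessageTracking]
sourcetype = EXAMPLE:MessageTracking
disabled = true
"""
# local/inputs.conf where only the path was changed
LOCAL_PATH_ONLY = r"""
[monitor://E:\ExampleCustomPath\MessageTracking]
disabled = false
"""
# local/inputs.conf where the new stanza repeats the sourcetype
LOCAL_COMPLETE = r"""
[monitor://E:\ExampleCustomPath\MessageTracking]
sourcetype = EXAMPLE:MessageTracking
disabled = false
"""

def parse(text):
    """Read a .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective(default_text, local_text):
    """Layer local over default: the same stanza name merges key by key,
    a different stanza name inherits nothing from the default stanza."""
    merged = parse(default_text)
    for stanza, keys in parse(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged

def enabled_monitors_without_sourcetype(conf):
    """Return enabled monitor stanzas that set no sourcetype."""
    bad = []
    for stanza, keys in conf.items():
        if not stanza.startswith("monitor://"):
            continue
        disabled = keys.get("disabled", "false").lower() in ("1", "true")
        if not disabled and "sourcetype" not in keys:
            bad.append(stanza)
    return bad

if __name__ == "__main__":
    for name, local in (("path only", LOCAL_PATH_ONLY), ("complete", LOCAL_COMPLETE)):
        print(name, enabled_monitors_without_sourcetype(effective(DEFAULT_INPUTS, local)))
```

On a real forwarder, `splunk btool inputs list --debug` shows the same merged view together with the file each setting comes from.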