Hi,
Could you help me retrieve message-tracking logs from our on-premises Exchange server? I added the following lines to inputs.conf, but the data still isn't being parsed. I guess something is missing or incorrect.
I'm also unsure how to set up the Exchange add-on and haven't found clear documentation. Any guidance would be greatly appreciated.
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\]
disabled = false
sourcetype = exchange_messagetracking
index = exchange
host_segment = 4
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.log]
disabled = false
sourcetype = exchange_messagetracking
index = exchange
If you are using indexers (or a standalone Splunk Enterprise instance), follow these steps:
Deploy the TA-Exchange-Mailbox add-on to the indexer at the following path:
/opt/splunk/etc/apps/TA-Exchange-Mailbox
Restart the Splunk service on the indexer to apply the changes.
On the Universal Forwarder, verify that the inputs.conf is correctly configured with the appropriate sourcetype for message tracking logs.
Hi, thank you for the replies. To clarify, in which path should I place the add-on file? It comes as a .tgz; where should I extract it?
Hi @nopera
Please can you confirm if you have downloaded and installed the Splunk Add-on for Microsoft Exchange app from Splunkbase on your forwarder?
Ensure that the folder listed in monitor:// exists on your filesystem and that the Splunk service can read the files.
Are you able to see other logs (such as _internal logs) on your Splunk instance from the Forwarder with this config on? Are there any error logs in $SPLUNK_HOME/var/log/splunk/splunkd.log regarding these inputs/monitor configs?
The props.conf configuration is specific to the sourcetype MSExchange:2013:MessageTracking. Please ensure that the corresponding add-on is installed on your heavy forwarder to enable proper parsing of the data.
[MSExchange:2013:MessageTracking]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2013msgtrack-fields, msgtrack-extract-psender, msgtrack-psender, msgtrack-sender, msgtrack-recipients, msgtrack-recipient
TRANSFORMS-comments = ignore-comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src=coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
TIME_PREFIX = ^\d\d
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %y-%m-%dT%H:%M:%S.%QZ
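As an added illustration (this is not code from the Splunk Add-on for Microsoft Exchange, nor from anyone in this thread), the Python script below walks through what that props.conf stanza does to a message tracking log so you can see what "parsed correctly" should look like: it drops the '#' comment block (TRANSFORMS-comments), splits each CSV row against a fixed field list instead of trusting the #Fields header (CHECK_FOR_HEADER = false, REPORT-fields), parses the timestamp, coalesces the source IP and sender fields the way the EVAL lines do, aliases server-hostname to dest, and maps event-id to an action. The field list is a trimmed subset of the real Exchange columns, the three log lines are constructed, the column-to-field mapping (client-ip as cs_ip, sender-address as PurportedSender, return-path as sender) and the event-id to action table are my assumptions standing in for the add-on's transforms and lookup file, whose contents are not on the page. It also adds one check the add-on does not: flagging rows where the header sender and the envelope return-path disagree, which is a useful input for a spoofing detection.

```python
import csv
from datetime import datetime, timezone

# Trimmed field list (assumption: a subset of the real Exchange 2013 message
# tracking columns), standing in for the #Fields header the add-on ignores.
FIELDS = ["date-time", "client-ip", "server-hostname", "source", "event-id",
          "message-id", "recipient-address", "sender-address", "return-path",
          "original-client-ip"]

# Constructed stand-in for the add-on's event_id_to_action_lookup; the real
# lookup file is not on the page, so these values are illustrative only.
EVENT_ID_TO_ACTION = {"RECEIVE": "received", "DELIVER": "delivered",
                      "FAIL": "failed", "SEND": "sent"}

# Constructed sample log (not real data): a comment/header block followed by
# three event rows with the trimmed column set above.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,server-hostname,source,event-id,message-id,recipient-address,sender-address,return-path,original-client-ip
2024-05-01T10:01:02.345Z,10.0.0.5,MBX01,SMTP,RECEIVE,<msg1@example.test>,alice@example.test,bob@example.test,bob@example.test,203.0.113.7
2024-05-01T10:01:03.000Z,,MBX01,STOREDRIVER,DELIVER,<msg1@example.test>,alice@example.test,bob@example.test,bob@example.test,
2024-05-01T10:02:00.500Z,10.0.0.6,MBX01,SMTP,DEFER,<msg2@example.test>,alice@example.test,ceo@example.test,bounce@mailer.test,
"""


def coalesce(*values):
    """Mirror Splunk's coalesce(): first non-empty value, else None."""
    for v in values:
        if v:
            return v
    return None


def parse_message_tracking(text):
    """Turn raw message tracking text into CIM-style event dicts."""
    events = []
    for line in text.splitlines():
        # TRANSFORMS-comments = ignore-comments: drop the '#' header block.
        if not line or line.startswith("#"):
            continue
        row = next(csv.reader([line]))
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(row)}: {line!r}")
        raw = dict(zip(FIELDS, row))

        # The add-on uses TIME_PREFIX ^\d\d to skip the century and then reads a
        # two-digit year with %y-%m-%dT%H:%M:%S.%QZ; Python reads the full year.
        ts = datetime.strptime(raw["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)

        # EVAL-sender = coalesce(PurportedSender,sender): header sender first,
        # envelope return-path as fallback (column mapping is an assumption).
        sender = coalesce(raw["sender-address"], raw["return-path"])
        header_sender = raw["sender-address"].lower()
        envelope_sender = raw["return-path"].lower()

        events.append({
            "_time": ts,
            # FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
            "dest": raw["server-hostname"],
            # EVAL-src=coalesce(original_client_ip,cs_ip)
            "src": coalesce(raw["original-client-ip"], raw["client-ip"]),
            # LOOKUP-event_id_to_action ... OUTPUT action (constructed table)
            "action": EVENT_ID_TO_ACTION.get(raw["event-id"], "unknown"),
            "sender": sender,
            "sender_domain": sender.rsplit("@", 1)[-1] if sender and "@" in sender else None,
            "recipient": raw["recipient-address"],
            "message_id": raw["message-id"],
            "product": "Exchange",   # EVAL-product
            "vendor": "Microsoft",   # EVAL-vendor
            # Added check, not in the add-on: P2 header sender vs P1 envelope
            # sender mismatch is a common spoofing indicator worth alerting on.
            "envelope_header_mismatch": bool(header_sender and envelope_sender
                                             and header_sender != envelope_sender),
        })
    return events


if __name__ == "__main__":
    for ev in parse_message_tracking(SAMPLE_LOG):
        print(ev["_time"].isoformat(), ev["action"], ev["src"], ev["sender"],
              "->", ev["recipient"], "MISMATCH" if ev["envelope_header_mismatch"] else "")
```

If your indexed events show none of these fields (no dest, src, action or sender), the sourcetype on the forwarder does not match the stanza name MSExchange:2013:MessageTracking or the add-on is not on the tier doing the parsing; if the fields appear but _time is wrong, check that the TIME_PREFIX/TIME_FORMAT pair above reached the indexer.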
You have to install this add-on https://splunkbase.splunk.com/app/3225 and match the exact sourcetype for the parsing.
Example:
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
Hi, thank you for the reply. To clarify, in which path should I place the add-on file? It comes as a .tgz; where should I extract it?
Install the add-on in the /opt/splunk/etc/apps directory on the HF.
If you're using a deployment server and plan to deploy the add-on to a heavy forwarder (HF), place the add-on in the /opt/splunk/etc/deployment-apps directory on the deployment server.
Then, create a server class, add the HF to that server class, associate the app with it, and deploy it to the HF.
I don't use a heavy forwarder; I installed a Universal Forwarder on the Exchange server and placed the add-on "TA-Exchange-Mailbox" (the server is in the mailbox role) at the path "C:\Program Files\SplunkUniversalForwarder\etc\apps". Now I am getting the logs, but the message tracking logs aren't parsed correctly. What should I do now? Example logs below from the test env.
Hi @nopera The docs state "You ONLY need to install these add-ons on FORWARDERS." - The emphasis on ONLY is their wording, not mine! However, after investigating the contents of the app it's clear there are field extractions which need to be on your search head and time/event parsing that needs to be on your indexers (since you are using a Universal Forwarder).
Please install the app on your search heads and indexers using your usual app deployment approach and this should provide the relevant field extraction / CIM compliance.
That worked. Thank you so much.
For other people who need help with this situation, a summary:
Deploy the TA-Exchange-Mailbox add-on to /opt/splunk/etc/apps/TA-Exchange-Mailbox
I recommend installing the add-on on both the indexers and the search heads.
Indexers are responsible for index-time operations such as parsing, data transformation, and routing. Therefore, any add-on containing props.conf or transforms.conf should be deployed to the indexers.
Search Heads handle search-time functions, including dashboards, lookups, macros, and CIM mappings. While it's safe to install the add-on on the search heads for search-time functionality, doing so won’t interfere with index-time processes, provided those configurations are also present on the indexers.
In general, it's best practice to install the add-on across all relevant tiers (indexers, search heads, and forwarders) and enable only the necessary components on each, depending on the role of the system.
https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall