I am trying to configure the Exchange Reputation piece in Splunk and am a little confused by the instructions.
In the instructions, it states:
- In the TA-SMTP-Reputation\local directory, create a reputation.conf.
Should the "TA-SMTP-Reputation\local" directory be located on an Exchange server or on the server with the full Splunk install? Our outbound email servers are a hosted Proofpoint solution, so installing the forwarders onto those servers isn't an option.
The full Splunk install is on a server with internet access, but there isn't a folder called local in the directory.
Should I just create a folder called local within this location "C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons\TA-SMTP-Reputation"?
I was running into the same issues. We have Splunk installed on Windows servers. Here is what I did.
Additionally, our reputation was reporting as 'Mixed' even after getting it working. What I found was that one of the sites that the Python script was checking was invalid and timing out and causing the degraded reputation. The web app was telling me that dnsbl.solid.net was timing out, so I removed that one from the 'check_my_reputation.py' script in the C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons\TA-SMTP-Reputation\bin location. Once that entry was removed, our reputation was reported as 'Good'. A static file might not have been the best way to go on that one.
Hope this works for you.
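The failure described in the answer above, where one dead blocklist zone degrades the overall result, can be avoided by classifying a failed lookup separately from a listing. The following is an added example, not code from the app's check_my_reputation.py or from any poster; the function names, the `.example.test` zones and the constructed resolver are assumptions for illustration.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

class LookupFailed(Exception):
    """Timeout or resolver error: the zone gave no usable answer."""

def system_resolve(name):
    """A records for name via the OS resolver; [] when the name does not exist."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise LookupFailed(name) from exc

def query_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_zone(ip, zone, resolve=system_resolve):
    """Return 'listed', 'clean' or 'unreachable' for one zone."""
    try:
        answers = resolve(query_name(ip, zone))
    except LookupFailed:
        return "unreachable"
    if any(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    # A non-127/8 answer is not a listing (parked or wildcarded zone).
    return "unreachable" if answers else "clean"

def check_all(ip, zones, resolve=system_resolve):
    """Per-zone status, with dead zones reported apart from listings."""
    results = {z: check_zone(ip, z, resolve) for z in zones}
    pick = lambda s: sorted(z for z, r in results.items() if r == s)
    return {"results": results, "listed": pick("listed"),
            "unreachable": pick("unreachable")}

def constructed_resolver(name):
    """Constructed sample data standing in for DNS (hypothetical zones)."""
    if name.endswith(".dead.example.test"):
        raise LookupFailed(name)
    table = {"10.2.0.192.bl.example.test": ["127.0.0.2"],
             "10.2.0.192.parked.example.test": ["203.0.113.5"]}
    return table.get(name, [])
```

Zones that come back as `unreachable` are candidates for removal from the list being checked, rather than evidence against the sending IP.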
I had an issue getting the Reputation script to run as well. I found that the slashes in the input.conf within the TA-SMTP-Reputation app were forward slashes, and on my Windows box I had to change them to backslashes. Note that the first two don't change.
Was
[script://./bin/check_my_reputation.py]
changed to
[script://.\bin\check_my_reputation.py]
Adrian,
Any help with my post here:
http://splunk-base.splunk.com/answers/81213/splunk-for-exchange-smtp-reputation-script-errors
Cannot get it to work.
Thank you,
Slava.
Hi @mameisberger,
If my Heavy forwarder is already forwarding all data to the indexer by default, do I still need to create a forwarder on it?
TA-SMTP-Reputation has three requirements:
The latter is only important in multi-tier deployments. You can just create the local directory underneath the $SPLUNK_HOME/etc/apps/TA-SMTP-Reputation directory.