Getting Data In

Exchange Reputation Setup

jbreu
Explorer

I am trying to configure the Exchange Reputation piece in Splunk and am a little confused by the instructions.

In the instructions, it states:

  1. In the TA-SMTP-Reputation\local directory, create a reputation.conf.

Should the "TA-SMTP-Reputation\local" directory be located on an Exchange server or on the server with the full Splunk install? Our outbound email servers are a hosted Proofpoint solution so installing the forwarders on to those servers isn't an option.

The full Splunk install is on a server with internet access, but there isn't a folder called local in the directory.

Should I just create a folder called local within this location "C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons\TA-SMTP-Reputation"?

1 Solution

mameisberger
Engager

I was running into the same issues. We have Splunk installed on Windows servers. Here is what I did.

  1. Create a forwarder on the Heavy Forwarder Splunk server to the Indexer server if you are using a multi-server deployment. Make sure the Indexing server also has a receiver to receive data from that server and the ports match.
  2. On the Splunk server that is a Heavy Forwarder, copy the TA-SMTP-Reputation folder from the C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons location and place it in the C:\Program Files\Splunk\etc\apps location.
  3. Now open the TA-SMTP-Reputation folder you placed and create a folder named 'local'.
  4. Open the 'default' folder and copy the 'inputs.conf' and 'reputation.conf' folders and paste them into the 'local' folder you created.
  5. Open the 'reputation.conf' file in the local folder and add the IP addresses of the outbound mail servers separated by a semi-colon.
  6. THIS IS A VERY IMPORTANT STEP. Open the 'inputs.conf' file in the local folder. By default, the stanza that uses the UNIX path is enabled and the WINDOWS path is disabled. Change the stanza that has the left leaning slashes to be 'disabled=false' and change the other to 'disabled=true'.
  7. Restart the Splunk instances and it should work for you.

Additionally, our reputation was reporting as 'Mixed' even after getting it working. What I found was that one of the sites that the python script was checking was invalid and timing out and causing the degraded reputation. The web app was telling me that dnsbl.solid.net was timing out so I removed that one from the 'check_my_reputation.py' script in the C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons\TA-SMTP-Reputation\bin location. Once that entry was removed, our reputation was reported as 'Good'. A static file might not have been the best way to go on that one.

Hope this works for you.

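The 'Mixed' symptom in the answer above comes from one DNSBL zone that no longer answers, not from a real listing. The following is an added example, not the add-on's own check_my_reputation.py (which the thread does not reproduce): a small reputation checker that keeps "not listed", "listed" and "zone did not answer" apart, so a stale zone shows up as an error instead of silently degrading the verdict. The reputation.conf key name (ip_addresses), the zone names, the sample IPs and the Good/Mixed/Bad rule are assumptions made for illustration; the offline resolver is a constructed stand-in for DNS so the script runs without network access.

```python
"""Added example: DNSBL reputation check that separates stale zones from
real listings. Not the TA-SMTP-Reputation add-on's own script."""
import socket
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed layout of local/reputation.conf: mail server IPs, semicolon separated
SAMPLE_REPUTATION_CONF = """\
[reputation]
ip_addresses = 203.0.113.10; 203.0.113.11
"""

# Constructed zone names (placeholders under .invalid, not a recommendation)
DEFAULT_ZONES = ["bl.example.invalid", "dnsbl.example.invalid"]


def parse_reputation_conf(text: str) -> List[str]:
    """Return the validated IPs from the ip_addresses key (bad entries raise)."""
    ips: List[str] = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ip_addresses":
            for raw in value.split(";"):
                raw = raw.strip()
                if raw:
                    ips.append(str(ipaddress.ip_address(raw)))
    return ips


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried with the octets reversed: 1.2.3.4 -> 4.3.2.1.zone"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def default_resolver(name: str) -> str:
    """Real lookup via the OS resolver. NXDOMAIN raises socket.gaierror; the
    libc resolver applies its own timeout (a DNS library would be needed for a
    per-query deadline)."""
    return socket.gethostbyname(name)


def make_offline_resolver(listed_names: Iterable[str], dead_zones: Iterable[str]) -> Callable[[str], str]:
    """Constructed stand-in for DNS so the example runs offline:
    dead zones time out, listed names answer 127.0.0.2, everything else is NXDOMAIN."""
    listed = set(listed_names)
    dead = set(dead_zones)

    def resolver(name: str) -> str:
        if any(name.endswith("." + z) for z in dead):
            raise socket.timeout("simulated: zone not answering")
        if name in listed:
            return "127.0.0.2"
        raise socket.gaierror("simulated NXDOMAIN")

    return resolver


def check_ip(ip: str, zones: List[str], resolver: Callable[[str], str]) -> Dict[str, str]:
    """Per-zone verdict for one IP: clean / listed / error / unexpected."""
    results: Dict[str, str] = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolver(name)
        except socket.gaierror:          # NXDOMAIN: not listed (checked first, it is an OSError)
            results[zone] = "clean"
        except OSError:                  # timeout, SERVFAIL, unreachable zone
            results[zone] = "error"
        else:                            # DNSBLs answer in 127.0.0.0/8 when listed
            results[zone] = "listed" if answer.startswith("127.") else "unexpected"
    return results


def overall_status(per_ip: Dict[str, Dict[str, str]]) -> str:
    """Assumed rule mirroring the symptom in the thread: any listing -> Bad,
    any error without a listing -> Mixed, all clean -> Good."""
    statuses = {s for zones in per_ip.values() for s in zones.values()}
    if "listed" in statuses:
        return "Bad"
    if statuses & {"error", "unexpected"}:
        return "Mixed"
    return "Good"


def run(conf_text: str, zones: List[str] = DEFAULT_ZONES,
        resolver: Callable[[str], str] = default_resolver) -> Tuple[str, Dict[str, Dict[str, str]]]:
    ips = parse_reputation_conf(conf_text)
    per_ip = {ip: check_ip(ip, zones, resolver) for ip in ips}
    return overall_status(per_ip), per_ip


if __name__ == "__main__":
    # Offline demo: one zone is dead, nothing is listed -> Mixed, with the
    # per-zone detail showing exactly which zone to drop from the list.
    status, detail = run(SAMPLE_REPUTATION_CONF,
                         resolver=make_offline_resolver(set(), {"dnsbl.example.invalid"}))
    print(status)
    for ip, zones in detail.items():
        for zone, verdict in zones.items():
            print(f"{ip:15} {zone:25} {verdict}")
```

Run it with the real resolver by calling run(conf_text) once the zone list holds real DNSBLs; the per-zone detail is what tells you whether a 'Mixed' result needs a zone removed from the list or an actual delisting request.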

the0duke0
Path Finder

I had an issue getting the Reputation script to run as well. I found that the slashes in the inputs.conf within the TA-SMTP-Reputation app were forward slashes and on my Windows box I had to change them to back slashes. Note that the first two don't change.

Was
[script://./bin/check_my_reputation.py]

changed to
[script://.\bin\check_my_reputation.py]

0 Karma
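Both the0duke0's fix and step 6 of the accepted answer come down to the same check: of the two scripted-input stanzas in local/inputs.conf, exactly one must be enabled, and it must be the one whose path separators match the host. The following is an added example, not part of the add-on: a Python audit that parses a constructed inputs.conf with both stanzas, reports which one is active and whether it suits a Windows or UNIX host, and rewrites the disabled flags for the right host. The sample file contents (interval value, the exact stanza text) are assumptions; only the stanza headers follow the form quoted in the thread.

```python
"""Added example: audit and fix the Windows/UNIX scripted-input stanzas in a
TA-SMTP-Reputation style inputs.conf. Not the add-on's own file or tooling."""
import configparser
import io
import os
from typing import List, Tuple

SCRIPT_PREFIX = "script://"

# Constructed inputs.conf resembling the add-on's default: the UNIX stanza is
# enabled and the Windows one disabled, which is the state the thread warns about.
SAMPLE_INPUTS_CONF = """\
[script://./bin/check_my_reputation.py]
disabled = false
interval = 3600

[script://.\\bin\\check_my_reputation.py]
disabled = true
interval = 3600
"""


def parse_splunk_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like; interpolation is off so '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def stanza_style(section: str) -> str:
    """'windows' if the script path after script:// uses backslashes, else 'unix'."""
    path = section[len(SCRIPT_PREFIX):]
    return "windows" if "\\" in path else "unix"


def audit_script_stanzas(text: str, host_os: str = "") -> Tuple[List[str], List[str]]:
    """Return (enabled script stanzas, list of problems) for the given host.
    host_os defaults to the OS the audit runs on."""
    host = host_os or ("windows" if os.name == "nt" else "unix")
    cp = parse_splunk_conf(text)
    enabled: List[str] = []
    for section in cp.sections():
        if not section.startswith(SCRIPT_PREFIX):
            continue
        # Splunk accepts 0/1 and true/false; a missing key means enabled.
        disabled = cp.get(section, "disabled", fallback="false").strip().lower()
        if disabled not in ("1", "true", "yes"):
            enabled.append(section)
    problems: List[str] = []
    if len(enabled) != 1:
        problems.append(f"expected exactly one enabled script stanza, found {len(enabled)}")
    for section in enabled:
        if stanza_style(section) != host:
            problems.append(f"enabled stanza {section!r} uses {stanza_style(section)} "
                            f"path separators on a {host} host")
    return enabled, problems


def fix_for_host(text: str, host_os: str) -> str:
    """Return conf text with the stanza matching host_os enabled and the other disabled."""
    cp = parse_splunk_conf(text)
    for section in cp.sections():
        if section.startswith(SCRIPT_PREFIX):
            cp.set(section, "disabled", "false" if stanza_style(section) == host_os else "true")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    enabled, problems = audit_script_stanzas(SAMPLE_INPUTS_CONF, host_os="windows")
    print("enabled:", enabled)
    print("problems:", problems or "none")
    print(fix_for_host(SAMPLE_INPUTS_CONF, "windows"))
```

Point it at the real local/inputs.conf with open(path).read() after copying the default file as the accepted answer describes; the audit reads the file only, and fix_for_host returns new text for you to review before writing it back and restarting Splunk.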

cgisplunk
Path Finder

Adrian,

Any help with my post here:
http://splunk-base.splunk.com/answers/81213/splunk-for-exchange-smtp-reputation-script-errors
Cannot get it to work.
Thank you,
Slava.

0 Karma

damode
Motivator

Hi @mameisberger,

If my Heavy Forwarder is already forwarding all data to the indexer by default, do I still need to create a forwarder on it?

0 Karma

ahall_splunk
Splunk Employee

TA-SMTP-Reputation has three requirements:

  • It needs Python, so it needs a full Splunk install
  • It needs Internet Access
  • The index it feeds needs to be searchable from the search head

The latter is only important in multi-tier deployments. You can just create the local directory underneath the $SPLUNK_HOME/etc/apps/TA-SMTP-Reputation directory.

0 Karma