
Exchange admin audit logs

nuwan
New Member

Can Splunk read Exchange 2010 SP1 admin audit logs? I believe Exchange admin logs go to a configured email. Does the Splunk Exchange app read the Exchange admin logs?
Thank you in advance.

0 Karma

ahall_splunk
Splunk Employee

Yes. Download the Splunk App for Microsoft Exchange - the TA-Exchange-2010-* technology add-ons that are included read the Admin Audit Logs from each server.

nuwan
New Member

Thank you.

0 Karma

micnuw2
New Member

I am also curious, as it seems this issue isn't getting fixed. The short answer my Splunk team got from their Splunk rep was that the account that is forwarding to the Exchange app indexes needs to be in the same domain with the Organization Management role in Exchange XD. I'm sorry, but the expectation that an Exchange team using this app would give full open-ended access to a service account just to forward admin audit logs is insane.

0 Karma

tomasmoser
Contributor

Hi,

I am curious when the bug below will be fixed. It is related to Exchange 2016 admin audit log extraction.

2016-12-30 EXC-2052

read-audit-logs_2010_2013.ps1 failure. The search command search-adminauditlog used in read-audit-logs_2010_2013, does not work in PowerShell for the 2016 Exchange Server product. The MSExchange:2013:AdminAudit sourcetype will not display in Splunk platform searches.

0 Karma