I’ve installed the Universal Forwarder on an Exchange Server 2016. It successfully collects most of the logs defined in inputs.conf from TA-Exchange-Mailbox, except for the following:
1. MSExchange:2013:AdminAudit
   Checked using: Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled
   Result: AdminAuditLogEnabled = True
2. MSExchange:2013:MessageTracking
   Verified the path and files exist in the directory:
   C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
3. MSExchange:2013:Folder-Usage and MSExchange:2013:Mailbox-Usage: unsure how to check this log source.
Is there anything I can check or configure to fix this issue?
Hi @phamanh1652 ,
as described at https://docs.splunk.com/Documentation/AddOns/released/MSExchange/TroubleshootTA-Mailbox, did you check whether the Domain User Account has the Records Management and Organization Management roles enabled?
Otherwise the TA cannot read these logs.
Ciao.
Giuseppe
Hi @gcusello
Thank you for your response,
My current service account for SplunkForwarder is NT Service\SplunkForwarder. I'm wondering—can I change this account directly from Log On tab, or do I need to reinstall the Universal Forwarder using a domain account that has the necessary permissions and roles?
Regards,
Hi @gcusello
I see that the SplunkForwarder service is currently running under the NT SERVICE\SplunkForwarder account. Is it possible to switch this to a domain user account with the required permissions, or would I need to reinstall the Universal Forwarder using that domain account?
Regards,
I don't recall if you can add a _local_ user to a _domain_ group. (I know you can do the opposite but my win-fu is not that strong).
You can either try to fiddle with local permissions to grant the local SplunkForwarder right to read the logs or (and this will probably be easier) - change the user the UF runs as.
The latter requires creating a domain user (preferably a Domain Service Account or however it's called nowadays), changing ownership of the UF installation directory (which is quite easy obviously) and setting the service to run as that user.
The docs say that the user UF runs as needs (additionally to what is needed to read Exchange logs):
[...]
To allow the least privileged user to enable universal forwarder features, grant all or some of the following permissions in the dialog box: Grant Windows privileges to enable universal forwarder features:
| Permission | Function |
|---|---|
| SeBackupPrivilege | Select to grant the least privileged user READ ONLY permissions for files. |
| SeSecurityPrivilege | Select to allow the user to collect Windows security event logs. NOTE: The SeSecurityPrivilege permissions are READ/WRITE by design on Windows. This means that the user can also modify and delete Security Event Logs. To mitigate this issue, see "Manage SePrivilegeUser permissions" in this topic. |
| SeImpersonatePrivilege | Select to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources. |
Grant Windows groups privileges to enable universal forwarder features:
| Permission | Function |
|---|---|
| Performance Monitor Users | Select for WMI/perfmon inputs to collect performance data. |
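The checks discussed in this thread (which account the UF service logs on as, whether that account can read the MessageTracking directory, whether it is in the two Exchange role groups named in the troubleshooting doc, and whether it holds the Windows privileges and local group membership listed above) can be run together before and after the account switch. The script below is an added example written for this reply; it is not from the thread, from Splunk or from the TA. It assumes the service is named SplunkForwarder, that the candidate account is `CONTOSO\svc_splunkuf` (a placeholder), that the MessageTracking path is the one from the original post, and that it runs as a local administrator inside the Exchange Management Shell so that `Get-RoleGroupMember` and `Get-AdminAuditLogConfig` are available.

```powershell
# Added example (not the thread's or Splunk's code): verify UF prerequisites on an
# Exchange 2016 server for a candidate service account. Run in the Exchange
# Management Shell as a local administrator.
param(
    [string]$Account      = 'CONTOSO\svc_splunkuf',   # assumed placeholder domain account
    [string]$ServiceName  = 'SplunkForwarder',        # assumed UF service name
    [string]$TrackingPath = 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking'
)

$results = [ordered]@{}
$sam     = ($Account -split '\\')[-1]
$sid     = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

# 1. Current logon account of the UF service (NT SERVICE\SplunkForwarder by default).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$results['ServiceLogonAccount'] = if ($svc) { $svc.StartName } else { '<service not found>' }

# 2. Admin audit logging, as the original poster checked it.
$results['AdminAuditLogEnabled'] = (Get-AdminAuditLogConfig).AdminAuditLogEnabled

# 3. Direct NTFS read ACE for the account on the MessageTracking directory.
#    Only ACEs naming the account itself are matched; access inherited through
#    group membership is not resolved here.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$acl = Get-Acl -Path $TrackingPath
$results['MessageTrackingReadAce'] = [bool]($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $readData) -ne 0 -and
    $_.IdentityReference.Value -eq $Account
})

# 4. Exchange role groups named in the TA troubleshooting doc. Get-RoleGroupMember
#    lists direct members only, so membership via a nested group is not detected.
foreach ($group in 'Records Management', 'Organization Management') {
    $members = Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue
    $results["RoleGroup:$group"] = [bool]($members | Where-Object {
        $_.SamAccountName -eq $sam -or $_.Name -eq $sam })
}

# 5. User rights assignment from the local security policy. secedit writes SIDs
#    prefixed with '*'; rights granted to a group the account belongs to are not
#    attributed to the account here.
$cfg = Join-Path $env:TEMP 'uf_secpol_check.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
foreach ($priv in 'SeBackupPrivilege', 'SeSecurityPrivilege', 'SeImpersonatePrivilege') {
    $line = $policy | Where-Object { $_ -like "$priv = *" }
    $results["Privilege:$priv"] = [bool]($line -and (
        $line -match [regex]::Escape("*$($sid.Value)") -or
        $line -match [regex]::Escape($Account)))
}

# 6. Local 'Performance Monitor Users' group, for the perfmon/WMI inputs.
$results['Group:Performance Monitor Users'] = [bool](
    Get-LocalGroupMember -Group 'Performance Monitor Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -eq $sid.Value })

[pscustomobject]$results | Format-List
```

Run it once before changing anything to see which of the thread's prerequisites are missing, and again after the change; every line should read `True` and `ServiceLogonAccount` should show the domain account. To switch the logon account without reinstalling (the question asked above), the service entry can be changed with `sc.exe config SplunkForwarder obj= "CONTOSO\svc_splunkuf" password= "<password>"` followed by a service restart, after the UF installation directory has been handed to that account (for example `icacls "C:\Program Files\SplunkUniversalForwarder" /setowner "CONTOSO\svc_splunkuf" /T`). Note that the `SeSecurityPrivilege` row above is read/write by design, so grant it only if the Security event log is actually being collected.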
Hi @phamanh1652 ,
yes, you can switch to a domain account, or add the splunkforwarder to the local accounts, giving it the above grants.
Ciao.
Giuseppe