Integration of MS Exchange server with splunk

I_B · ‎08-09-2024

Dear All,

I need your assistance in fetching Microsoft Exchange Server logs using the Splunk Universal Forwarder.

I can provide the paths for the MSG Tracking, SMTP, and OWA log files. The goal is to configure the Universal Forwarder to collect these logs and forward them to a central Splunk server.

Given that the Splunk documentation indicates that the MS Exchange App is end-of-life (EOL), is it necessary to use an add-on? The documentation suggests creating GPO policies and making other changes. However, in IBM QRadar, the process is simpler: you install the WinCollect agent, specify the paths for MSG Tracking, SMTP, and OWA logs, and the agent collects and forwards the logs to the QRadar Console. The Auto Discovery feature in QRadar then creates the log source automatically.

Is there a simpler and more straightforward method to collect these logs using the Splunk Universal Forwarder?

Thank you in advance for your assistance.

PickleRick · ‎08-09-2024

Exchange is a relatively big solution so depending on what you want to ingest the answer can vary.

If you want just the message tracking logs, you can easily ingest them using monitor input. I've never dealt with SMTP or OWA logs so can't tell you how these work but I suppose they should also be relatively easily readable. The problem might be in parsing the data of course.

QRadar is simply different so don't bring it for comparison.

Integration of MS Exchange server with splunk

add-on

CLI

universal forwarder

Windows

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?