Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Integration of MS Exchange server with splunk

I_B
New Member
‎08-09-2024 05:40 AM

Dear All,

I need your assistance in fetching Microsoft Exchange Server logs using the Splunk Universal Forwarder.

I can provide the paths for the MSG Tracking, SMTP, and OWA log files. The goal is to configure the Universal Forwarder to collect these logs and forward them to a central Splunk server.

Given that the Splunk documentation indicates that the MS Exchange App is end-of-life (EOL), is it necessary to use an add-on? The documentation suggests creating GPO policies and making other changes. However, in IBM QRadar, the process is simpler: you install the WinCollect agent, specify the paths for MSG Tracking, SMTP, and OWA logs, and the agent collects and forwards the logs to the QRadar Console. The Auto Discovery feature in QRadar then creates the log source automatically.

Is there a simpler and more straightforward method to collect these logs using the Splunk Universal Forwarder?

Thank you in advance for your assistance.

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-15-2026 12:04 AM

Hi @I_B ,

even if the Splunk App for MS Exchange is at its EoL, you need the Splunk Add-On for Microsoft Exchange (https://splunkbase.splunk.com/app/3225).

You should deploy it to the UF using e.g. the Deployment Server (Splunk Best Practice) or another solution and configure it as described in the documentation.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-09-2024 06:04 AM

Exchange is a relatively big solution so depending on what you want to ingest the answer can vary.

If you want just the message tracking logs, you can easily ingest them using monitor input. I've never dealt with SMTP or OWA logs so can't tell you how these work but I suppose they should also be relatively easily readable. The problem might be in parsing the data of course.

QRadar is simply different so don't bring it for comparison.

0 Karma
Reply

dprez
New Member
‎10-02-2025 10:26 PM

Hi.

I am also migrating from QRadar. I am sorry but it might be different but it needs to be mentioned. We had a solution working, and we need these logs that is why we would like to achieve the same in Splunk.


0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...