Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Onboarding local MS Exchange Server with audit and activity data like O365?

ojay
Path Finder
‎08-04-2021 12:48 AM

Hi all,

i have already integrated O365 using the O365 management API and collecting the user, admin, system, and policy actions and events for O365

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...

I want to collect similar data from a local exchange server now but I don't know the logs. 

The Splunk Add-on for Microsoft Exchange collects the following data using scripted inputs:

  • Senderbase/reputation data. , Topology and Health information and Mailbox Server health and usage information

Is there even similar data on a local MS exchange? and is that data no possible to be collected with a UF?

Any help to direct me in the right direction would help.

Best,

N.

Labels (2)
Labels
0 Karma
Reply

aokur_splunk
Splunk Employee
Splunk Employee
‎05-22-2023 11:16 AM

Older question - but this still came up as a hit on my search results while trying to help another customer, so this might be useful here.

You have to run (or let the splunk agent run and manage) the monitors and scripts responsible for monitoring exchange related logs. To start - I would locally (like to your laptop) download the Add-On, https://splunkbase.splunk.com/app/3225

From there, explore the inputs.conf configurations available in the subdirectories. These define what is to be collected. If you notice, there are a ton of inputs available. These are set to OFF by default. Let's take a look at one of them under \TA-Windows-Exchange-IIS\default\inputs.conf

####Exchange Server Version 2010 - Start####

[monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2010EWS:IIS
queue=parsingQueue
index=msexchange
disabled=true
initCrcLength=8192

The monitor stanza is defining the location of the path - so in this case, the files are stored in that file path (...\logging\EWS). The whitelist/allowist statement specifies that all files in that directory ending in .log or .LOG are to be allowed. The 'disabled' statement is currently set to false, as per the default. 

To get this working, copy this stanza to a /local/inputs.conf directory, change disabled to '=false' and deploy to the machine that is running exchange. You will need a a UF, or Heavy Forwarder or some other way to getting data to splunk indexers.

Use a similar process for the many other inputs you have available.  Do not turn on all inputs unless you really need them and have done capacity planning as it can be a lot of volume. 

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...