Splunk for Microsoft Exchange: deployment question

NewMilenium
Path Finder

Hello,

My question is quite simple: is it possible to use the Splunk for Microsoft Exchange application only on the Splunk side, without installing anything on the Exchange servers, so that it only analyses the logs Splunk has already received?

If not, my problem is the following: I must use Splunk to create reports about the logs we receive (and so it has to "recognize" them). At the moment, I can't find how to recognize the Microsoft Exchange source type for the logs with just Splunk (list of types currently proposed by Splunk: "access_combined", "apache_error", "csv", "iis", "log4j", "log4php", "syslog"). So, if that app can't help me either, I'll have to start working on an app to do this... and that's something I really, really would like to avoid...

Thank you for any answer, and for the time spent.

0 Karma

ahall_splunk
Splunk Employee

It is not possible for the Splunk for Microsoft Exchange app to be fully functional without installing anything on the Exchange server. Too many things are embedded in the Exchange PowerShell and/or .NET structures that we read as part of this.

However, you can still use PARTS of the app to handle your logs. For instance, let's say you put your message tracking logs on a file share instead. You can import them with the sourcetype MSExchange:2010:MessageTracking (or replace the 2010 with 2007 or 2013, depending on your version), then they will be recognized by the props/transforms that are in the Splunk for Microsoft Exchange. In this case, you will need the sections of the props/transforms from the app that deal with the message tracking logs, plus a file input that reads the files and sets the sourcetype.
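The file input described in the answer above could look like the following inputs.conf fragment. This is an added example, not part of the original post and not the app's own configuration; the share path and index name are hypothetical, and only the sourcetype comes from the answer.

```ini
# inputs.conf on a Splunk instance (forwarder or indexer) that can read
# the file share. Nothing is installed on the Exchange servers themselves.

# Hypothetical UNC path: replace with the share where the message
# tracking logs are copied. On a *nix instance, use the mount point
# instead, e.g. [monitor:///mnt/exchange-logs/MessageTracking]
[monitor://\\fileserver\exchange-logs\MessageTracking]

# Only pick up log files; ignore anything else dropped on the share.
whitelist = \.(log|LOG)$

# Sourcetype named in the answer. Use 2007 or 2013 in place of 2010
# to match the Exchange version that produced the logs.
sourcetype = MSExchange:2010:MessageTracking

# Hypothetical index name: it must already exist on the indexers.
index = msexchange

# Skip files not modified in the last 14 days so a large backlog on
# the share is not indexed on first start. Adjust or remove as needed.
ignoreOlderThan = 14d

disabled = false
```

The sourcetype is only recognized if the message tracking sections of the app's props.conf and transforms.conf are also present on the Splunk side, as the answer says.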

NewMilenium
Path Finder

Well, my enterprise cannot and doesn't want to access the clients' servers, in (very) short.
This might change in the future though, so I'll use this "question" again here if needed.

Thanks for the information, you've been a great help!

0 Karma

ahall_splunk
Splunk Employee

No, you would not. The Splunk App for Exchange requires a good set of data to determine the function of each machine.

Is there a reason you cannot install the Splunk UF on the Exchange host?

0 Karma

NewMilenium
Path Finder

And with such a configuration, would I be able to use some parts of the menus and such, with graphical statistics and reports?
Very small question, by the way: would the PDF reports have any chance of working? (I know the little trick with the XML file and autoRun="true" to put in.)

Thanks a lot, I will post again here in the next few days if needed.

0 Karma