Getting Data In

Upgraded from MS Exchange 2010 to 2013 and now I no longer get any data from the eventtype=msexchange-admin-audit?

avf925
New Member

All of the other data from all previous eventtypes is coming through just fine, except the msexchange-admin-audit. We have 10 Exchange Servers all on MS Exchange 2013 - and after we migrated from Exchange 2010 to Exchange 2013 all Dashboards and Reports continue to work fine other than the AUDIT reports using the above event type. We are using SPLUNK Enterprise 6.4.4.

How can I get the eventtypes=msexchange-admin-audit to repopulate the reports and dashboards?

0 Karma

rhays
New Member

Did anyone solve this? I am running into this same issue with Exchange 2016.

0 Karma

woodcock
Esteemed Legend

The stuff comes from different places between 2010 and 2013 so you need to enable new stanzas, some of which are off by default.
Check TA-Exchange-ClientAccess/*/inputs.conf, which has completely different sections for each version. Make sure you have disabled = 0 in local for these stanzas:

[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]

The latter defaults to disabled.
Update and then restart all Splunk instances to put it in effect.

0 Karma
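The advice above amounts to "make sure local/inputs.conf overrides the default for both audit stanzas, then restart". A small script can verify the effective state before bouncing the forwarders. This is an added example, not code from the thread or from the TA; it uses the stanza names quoted above, assumes Splunk's usual layering (a key in local/inputs.conf overrides the same key in default/inputs.conf, and a missing disabled key means enabled), and the two .conf bodies embedded in it are constructed samples, not the TA's real files.

```python
"""Report the effective enabled/disabled state of the Exchange admin-audit
script stanzas after layering local/inputs.conf over default/inputs.conf.

Added example, not part of the thread or of TA-Exchange-ClientAccess.
"""
import configparser

# Stanza names as quoted in the thread.
AUDIT_STANZAS = [
    r"script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1",
    r"script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1",
]

# Constructed stand-in for default/inputs.conf (not the TA's real file).
# The v15 stanza ships disabled, which is the trap the thread describes.
DEFAULT_INPUTS = r"""
[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
interval = 60
index = msexchange
disabled = 0

[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
interval = 60
index = msexchange
disabled = 1
"""

# Constructed stand-in for a local/inputs.conf where only the v14 stanza was
# touched: the common mistake when the v15 stanza is overlooked.
LOCAL_INPUTS_INCOMPLETE = r"""
[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
disabled = 0
"""

# Constructed local/inputs.conf that re-enables both stanzas.
LOCAL_INPUTS_FIXED = LOCAL_INPUTS_INCOMPLETE + r"""
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled = 0
"""


def parse_conf(text):
    """Parse a Splunk .conf body into {stanza: {key: value}}.

    Splunk conf files are INI-like; interpolation is switched off so '%'
    in values is left alone, and key case is preserved.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def effective_stanzas(default_text, local_text):
    """Layer local over default key by key, as Splunk does at load time."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def is_disabled(value):
    """Interpret Splunk's boolean spellings; a missing key means enabled."""
    if value is None:
        return False
    return value.strip().lower() in {"1", "true", "t", "yes", "y", "on"}


def audit_status(default_text, local_text):
    """Return {stanza: {'enabled': bool, 'index': str|None}} for the audit inputs."""
    merged = effective_stanzas(default_text, local_text)
    status = {}
    for stanza in AUDIT_STANZAS:
        keys = merged.get(stanza, {})
        status[stanza] = {
            "enabled": stanza in merged and not is_disabled(keys.get("disabled")),
            "index": keys.get("index"),
        }
    return status


def still_disabled(default_text, local_text):
    """List the audit stanzas that are still off after layering."""
    return [s for s, st in audit_status(default_text, local_text).items()
            if not st["enabled"]]


if __name__ == "__main__":
    for label, local in (("incomplete", LOCAL_INPUTS_INCOMPLETE),
                         ("fixed", LOCAL_INPUTS_FIXED)):
        print(f"local/inputs.conf ({label}):")
        for stanza, st in audit_status(DEFAULT_INPUTS, local).items():
            state = "enabled" if st["enabled"] else "DISABLED"
            print(f"  {state:8} index={st['index']}  [{stanza}]")
```

Point the two text constants at the real default/inputs.conf and local/inputs.conf on a forwarder and the report shows, per stanza, whether it is effectively on and which index it writes to, which also answers the follow-up question about whether an msexchange index exists to receive the data.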

avf925
New Member

As of this morning - all changes noted above have been made - we are getting A LOT more data into the system, but still NOTHING from the following event type
eventtypes=msexchange-admin-audit

Other thoughts - suggestions - things we can try?

0 Karma

woodcock
Esteemed Legend

Do you have an index named msexchange defined on your indexers?

0 Karma

woodcock
Esteemed Legend

Have you upgraded your Splunk forwarders to a recent 6.* or 7.* release? Depending on the version of your forwarder (the latest versions do not require this, but I am not sure where the dividing line is), you may have to deploy the PowerShell TA in order for the PowerShell-based forwarder inputs to work. Perhaps it is time to open a support case.

0 Karma

avf925
New Member

[image: screenshot of the .conf changes]

0 Karma

avf925
New Member

Above are the changes that we made to the .conf file - still nothing - we have a forwarder on each of the Exchange Servers - thoughts?

0 Karma

woodcock
Esteemed Legend

Do you have an index called msexchange defined on your indexers and did you bounce Splunk on your forwarders?

0 Karma

avf925
New Member

There is no TA-Exchange-ClientAccess on the Search Head or the Indexer.

0 Karma

woodcock
Esteemed Legend

This will be on your forwarders, your Exchange Servers. This should be deployed from your Deployment Server so check there.

0 Karma