All of the other data from all previous eventtypes is coming through just fine, except the msexchange-admin-audit. We have 10 Exchange Servers all on MS Exchange 2013 - and after we migrated from Exchange 2010 to Exchange 2013 all Dashboards and Reports continue to work fine other than the AUDIT reports using the above event type. We are using Splunk Enterprise 6.4.4.
How can I get the eventtypes=msexchange-admin-audit to repopulate the reports and dashboards?
The stuff comes from different places between 2010 and 2013 so you need to enable new stanzas, some of which are off by default.
Look at TA-Exchange-ClientAccess/*/inputs.conf, which has completely different sections for each version. Make sure you have disabled = 0 in local for these stanzas:
[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
The latter defaults to disabled.
Update and then restart all Splunk instances to put it into effect.
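As an added example (not from this thread or from the Exchange TA itself), here is a small Python check that resolves the effective `disabled` value of the two stanzas above by applying Splunk's normal layering, where local/inputs.conf overrides default/inputs.conf. The two sample conf layers embedded below are constructed for the example; the real default/inputs.conf shipped with the TA may contain other keys, but the point stands: if local does not override the v15 stanza, it stays disabled and no Exchange 2013 audit data is read.

```python
import configparser

# Constructed sample of the TA's default/inputs.conf layer (assumption: v14 on, v15 off by default).
DEFAULT_CONF = r"""
[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
disabled = 0
interval = 300
sourcetype = MSExchange:2010:Admin-Audit

[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled = 1
interval = 300
sourcetype = MSExchange:2013:Admin-Audit
"""

# Constructed sample of a local/inputs.conf that only re-enables the v14 stanza (the common mistake).
LOCAL_CONF = r"""
[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
disabled = 0
"""

V14_STANZA = r"script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1"
V15_STANZA = r"script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1"
REQUIRED_STANZAS = (V14_STANZA, V15_STANZA)


def load_layer(text):
    """Parse one inputs.conf layer into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def effective_settings(default_text, local_text):
    """Merge layers the way Splunk does: local keys override default keys per stanza."""
    merged = load_layer(default_text)
    for stanza, settings in load_layer(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged


def is_enabled(settings):
    """A stanza is enabled unless 'disabled' resolves to a Splunk-style true value."""
    value = settings.get("disabled", "0").strip().lower()
    return value not in ("1", "true", "t", "yes", "y")


def audit_input_status(default_text, local_text):
    """Return {stanza: enabled?} for the two Exchange admin-audit script inputs."""
    merged = effective_settings(default_text, local_text)
    return {s: (s in merged and is_enabled(merged[s])) for s in REQUIRED_STANZAS}


def suggest_local_fix(default_text, local_text):
    """Build the stanzas that still need 'disabled = 0' added to local/inputs.conf."""
    status = audit_input_status(default_text, local_text)
    return "".join(f"[{s}]\ndisabled = 0\n\n" for s, enabled in status.items() if not enabled)


if __name__ == "__main__":
    for stanza, enabled in audit_input_status(DEFAULT_CONF, LOCAL_CONF).items():
        print(("ENABLED  " if enabled else "DISABLED ") + stanza)
    print("Add to local/inputs.conf:\n" + suggest_local_fix(DEFAULT_CONF, LOCAL_CONF))
```

To run it against a real deployment, read the TA's default/inputs.conf and local/inputs.conf from disk and pass their contents to audit_input_status; anything reported DISABLED is a stanza that will never launch the PowerShell reader, regardless of how many other inputs are producing data.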
As of this morning - all changes noted above have been made - we are getting A LOT more data into the system, but still NOTHING from the following event type.
Other thoughts - suggestions - things we can try?
Have you upgraded your Splunk forwarders to a recent 6.* or 7.* release? Depending on the version of your forwarder (the latest versions do not require this, but I am not sure where the dividing line is), you may have to deploy the PowerShell TA in order for the PowerShell-based forwarder inputs to work. Perhaps it is time to open a support case.