Getting Data In

Upgraded from MS Exchange 2010 to 2013 and now I no longer get any data from the eventtype=msexchange-admin-audit?

New Member

All of the other data from all previous eventtypes is coming through just fine, except the msexchange-admin-audit. We have 10 Exchange Servers all on MS Exchange 2013 - and after we migrated from Exchange 2010 to Exchange 2013 all Dashboards and Reports continue to work fine other than the AUDIT reports using the above event type. We are using Splunk Enterprise 6.4.4.

How can I get the eventtypes=msexchange-admin-audit to repopulate the reports and dashboards?

0 Karma

New Member

Did anyone solve this? I am running into this same issue with Exchange 2016.

0 Karma

Esteemed Legend

The stuff comes from different places between 2010 and 2013 so you need to enable new stanzas, some of which are off by default.
Check TA-Exchange-ClientAccess/*/inputs.conf which has completely different sections for each version. Make sure you have disabled = 0 in local for these stanzas:

[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]

The latter defaults to disabled.
Update and then restart all Splunk instances to put it in effect.

0 Karma
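As an added check (example code, not from the thread or the TA itself): a small Python script that mimics Splunk's default/local layering of inputs.conf and reports whether the v14 (Exchange 2010) and v15 (Exchange 2013) admin-audit script stanzas named above end up enabled. The .conf contents embedded below are constructed samples, not the TA's shipped files.

```python
import re

# Constructed sample of the two layers Splunk merges: default/inputs.conf (TA) and local/inputs.conf (admin).
DEFAULT_INPUTS = """
[script://.\\bin\\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
disabled = 0
[script://.\\bin\\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled = 1
"""
LOCAL_INPUTS = """
# enable the Exchange 2013 (v15) admin-audit input
[script://.\\bin\\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled = 0
"""
AUDIT_STANZA = re.compile(r"exchangepowershell\.cmd\s+(v1[45])\s+read-audit-logs_2010_2013\.ps1")

def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def merge_layers(*layers):
    """Merge in precedence order (default first, local last): later keys win."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

def audit_input_status(merged):
    """Map version tag -> True if the audit input is effectively enabled (no 'disabled' key = enabled)."""
    status = {}
    for stanza, keys in merged.items():
        m = AUDIT_STANZA.search(stanza)
        if m:
            status[m.group(1)] = keys.get("disabled", "0").lower() not in ("1", "true")
    return status

def check(default_text=DEFAULT_INPUTS, local_text=LOCAL_INPUTS):
    return audit_input_status(merge_layers(parse_conf(default_text), parse_conf(local_text)))
```

Point it at the real default/inputs.conf and local/inputs.conf of TA-Exchange-ClientAccess on a forwarder to confirm the v15 stanza is no longer disabled before restarting Splunk.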

New Member

As of this morning - all changes noted above have been made - we are getting A LOT more data into the system, but still NOTHING from the following event type
eventtypes=msexchange-admin-audit

Other thoughts - suggestions - things we can try?

0 Karma

Esteemed Legend

Do you have an index named msexchange defined on your indexers?

0 Karma

Esteemed Legend

Have you upgraded your Splunk forwarders to a recent 6.* or 7.* release? Depending on the version of your forwarder (the latest versions do not require this but I am not sure where the dividing line is), you may have to deploy the PowerShell TA in order for the PowerShell-based forwarder inputs to work. Perhaps it is time to open a support case.

0 Karma

New Member

[image: screenshot of the inputs.conf changes]

0 Karma

New Member

Above are the changes that we made to the .conf file - still nothing - we have a forwarder on each of the Exchange Servers - thoughts?

0 Karma

Esteemed Legend

Do you have an index called msexchange defined on your indexers and did you bounce Splunk on your forwarders?

0 Karma

New Member

There is no TA-Exchange-ClientAccess on the Search Head or the Indexer.

0 Karma

Esteemed Legend

This will be on your forwarders, your Exchange Servers. This should be deployed from your Deployment Server so check there.

0 Karma