Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Exchange 2010 Inputs Assist

tgiles
Path Finder
‎09-02-2011 09:31 AM

Hi, all.

I was asked to get Exchange logs from an Exchange 2010 cluster going to Splunk. I've installed a forwarder on all four members of the cluster and started looking at the Exchange app (available for download from splunk-base).

From what I can tell from the app (and from other posts on splunk-base) there should be a "Exchange Auditing" Windows event log I can point Splunk to. Unfortunately, I don't see that anywhere. The closest I see might be "MSExchange Management", but it's not really showing me a lot of data.

I also notice there's a "C:\Program Files\Microsoft\Exchange Server\V14\Logging" directory on the systems that seem to have quite a bit I'll be interested in, but unfortunately nothing mentioning Exchange Auditing.

So, what inputs would you recommend I setup in my Splunk forwarders to pull exchange audit logs? Pointing me to the relevant documentation (if available) would be awesome, or input from anyone who's performed this sort of setup would be great.

Thanks,

tom

Reply
1 Solution
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:03 AM

You need to enable Exchange auditing. Unfortunately, it isn't available on Exchange 2010. I will be addressing this in the next release of the Splunk App for Microsoft Exchange.

View solution in original post

Reply
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:03 AM

You need to enable Exchange auditing. Unfortunately, it isn't available on Exchange 2010. I will be addressing this in the next release of the Splunk App for Microsoft Exchange.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎09-02-2011 11:32 AM

this doesn't directly answer your question, but there is a Splunk app for Exchange:
http://splunk-base.splunk.com/apps/28976/splunk-app-for-microsoft-exchange

it's a free app. the documentation for it is here:
http://docs.splunk.com/Documentation/MSExchange/latest/DeployMSX/AboutSplunkforMicrosoftExchange

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...