Exchange has a variety of logs. I believe the Splunk app for Exchange 3.0 will get you loads of info it gathers from the environment. Unfortunately, with Exchange, the security audit logs for Mailbox auditing are stored within Exchange, inaccessible to Splunk. This is where LOGbinder bridges that gap. LOGbinder gets the mailbox audit logs from Exchange, where they are stored in each user's mailbox, correlates GUIDs and other useless-unless-translated data, and outputs it to a location where Splunk can access it: either in the Security log, the application log, a file share or to a Syslog receiver. LOGbinder does the same for the admin audit log.