I've been using the Universal Forwarder for Windows on my Exchange 2010 box for a while now, and it works pretty well. Since then I've found the Exchange App for Splunk. I don't have (or need) a deployment server, but I've been unable to get the Exchange App to work. Even after manually installing the Exchange App forwarders in the C:\Program Files\Splunk\etc\apps folder (on the Exchange server) and creating the "local" subfolder for each of the apps with the inputs.conf in it, no events ever make it to the Exchange App. I manually put the correct fwd_* folders in my apps folder for my version of Exchange. I copied the inputs.conf file from the defaults to the local folder, and I've restarted the Splunk Forwarder service.
Events from Exchange that the Forwarder was getting before still work (Windows Event Logs and IIS Logs), however the Exchange App on the Splunk server isn't seeing any data. I'm running the current version of Splunk.
It seems there is some step I've missed to make the Exchange forwarders work, but I can't figure out what it is. Any ideas?