In Exchange 2016, to collect the Admin Audit logs, Splunk runs a script similar to the one for 2010:
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-ClientAccess\bin\powershell\read-audit-logs_2010_2013.ps1
which really just does this in a nutshell:
# Retrieve records from the LastSeen date (the checkpoint left by the previous run) up to now
$Records = Search-AdminAuditLog -StartDate $LastSeen -EndDate (Get-Date)
# New checkpoint value, initialised to LastSeen
$RecordLast = $LastSeen
However, as we run Splunk under the LocalSystem account, it doesn't have rights and logs a variety of errors, including:
10:18:18.481 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd" v15 read-audit-logs_2010_2013.ps1" Search-AdminAuditLog : Object reference not set to an instance of an object.
The app log contains:
WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance of an object.
How do you configure Splunk for Exchange 2016 to have enough permissions, when it runs under that local system account, to access the admin audit logs? And, more annoyingly, why did it work in Exchange 2010 when it ran under the same local system account?
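The checkpointed Search-AdminAuditLog pattern sketched in the question, written out as an added example with paging, error handling, and a diagnostic that reports which identity the script is actually running as and who holds the RBAC role that gates the cmdlet. This is illustrative code, not the TA's read-audit-logs_2010_2013.ps1 and not an answer from the thread. It assumes it runs inside the Exchange Management Shell (as exchangepowershell.cmd arranges); the checkpoint path, the settle window, and the key=value output format are assumptions for the example, not the TA's format.

```powershell
# Added example, not the Splunk TA's script. Assumes the Exchange cmdlets are loaded.
param(
    [string]$CheckpointFile = "$env:ProgramData\splunk-exchange\admin-audit.lastseen",  # assumed path
    [int]$PageSize = 5000,        # ResultSize per call; Search-AdminAuditLog pages via -StartIndex
    [int]$SettleMinutes = 5       # assumed lag: audit entries are written asynchronously
)

$ErrorActionPreference = 'Stop'   # turn the cmdlet's non-terminating errors into catchable ones

function Get-LastSeen {
    # Read the checkpoint written by the previous run; first run looks back 24 hours.
    if (Test-Path -Path $CheckpointFile) {
        return [datetime]::Parse((Get-Content -Path $CheckpointFile -Raw).Trim())
    }
    return (Get-Date).AddHours(-24)
}

function Set-LastSeen([datetime]$When) {
    New-Item -ItemType Directory -Force -Path (Split-Path -Path $CheckpointFile) | Out-Null
    $When.ToString('o') | Set-Content -Path $CheckpointFile
}

function ConvertTo-KvLine($Record) {
    # Flatten one AdminAuditLogEvent into a single key=value line (assumed output format).
    $params = ($Record.CmdletParameters |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ';'
    return ('RunDate="{0}" Caller="{1}" Cmdlet="{2}" Object="{3}" Succeeded={4} Params="{5}"' -f
        $Record.RunDate.ToString('o'), $Record.Caller, $Record.CmdletName,
        $Record.ObjectModified, $Record.Succeeded, $params)
}

function Show-PermissionDiagnostics {
    # Under the forwarder's default service account this reports NT AUTHORITY\SYSTEM.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Warning "Search-AdminAuditLog failed while running as '$who'."
    # Search-AdminAuditLog is gated by the "Audit Logs" management role; list its effective holders.
    $holders = Get-ManagementRoleAssignment -Role 'Audit Logs' -GetEffectiveUsers |
        Select-Object -ExpandProperty EffectiveUserName -Unique
    Write-Warning ("Identities holding the 'Audit Logs' role: " + ($holders -join ', '))
}

$start = Get-LastSeen
$end   = (Get-Date).AddMinutes(-$SettleMinutes)   # snapshot the window before querying
if ($end -le $start) { return }                     # nothing new to collect yet

$index = 0
$count = 0
try {
    do {
        # Wrap in @() so a single or empty result still has a .Count
        $batch = @(Search-AdminAuditLog -StartDate $start -EndDate $end `
                    -StartIndex $index -ResultSize $PageSize)
        foreach ($r in $batch) { Write-Output (ConvertTo-KvLine $r) }
        $index += $batch.Count
        $count += $batch.Count
    } while ($batch.Count -eq $PageSize)
}
catch {
    Show-PermissionDiagnostics
    throw   # keep the non-zero exit so the forwarder's ExecProcessor logs the failure
}

Set-LastSeen -When $end   # advance the checkpoint only after every page was emitted
Write-Verbose "Emitted $count record(s) from $start to $end"
```

The checkpoint is advanced to the snapshotted end of the window rather than to the last record seen, so an empty window still moves forward and a failed run re-collects the same window instead of losing it. When the cmdlet fails, the warning pair (who the script runs as, who effectively holds the "Audit Logs" role) is what you need to see in the app log to decide which account the forwarder should run under.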