Does TA-Exchange-Mailbox need a domain user account for PowerShell inputs on Exchange 2010?

phoenixdigital
Builder

Hi All,

I've been working on getting the Exchange app installed and am having issues with this one: TA-Exchange-Mailbox and Exchange Server 2010.

http://docs.splunk.com/Documentation/MSExchange/3.4.2/Add-Ons/TA-Mailboxinputs

All the PowerShell scripts that it tries to run return this error with no more information or reasons.

The scripts can be run manually by a logged-in user and they produce data just fine. The only thing that I think it could be is that the PowerShell scripts can't be run when the Universal Forwarder is configured to run as the Local System account.

Thoughts?

The manual makes no reference to this requirement and all the other TAs' PowerShell scripts run OK.

phoenixdigital
Builder

A colleague suggested I tweak the TA-Exchange-Mailbox/bin/exchangepowershell.cmd file to include -ExecutionPolicy Bypass and data started flowing.

@ECHO OFF

SET SplunkApp=TA-Exchange-Mailbox

IF %1 EQU v8.0 ( GOTO ExchangeVersion2007 
) ELSE ( GOTO ExchangeVersionOth)

:ExchangeVersion2007
FOR /F "tokens=2* delims=     " %%A IN ('REG QUERY "HKLM\Software\Microsoft\Exchange\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\Bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof

:ExchangeVersionOth
FOR /F "tokens=2* delims=     " %%A IN ('REG QUERY "HKLM\Software\Microsoft\ExchangeServer\%1\Setup" /v MsiInstallPath') DO SET Exchangepath=%%B
Powershell -ExecutionPolicy Bypass -PSConsoleFile "%Exchangepath%\bin\exshell.psc1" -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%2'"
goto:eof

We suspect it is due to the local PowerShell script execution policy, but since I don't have access to the server directly this is a quick fix.

http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/EnableauditingandPowerShellondom...
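
A read-only check for the suspicion in the answer above, as an added example that is not part of the original post or of TA-Exchange-Mailbox: pasted into a PowerShell session running as the forwarder's service account, it shows which scope decides the execution policy and whether the add-on's scripts are signed. The fallback install path and the variable names are assumptions.

```powershell
# Added diagnostic, not shipped with TA-Exchange-Mailbox. It changes nothing.
# Paste into a PowerShell session started under the forwarder's service account.

# SPLUNK_HOME is normally only set for processes the forwarder launches.
# Assumption: fall back to the default Universal Forwarder install directory.
$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME }
              else { 'C:\Program Files\SplunkUniversalForwarder' }
$ScriptDir  = Join-Path $SplunkHome 'etc\apps\TA-Exchange-Mailbox\bin\powershell'

$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Running as       : $identity"
Write-Output "Effective policy : $(Get-ExecutionPolicy)"

# Get-ExecutionPolicy -List returns the scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
# The first scope that is not 'Undefined' decides the effective policy.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table Scope, ExecutionPolicy -AutoSize | Out-String | Write-Output

$deciding = $scopes |
    Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
    Select-Object -First 1
if ($deciding) {
    Write-Output "Deciding scope   : $($deciding.Scope) ($($deciding.ExecutionPolicy))"
} else {
    Write-Output 'Deciding scope   : none set, the built-in default applies'
}

# Signature status of each input script. AllSigned requires 'Valid' on every
# script; RemoteSigned requires it only for scripts marked as downloaded.
if (Test-Path $ScriptDir) {
    Get-ChildItem -Path $ScriptDir -Filter *.ps1 | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Script    = $_.Name
            Signature = $sig.Status
        }
    } | Format-Table Script, Signature -AutoSize
} else {
    Write-Output "Script directory not found: $ScriptDir"
}
```

A deciding scope of MachinePolicy or UserPolicy means Group Policy sets the policy, and Group Policy takes precedence over the -ExecutionPolicy switch. Any other scope can be changed locally with Set-ExecutionPolicy.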
