All of the other data from all previous eventtypes is coming through just fine, except the msexchange-admin-audit. We have 10 Exchange Servers all on MS Exchange 2013 - and after we migrated from Exchange 2010 to Exchange 2013, all Dashboards and Reports continue to work fine other than the AUDIT reports using the above event type. We are using Splunk Enterprise 6.4.4.
How can I get the eventtypes=msexchange-admin-audit to repopulate the reports and dashboards?
Did anyone solve this? I am running into this same issue with Exchange 2016.
The stuff comes from different places between 2010 and 2013 so you need to enable new stanzas, some of which are off by default.
Check TA-Exchange-ClientAccess/*/inputs.conf, which has completely different sections for each version. Make sure you have disabled = 0 in local for these stanzas:
[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
The latter defaults to disabled.
Update and then restart all Splunk instances to put it in effect.
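Since the default/ and local/ layering decides whether a stanza actually runs, here is an added example (my code, not from the TA or this thread) that mimics that layering over constructed inputs.conf snippets and reports which read-audit-logs stanzas are still effectively disabled. The conf contents are assumed for illustration; the TA's real default/inputs.conf may differ.

```python
import re

# Added example (not from the thread): mimic Splunk's default/local layering
# for inputs.conf and report which read-audit-logs stanzas remain disabled.
STANZA_RE = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf

def effective(default_text, local_text):
    """Layer local over default key by key, as 'splunk btool inputs list' does."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged

def disabled_audit_stanzas(default_text, local_text):
    """Stanzas for read-audit-logs that are still disabled after layering.
    A missing 'disabled' key means enabled, so only explicit 1/true counts."""
    merged = effective(default_text, local_text)
    return sorted(s for s, k in merged.items()
                  if "read-audit-logs" in s and k.get("disabled", "0") in ("1", "true"))

# Constructed sample confs resembling the TA: default ships the v15 audit
# input disabled; this local/inputs.conf re-enables only the v14 stanza.
DEFAULT_CONF = """
[script://.\\bin\\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
disabled = 0
index = msexchange
[script://.\\bin\\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
disabled = 1
index = msexchange
"""
LOCAL_CONF = """
[script://.\\bin\\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
disabled = 0
"""
```

Running disabled_audit_stanzas(DEFAULT_CONF, LOCAL_CONF) returns the v15 stanza, which is exactly the one that still needs disabled = 0 in local.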
As of this morning - all changes noted above have been made - we are getting A LOT more data into the system, but still NOTHING from the following event type
eventtypes=msexchange-admin-audit
Other thoughts - suggestions - things we can try?
Do you have an index named msexchange defined on your indexers?
Have you upgraded your Splunk forwarders to a recent 6.* or 7.* release? Depending on the version of your forwarder (the latest versions do not require this, but I am not sure where the dividing line is), you may have to deploy the PowerShell TA in order for the PowerShell-based forwarder inputs to work. Perhaps it is time to open a support case.
Above are the changes that we made to the .conf file - still nothing - we have a forwarder on each of the Exchange Servers - thoughts?
Do you have an index called msexchange defined on your indexers, and did you bounce Splunk on your forwarders?
There is no TA-Exchange-ClientAccess on the Search Head or the Indexer.
This will be on your forwarders, your Exchange Servers. This should be deployed from your Deployment Server so check there.