Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Microsoft Exchange : deployment question

NewMilenium
Path Finder
‎01-15-2013 01:21 AM

Hello,

my question is quite simple : is that possible to use Splunk for Microsoft Exchange application only splunk-sided, not installing anything on the Exchange Servers, so that it only analyses the logs splunk already received?

If not, my problem is the next one : I must use splunk to create reports about the logs we receive (and so, it has to "recognize" them). At the moment, I can't find with just splunk how to recognize the Microsoft Exchange source type for the logs (list of types currently proposed by splunk : "access_combined", "apache_error", "csv", "iis", "log4j", "log4php", "syslog"). So, if that app' can't help me neither, I'll have to start working on an app' to do this... and that's something I really really would like to avoid...

Thank you for any answer, for the time spent.

Tags (1)
0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎01-15-2013 07:25 AM

It is not possible for the Splunk for Microsoft Exchange to be fully functional and not install anything on the Exchange server. Too many things are embedded in the Exchange Powershell and/or .NET structures that we read as part of this.

However, you can still use PARTS of the app to handle your logs. For instance, let's say you put your message tracking logs on a file share instead. You can import them with the sourcetype MSExchange:2010:MessageTracking (or replace the 2010 with 2007 or 2013, depending on your version), then they will be recognized by the props/transforms that are in the Splunk for Microsoft Exchange. In this case, you will need the sections of the props/transforms from the app that deal with the message tracking logs, plus a file input that reads the files and sets the sourcetype.

Reply

NewMilenium
Path Finder
‎01-15-2013 08:34 AM

Well my enterprise cannot and doesn't want to access to the clients' servers, in (very) short.
This might change in the future though, so, I'll use this "question" again here if needed.

Thanks for the information, you've been much help!

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎01-15-2013 08:05 AM

No, you would not. The Splunk App for Exchange requires a good set of data to determine the function of each machine.

Is there a reason you cannot install the Splunk UF on the Exchange host?

0 Karma
Reply

NewMilenium
Path Finder
‎01-15-2013 08:02 AM

And with such configuration, I would be able to use some parts of the menus and such with graphical statistics and reports?
Very little question, by the way : would the PDF reports have any chance to work? (I know the little trick with XML file and

autoRun="true"

to put in)

Thank you a lot, I will post again here in next days if needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...