All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Active Dir/Exchange

dsteinb
New Member
‎05-29-2013 10:11 AM

Can someone tell me how to get the data into these please.
I have downloaded and put the folders in the forwarder dir (C:\Program Files\SplunkUniversalForwarder) etc\apps and nothing is happening. The only thing that sort of works is Windows. On this server I have the following in ETC\APPS
Splunk_TA_windows
sideview_utils
SplunkUniversalForwarder
TA-SMTP-Reputation
TA-Exchange-2010-MailboxStore
TA-Exchange-2010-HubTransport
TA-DNSServer-NT6
TA-DomainController-NT6

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎05-29-2013 11:43 AM

What version are the Splunk Forwarders? If you are using the latest and greatest, you may need to downgrade to version 4.3.5 on the Active Directory server(s). That is documented in the release notes.

For the Active Directory piece you'll need to enable local PowerShell script execution on the AD servers. That is how the AD data is collected on the end point. You can see that requirement documented here.

As for the Exchange side, you also need PowerShell and very likely you need to specify where the data resides, plus which index the data is meant to land. You should get started here.

I hope this helps. You are likely close but need a bit more configuration before you can awesome results.

Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎05-29-2013 12:43 PM

Splunk Apps will have a default location under %SPLUNK_HOME%\etc\apps. The application itself will have a default directory (case sensitive, lower case is the standard) where all the deault artifacts are loaded. For customization and changes, we copy the appropriate artifact from the default and place in a "local" directory. If one does not exist, you should create one.

%SPLUNK__HOME%\etc\apps\TA-Exchange-2013-Mailbox\local is the right place on the Forwarder.

0 Karma
Reply

dsteinb
New Member
‎05-29-2013 12:25 PM

I am reading the one for exchange and it makes NO sense. there is NO local anywhere under C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_for_Exchange\appserver\addons\TA-Exchange-2013-Mailbox or any of the others. I am also running 2008R2. So where would I copy the inputs to? Am I just making a :
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_for_Exchange\appserver\addons\TA-Exchange-2013-Mailbox\LOCAL ?

0 Karma
Reply

dsteinb
New Member
‎05-29-2013 12:00 PM

I checked and local Powershell script was enabled.

I do appreciate the help

0 Karma
Reply

skylasam_splunk
Splunk Employee
Splunk Employee
‎05-29-2013 11:04 AM

What role is the machine on which you've installed the Universal forwarder playing? Is it a Domain Controller? Mailbox Store? Or something else? Basically, the appropriate TA for a given role needs to be used on the machine. As Chris suggested earlier, please go over the deployment instructions for both exchange and AD apps and follow the configuration instructions.

Reply

ChrisG
Splunk Employee
Splunk Employee
‎05-29-2013 10:58 AM

Sounds as if maybe you missed some steps to configure the technology add-ons? Are you following the deployment instructions in the documentation?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...