All Apps and Add-ons

How to configure TA-Mailbox Message tracking?

ze271021
Loves-to-Learn Everything

Hello,

I have a question regarding the TA-Exchange-Mailbox in the Splunk App for Microsoft Exchange.

I am using this app on my deployment server to parse the Exchange logs, but the logs are not parsed on the search head. I copied the default conf files to the local ones and made the changes to receive the logs, but they are not parsed, especially the message tracking ones.

Any idea on how to configure it?


Thank you in advance!


PickleRick
SplunkTrust

ze271021
Loves-to-Learn Everything

Yes, but the logs are not parsed.

If the location of the log files is not the default one, could that be the cause?


PickleRick
SplunkTrust

OK. What exactly did you do to ingest the Exchange logs? And how (and where) did you install the TA-Mailbox?


ze271021
Loves-to-Learn Everything

Ok. I have a cluster of indexers with one master and one search head.

I installed the Universal Forwarder on the Exchange servers directly to collect the logs. The logs are saved on the E:\ partition, while the default location is on the C:\ partition.

I installed the TA-Mailbox on the master in the deployment-apps folder and pushed it to the server class that contains the Exchange servers.

In the TA-Mailbox, I created the local folder, added the inputs.conf file and modified it based on the Exchange version that I am using and the type of logs I want to collect.

Now I am receiving the logs on the search head, but they are not parsed.

What should I do?

Thank you !


PickleRick
SplunkTrust

OK. So I assume that your cluster master doubles as a deployment server. That's not the best option but well, what can I do? Anyway, you say that you "modified the inputs.conf" file.

The question is how you modified it. For message tracking to work you need to adjust the path in the monitor stanza (you don't need the other inputs if you only want message tracking) so that the proper message tracking logs are ingested with the proper sourcetype.

And - which is a bit confusing since the docs don't seem to explicitly mention it - you need to install the add-on on your search head as well (just don't enable any inputs there!). The UF will ingest the file and set the proper sourcetype, but it's the search head that does the parsing and field extraction, so the search head needs to have the info contained within the app as well.

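To make the two points above concrete (a monitor stanza whose path matches the non-default E:\ location, and a sourcetype that the add-on's props.conf knows how to parse), here is an added example of a `local/inputs.conf` for the Universal Forwarder on an Exchange server. It is not from this thread or from the add-on itself: the E:\ folder, the `msexchange` index and the `MSExchange:2013:MessageTracking` sourcetype are assumptions, so copy the real log folder from the server and take the sourcetype and index names from the add-on's own `default/inputs.conf` and `default/props.conf` for your Exchange version.

```ini
# Added example, not the add-on's shipped configuration.
# Placed in TA-Exchange-Mailbox/local/inputs.conf on the Universal Forwarder
# (deployed via the deployment server's server class for the Exchange hosts).

# Path is an assumption: use the folder where message tracking logs actually
# land on the E:\ partition of your server.
[monitor://E:\Exchange\TransportRoles\Logs\MessageTracking]
# Sourcetype name is an assumption: it must be exactly the value the add-on's
# default/inputs.conf uses for your Exchange version, otherwise the search
# head's props/transforms will never match and the events stay unparsed.
sourcetype = MSExchange:2013:MessageTracking
# Index name is an assumption: pick the one your app/searches expect.
index = msexchange
disabled = false

# The add-on's default stanza still points at the C:\ location. If that folder
# does not exist on your server it is harmless, but disabling it in local/
# keeps the effective configuration unambiguous. Path is an assumption.
[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking]
disabled = true
```

Two checks are worth doing after deploying this. On the forwarder, `splunk btool inputs list --debug` shows the merged stanzas and which file each setting comes from, so a typo in the path or sourcetype is visible before any data is sent. On the search head, which needs the same add-on installed but with every input left disabled, search for the sourcetype you set (for example `sourcetype=MSExchange:2013:MessageTracking`) and confirm that the expected fields appear; if the raw events arrive under a different sourcetype, the stanza on the forwarder is the place to fix it, not the search head.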

ze271021
Loves-to-Learn Everything

Okay. Yes, I adjusted the path in the monitor stanza for the message tracking logs.

Ok, I will install the app on the search head as well. But where do I have to install it? In the master apps folder?

And should I create a local file?

Thank you !!


PickleRick
SplunkTrust

I do not know whether you deploy apps to the search head from your deployment server or not. If so, then use it to deploy the app to the SH. If not, install it directly on the SH.

And no, on the SH you don't need to configure the inputs. The default settings should suffice to parse the logs (as long as your message tracking logs are ingested with the proper sourcetype).
