Splunk for Exchange v2.1.0 on Splunk v5.0.2 main search head and indexers. Running splunk universal forwarder v5.0.2 with TA-Exchange-2010-HubTransport on windows 2008R2 with exchange hub transport role.

My problem is that I'm not seeing the Message Tracking logs on the main search head. However, I do see perfmon, sourcetype=MSWindows:2008R2:IIS, sourcetype=MSExchange:2010:Topology, sourcetype=MSExchange:2010:ThrottlingPolicy logs from this host.

How do I troubleshoot this?

[monitor://E:\Exchange Server\MessageTracking]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange

disabled=false

c:\Program Files\SplunkUniversalForwarder\bin>splunk.exe list monitor -auth admin:changeme

Monitored Files:

E:\Exchange Server\MessageTracking