LOGbinder for Exchange & Splunk

I have LOGbinder for Exchange installed on my on-prem Exchange server and configured to direct the audit XML files to my personal mailbox (for now). I am seeing the logs come through en masse on a regular basis and they get shuffled off to my "Deleted" folder quite quickly. So I gather that LOGbinder is doing as expected.

What I'm looking to do now is integrate what LOGbinder for Exchange is doing with my Splunk install on a separate server in our domain. I have Supercharger and Splunk installed on a single server separate from our Exchange install and need some direction on getting the logs & events pushed up into Splunk. I've tried finding documentation and following the tutorial video here, but I can't seem to connect the two.

Below are screenshots of my LOGbinder for Exchange setup.

Default Mailbox Audit Policy

LOGbinder EX Event Log Setup

Syslog Generic (File) Setup


Tamas Lengyel

jkwinn26 - 8/8/2017

From the emails appearing and being moved to the Deleted folder, it does seem like LOGbinder is doing its job. Since you have the LOGbinder EX event log enabled as an output, you can check there to see if the Exchange audit events do appear.

For the Splunk integration, please follow the instructions in the Splunk App for LOGbinder Integration Guide.

Thx @tamas. I checked and there are indeed events in the Event Viewer under "LOGbinder EX".


I've tried changing the output for the "Syslog Generic (File)" to a shared UNC path on the Supercharger server and it seems I am now able to see that data coming into Splunk (after following the Splunk setup steps in the guide you referenced). 


However, I'm still not seeing any events populated in the LOGbinder for Splunk --> Exchange dashboard. Perhaps it's just that the types of events this should show aren't occurring on our system?

jkwinn26 - 8/8/2017

Exchange events are identified by these two fields: sourcetype=logbinder:syslog and product="LOGbinder EX". Are those two fields present when you search for index=logbinder?
The product name is extracted from the start of the event.
Please check the contents of the log file; it should have a format similar to this example, from which the product field is extracted using a regex.



Yes, I can see events like that in Splunk. However, when I go to the Exchange view in the LOGbinder Splunk app, all the panels just say "No results found."



jkwinn26 - 8/9/2017

The raw event is looking good, it has all the needed elements. As you suggested, it might be simply that there were no events generated which would show up on the dashboards.

Just to be sure, please run this search:

index=logbinder sourcetype="logbinder:syslog" product="LOGbinder EX"

on this dashboard:

http://%SPLUNK_URL%/en-US/app/logbinder/search

Replace %SPLUNK_URL% with the URL of your Splunk instance.

If that search returns any results, then everything is working correctly; it is just the case that there are no events with the event IDs the app is looking for, for example event IDs between 25100 and 25599.
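A small offline triage helper for the check described in this reply (an added example, not code from the thread or from LOGbinder): it splits "LOGbinder EX" events into those inside the 25100 to 25599 window the Exchange dashboards query and those outside it, which is what makes a non-empty search coexist with empty panels. The "<product> <event id> <message>" line layout and the sample lines are constructed assumptions; only the fact that the product name leads the event comes from the thread.

```python
import re
from collections import Counter

# Constructed sample events in an assumed "<product> <event id> <message>" layout.
# The thread only says the product name leads the event; the exact LOGbinder
# syslog layout is not shown on this page, so this layout is an assumption.
SAMPLE_EVENTS = [
    "LOGbinder EX 25101 Mailbox audit: admin accessed the mailbox of jdoe",
    "LOGbinder EX 25350 Mailbox audit: message moved to Deleted Items",
    "LOGbinder EX 26001 Service status: output connector started",
    "LOGbinder SP 25200 SharePoint audit: document viewed",
    "LOGbinder EX 25599 Mailbox audit: folder opened by a delegate",
    "LOGbinder EX 25600 Mailbox audit: first event past the dashboard window",
    "Aug  8 10:00:00 mailserver unrelated line without a product prefix",
]

# Product name at the start of the event, followed by the numeric event ID.
EVENT_RE = re.compile(r"^(?P<product>LOGbinder [A-Z]+)\s+(?P<eventid>\d+)\b")
# Event ID window the app's Exchange dashboards query, as stated in the thread.
EXCHANGE_DASHBOARD_IDS = range(25100, 25600)

def parse_event(raw):
    """Return {'product', 'eventid'} for a LOGbinder event, or None if no product leads it."""
    m = EVENT_RE.match(raw)
    if not m:
        return None
    return {"product": m.group("product"), "eventid": int(m.group("eventid"))}

def triage(events, product="LOGbinder EX", id_range=EXCHANGE_DASHBOARD_IDS):
    """Count events for one product and split them by the dashboard's event ID window."""
    report = {"total": len(events), "unparsed": 0, "product_match": 0,
              "in_dashboard_range": 0, "out_of_range_ids": Counter()}
    for raw in events:
        ev = parse_event(raw)
        if ev is None:
            report["unparsed"] += 1          # not searchable by product= either
        elif ev["product"] == product:
            report["product_match"] += 1
            if ev["eventid"] in id_range:
                report["in_dashboard_range"] += 1
            else:
                report["out_of_range_ids"][ev["eventid"]] += 1
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS)
    print(f"{r['product_match']} LOGbinder EX events reached the index, {r['in_dashboard_range']} "
          f"inside the dashboard window, outside it: {dict(r['out_of_range_ids'])}")
```

Point the same logic at the real Syslog Generic (File) output to see whether the events Splunk indexes are simply outside the window the panels filter on.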
