Performing Tracking and Logging Activities in the Organization


This section examines message tracking, protocol logging, and diagnostic logging. You use these features to monitor Exchange Server and to troubleshoot messaging problems.

Using Message Tracking

You use message tracking on Transport servers to monitor the flow of messages into the organization and within it. With message tracking enabled, Exchange Server maintains daily log files, with a running history of all messages transferred within the organization. You use the logs to determine the status of a message, such as whether a message has been sent, received, or is waiting in the queue to be delivered. Because Exchange Server handles postings to public folders in much the same way as e-mail messages, you can also use message tracking to monitor public folder usage.

Tip 

Tracking logs can really save the day when you're trying to troubleshoot delivery and routing problems. The logs are also useful in fending off problem users who blame e-mail for their woes. Users can't claim they didn't receive e-mails if you can find the messages in the logs.

Configuring Messaging Tracking

By default, all Hub Transport and Edge Transport servers perform message tracking. You can enable or disable message tracking on a per-server basis by setting the MessageTrackingLogEnabled parameter of the Set-TransportServer cmdlet to $true or $false, as appropriate. The following example disables message tracking on MailServer16:

Set-TransportServer -Identity 'MailServer16' -MessageTrackingLogEnabled $false 

Each Transport server in your organization can have different message tracking settings and these settings control:

  • Where logs are stored

  • How logging is performed

  • The maximum log size and maximum log directory size

  • How long logs are retained

By default, message tracking logs are stored in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking directory. To improve performance, you may want to move the tracking logs to a separate disk. Before you do this, however, you should create the directory you want to use and set the following required permissions:

  • Full Control For Administrator

  • Full Control For Local System

  • Read, Write, And Delete Subfolders And Files For Network Service

After you've created the directory and set the required permissions, you can change the location of the tracking logs to any local directory by setting the MessageTrackingLogPath parameter of the Set-TransportServer cmdlet to the desired local directory. The following example sets the message tracking directory as G:\Tracking on MailServer16:

Set-TransportServer -Identity 'MailServer16' -MessageTrackingLogPath 'G:\Tracking'

Note 

When you change the location of the message tracking directory, Exchange Server does not copy any existing tracking logs from the old directory to the new one. You must manually copy the old logs to the new location if you want all the logs to be in the same location.

By default, all Hub Transport and Edge Transport servers perform extended message tracking, which allows you to perform searches based on message subject lines, header information, sender, and recipient. If you don't want to collect information on potentially sensitive subject lines, you can disable subject line tracking by setting the MessageTrackingLogSubjectLoggingEnabled parameter of the Set-TransportServer cmdlet to $false, as shown in the following example:

Set-TransportServer -Identity 'MailServer16' -MessageTrackingLogSubjectLoggingEnabled $false 

Exchange Server continues to write to message tracking logs until a log grows to a specified maximum size, at which point Exchange Server creates a new log and then uses this log to track current messages. By default, the maximum log file size is 10 megabytes (MB). You can change this behavior by setting the MessageTrackingLogMaxFileSize parameter to the desired maximum file size. You must qualify the desired file size using B for bytes, KB for kilobytes, MB for megabytes, or GB for gigabytes. The following example sets the message log file size to 50 MB:

Set-TransportServer -Identity 'MailServer16' -MessageTrackingLogMaxFileSize '50MB' 

Exchange Server uses circular logging to delete the oldest message tracking logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. By default, the maximum age is 30 days, and the maximum log directory size is 250 MB. You can use the MessageTrackingLogMaxAge parameter to set the maximum allowed age in the following format:

DD.HH:MM:SS

where DD is the number of days, HH is the number of hours, MM is the number of minutes, and SS is the number of seconds. The following example sets the maximum age for logs to 90 days:

Set-TransportServer -Identity 'MailServer16' -MessageTrackingLogMaxAge '90.00:00:00' 

You can set the maximum log directory size using the MessageTrackingLogMaxDirectorySize parameter. As with the maximum log file size, the qualifiers are B, KB, MB, and GB. The following example sets the maximum log directory size to 2 GB:

Set-TransportServer -Identity 'MailServer16' -MessageTrackingLogMaxDirectorySize '2GB' 
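The relocation procedure above, combined into one script that is run on the Transport server itself. This is an added example, not code from the book. It assumes that the "Administrator" entry maps to the built-in Administrators group and that inheritance from the parent folder is switched off so that only the three required entries can reach logs containing sender, recipient, and subject data.

```powershell
# Added example. Run locally on the Transport server; the log path must be a local directory.
$server  = 'MailServer16'
$logPath = 'G:\Tracking'

# 1. Create the directory before the log path is changed.
if (-not (Test-Path -Path $logPath)) {
    New-Item -Path $logPath -ItemType Directory | Out-Null
}

# 2. Build an ACL that holds only the three required entries.
#    Assumption: 'Administrator' is granted as the BUILTIN\Administrators group.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$required = @(
    @('BUILTIN\Administrators',       'FullControl'),
    @('NT AUTHORITY\SYSTEM',          'FullControl'),
    @('NT AUTHORITY\NETWORK SERVICE', 'Read, Write, DeleteSubdirectoriesAndFiles')
)

$acl = Get-Acl -Path $logPath
# Assumption: stop inheriting from the drive root and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit entries left over if the directory already existed.
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

foreach ($entry in $required) {
    $rights = [System.Security.AccessControl.FileSystemRights]$entry[1]
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule `
                  -ArgumentList $entry[0], $rights, $inherit, $propagate, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $logPath -AclObject $acl

# 3. Apply the tracking settings discussed in this section in a single call.
Set-TransportServer -Identity $server `
    -MessageTrackingLogEnabled $true `
    -MessageTrackingLogPath $logPath `
    -MessageTrackingLogSubjectLoggingEnabled $false `
    -MessageTrackingLogMaxFileSize '50MB' `
    -MessageTrackingLogMaxDirectorySize '2GB' `
    -MessageTrackingLogMaxAge '90.00:00:00'

# 4. Read the settings and the resulting ACL back to confirm what was applied.
Get-TransportServer -Identity $server | Format-List Name, MessageTrackingLog*
(Get-Acl -Path $logPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Existing logs stay in the old directory, as the note above explains, so copy them separately if the history must remain searchable from one location.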

Searching Through the Tracking Logs

You use the Message Tracking tool to search through the message tracking logs. The tracking logs are useful in troubleshooting problems with routing and delivery. You can search the logs in several ways:

  • By message ID

  • By sender

  • By server that processed the messages

  • By event ID

  • By date

  • By subject

To begin a search, you must specify one or more of the previously listed identifiers as the search criteria. You must also identify a server in the organization that has processed the message in some way. This server can be the sender's server, the recipient's server, or a server that relayed the message.

To search through the message tracking logs, complete the following steps:

  1. In Exchange Management Console, select the Toolbox node, and then double-click Message Tracking. After the Troubleshooting Assistant checks for updates to the Message Tracking tool, click Go To Welcome Screen, and you'll see the Message Tracking Parameters page, shown in Figure 17-1.

    Figure 17-1: Use the Message Tracking tool to search for user messages, system messages, and postings to public folders.

  2. Set the search criteria using the following options:

    • Recipients: Sets the name of a recipient listed on the To, Cc, or Bcc fields of the message. Click Resolve Recipient to obtain the full e-mail address of the recipient.

    • Sender: Sets the name of the sender listed in the From field of the message. Click Resolve Sender to obtain the full e-mail address of the recipient.

    • Server: Sets the name of the Transport server that processed the message within the organization. Click Server From Sender to obtain the full server name.

    • Event ID: Specifies the ID of the event for which you want to search, such as a RECEIVE, SEND, or FAIL event.

    • Message ID: Specifies the ID of the message for which you want to search.

    • Subject: Specifies the subject of the message for which you want to search.

    • Reference: Specifies a reference within the message for which you want to search.

  3. You can search for messages from a starting date and time to an ending date and time. Click the Start Selection list to display a calendar. Locate and then click the desired start date on the calendar. Then click the End Selection list to display a calendar. Locate and then click the desired end date on the calendar.

    Note 

    To search for messages, you're required to identify only the name of a server that processed the message within the organization and the search interval. All other search parameters are optional. Keep in mind that only messages that match all of the search criteria you've specified are displayed. If you want to perform a broader search, specify a limited number of parameters. If you want to focus the search precisely, specify multiple parameters.

  4. Scroll down, and then click Next to begin the search. Messages matching the search criteria are displayed.

  5. Select a message, and then click Next to view its message tracking history.
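The same two-stage search (find matching messages, then view one message's tracking history) can be run from Exchange Management Shell with the Get-MessageTrackingLog cmdlet. This is an added example, not part of the original text; the sender address and the date range are constructed values.

```powershell
# Added example. The server and search interval are the two required criteria.
$server = 'MailServer16'
$start  = [datetime]'2007-09-25T00:00:00'
$end    = [datetime]'2007-09-26T00:00:00'
$sender = 'user@example.com'          # constructed address

# Stage 1: every FAIL event for this sender in the interval.
# All supplied criteria must match, exactly as in the Message Tracking tool.
$failed = @(Get-MessageTrackingLog -Server $server -Start $start -End $end `
                -Sender $sender -EventId 'FAIL' -ResultSize Unlimited)

$failed | Sort-Object Timestamp |
    Format-Table Timestamp, MessageId, Recipients, RecipientStatus -AutoSize

# Stage 2: the full tracking history of each distinct message that failed,
# in time order, so the last successful hop before the failure is visible.
foreach ($id in ($failed | Select-Object -ExpandProperty MessageId -Unique)) {
    "History for $id"
    Get-MessageTrackingLog -Server $server -Start $start -End $end -MessageId $id |
        Sort-Object Timestamp |
        Format-Table Timestamp, EventId, Source, ServerHostname, Recipients -AutoSize
}
```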

Reviewing Message Tracking Logs Manually

Exchange Server creates message tracking logs daily and stores them in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking directory. Each log file is named by the date on which it was created, using the format MSGTRKYYYYMMDD-N.log, such as MSGTRK20070925-1.log for the first log created on September 25, 2007.

The message tracking log stores each message event on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:

  • A statement that identifies the file as a message tracking log file

  • The version of the Exchange Server that created the file

  • The date on which the log file was created

  • A comma-delimited list of fields contained in the body of the log file

Table 17-1 summarizes message event fields and their meanings. Not all of the fields are tracked for all message events.

Table 17-1: Message Tracking Log Fields

| Log Field | Description |
|---|---|
| Date-Time | The connection date and time |
| Client-ip | The IP address of the client making the request |
| Client-hostname | The hostname of the client making the request |
| Server-hostname | The server on which the log entry was generated |
| Server-ip | The IP address of the server on which the log entry was generated |
| Source-context | The context of the event source |
| Connector-id | The identity of the connector used |
| Source | The messaging component for which the event is being logged, such as StoreDriver |
| Event-id | The type of event being logged, such as Submit |
| Internal-message-id | The internal identifier used by Exchange to track the message |
| Message-id | The message identifier |
| Recipient-address | The e-mail addresses of the message recipients |
| Recipient-status | The status of the recipient e-mail address |
| Total-bytes | The total size of the message in bytes |
| Recipient-count | The total number of recipients |
| Related-recipient-address | The e-mail addresses of any related recipients |
| Reference | The references, if any |
| Message-subject | The subject of the message |
| Sender-address | The name of the sender's e-mail address |
| Return-path | The return path on the message |
| Security-info | Any related security information on the message |

You can view the message tracking log files with any standard text editor, such as Microsoft Notepad. You can also import the message tracking log files into a spreadsheet or a database. Follow these steps to import a message-tracking log file into Microsoft Office Excel 2007:

  1. Start Microsoft Office Excel 2007. Click the Microsoft Office Button, and then click Open. Use the Open dialog box to select the message-tracking log file you want to open. Click Open.

  2. The Text Import Wizard starts automatically. The wizard should detect all the appropriate settings, so click Finish immediately.

  3. The log file should now be imported. You can view, search, and print the message-tracking log as you would any other spreadsheet.

Using Protocol Logging

Protocol logging allows you to track Simple Mail Transfer Protocol (SMTP) communications that occur between Exchange servers as part of message routing and delivery. You use protocol logging to troubleshoot problems with the Send and Receive connectors that are configured on Hub Transport and Edge Transport servers. However, you shouldn't use protocol logging to monitor Exchange activity. This is primarily because protocol logging is process- and resource-intensive, which means that an Exchange server has to perform a lot of work to log protocol activity.

Configuring Protocol Logging

By default, Hub Transport and Edge Transport servers do not perform protocol logging. As long as you know the identity of the connector with which you want to work, you can configure protocol logging for a specified connector. To retrieve a list of available Send and Receive connectors for a server, use the Get-SendConnector and Get-ReceiveConnector cmdlets, respectively. If you run either cmdlet without specifying additional parameters, a list of all available Send or Receive connectors is returned.

You enable or disable protocol logging on a per-connector basis. For Send connectors, you use the Set-SendConnector cmdlet to enable protocol logging. For Receive connectors, you use the Set-ReceiveConnector cmdlet to enable protocol logging. Both cmdlets have a ProtocolLoggingLevel parameter that can either be set to Basic to enable protocol logging or None to disable protocol logging, as shown in this example:

Set-ReceiveConnector -Identity 'Corpsvr127\Custom Receive Connector' -ProtocolLoggingLevel 'Basic'

Although you enable protocol logging on a per-connector basis, you configure the other protocol logging parameters on a per-server basis for either all Send connectors or all Receive connectors. As with message tracking logs, Exchange Server uses circular logging to delete the oldest protocol logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. If you decide to move the protocol log directories, you should create the directories you want to use and then set the following required permissions:

  • Full Control For Administrator

  • Full Control For Local System

  • Read, Write, And Delete Subfolders And Files For Network Service

Because the parameters are similar to those used for message tracking, I'll summarize the available parameters. Table 17-2 shows the Send connector parameters for configuring protocol logging. Table 17-3 shows the Receive connector parameters for configuring protocol logging.

Table 17-2: Send Connector Parameters for Protocol Logging

| Parameter | Description | Default |
|---|---|---|
| SendProtocolLogPath | Sets the local file path for protocol logging of Send connectors | C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend |
| SendProtocolLogMaxFileSize | Sets the maximum size for Send connector protocol logs | 10 MB |
| SendProtocolLogMaxDirectorySize | Sets the maximum size for the Send connector protocol directory | 250 MB |
| SendProtocolLogMaxAge | Sets the maximum age for Send connector protocol logs | 30.00:00:00 |

Table 17-3: Receive Connector Parameters for Protocol Logging

| Parameter | Description | Default |
|---|---|---|
| ReceiveProtocolLogPath | Sets the local file path for protocol logging of Receive connectors | C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive |
| ReceiveProtocolLogMaxFileSize | Sets the maximum size for Receive connector protocol logs | 10 MB |
| ReceiveProtocolLogMaxDirectorySize | Sets the maximum size for the Receive connector protocol directory | 250 MB |
| SendProtocolLogMaxAge | Sets the maximum age for Send connector protocol logs | 30.00:00:00 |

Working with Protocol Logging Properties and Fields

Exchange Server creates protocol logs daily and stores them in either the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend or C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive directory as appropriate for the type of connector being logged. Each log file is named by the date on which it was created, using the format SENDYYYYMMDD-N.log or RECVYYYYMMDD-N.log, such as SEND20070925-1.log for the first Send connector log created on September 25, 2007.

The protocol log stores each SMTP protocol event on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:

  • A statement that identifies the file as either a Send connector protocol log or a Receive connector protocol log

  • The date on which the log file was created

  • The version of the Exchange Server that created the file

  • A comma-delimited list of fields contained in the body of the log file

Table 17-4 summarizes SMTP protocol event fields and their meanings. Not all of the fields are tracked for all protocol events. You can view the protocol log files with any standard text editor, such as Notepad. You can also import the protocol log files into a spreadsheet or a database, as discussed previously.

Table 17-4: Protocol Log Fields

| Log Field | Description |
|---|---|
| Date-time | The date and time of the protocol event. |
| Connector-id | The distinguished name of the connector associated with the event. |
| Session-id | The globally unique identifier of the SMTP session. Each event for a particular session has the same identifier. |
| Sequence-number | The number of the event within an SMTP session. The first event has a sequence number of 0. |
| Local-endpoint | The local endpoint of the SMTP session, identified by the Internet Protocol (IP) address and Transmission Control Protocol (TCP) port. |
| Remote-endpoint | The remote endpoint of the SMTP session, identified by the IP address and TCP port. |
| Event | The type of protocol event: + for Connect, - for Disconnect, > for Send, < for Receive, and * for Information. |
| Data | The data associated with the SMTP event. |
| Context | The context for the SMTP event. |
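The message tracking logs described under "Reviewing Message Tracking Logs Manually" and the protocol logs described here share one layout: header lines followed by comma-separated events. The added example below (not from the book) reads the field list from the header, rebuilds each SMTP session from Session-id and Sequence-number, and reports sessions in which a 4xx or 5xx reply was exchanged. The sample log is constructed, and the "#" prefix on header lines and the "#Fields:" label are assumptions about the header format. It requires Windows PowerShell 2.0 or later.

```powershell
# Added example. Parses any header-plus-CSV Exchange transport log.
function ConvertFrom-ExchangeLog {
    param([string[]]$Line)
    # Assumption: header lines start with '#', and one of them is '#Fields: a,b,c'.
    $fieldLine = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldLine) { throw 'No #Fields header line found.' }
    $fields = $fieldLine.Substring('#Fields:'.Length).Split(',') |
                  ForEach-Object { $_.Trim() }
    # Everything that is not blank and not a header line is an event record.
    $Line | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $fields
}

function Get-SmtpSessionSummary {
    param([object[]]$Record)
    $Record | Group-Object -Property 'session-id' | ForEach-Object {
        $group = $_
        # Events of one session share a session-id; sequence-number gives their order.
        $ordered = @($group.Group | Sort-Object { [int]$_.'sequence-number' })
        # SMTP replies start with a three-digit code; 4xx and 5xx are failures.
        # '>' or '<' covers both Receive logs (server sends the reply) and Send logs.
        $errors = @($ordered | Where-Object {
            $_.event -match '^[<>]$' -and $_.data -match '^[45]\d\d[ -]' })
        New-Object PSObject -Property @{
            SessionId    = $group.Name
            Remote       = $ordered[0].'remote-endpoint'
            Events       = $ordered.Count
            ErrorReplies = $errors.Count
            FirstError   = if ($errors.Count) { $errors[0].data } else { '' }
        }
    } | Select-Object SessionId, Remote, Events, ErrorReplies, FirstError
}

# Constructed sample of a Receive connector protocol log (addresses are documentation ranges).
$sample = @'
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2007-09-25T08:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2007-09-25T08:00:01.100Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0001,0,192.0.2.10:25,198.51.100.7:4021,+,,
2007-09-25T08:00:01.110Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0001,1,192.0.2.10:25,198.51.100.7:4021,>,"220 corpsvr127.example.com ready",
2007-09-25T08:00:01.200Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0001,2,192.0.2.10:25,198.51.100.7:4021,<,EHLO mail.example.net,
2007-09-25T08:00:01.900Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0001,4,192.0.2.10:25,198.51.100.7:4021,-,,Local
2007-09-25T08:00:01.300Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0001,3,192.0.2.10:25,198.51.100.7:4021,>,250 OK,
2007-09-25T08:02:10.000Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0002,0,192.0.2.10:25,203.0.113.45:51877,+,,
2007-09-25T08:02:10.400Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0002,1,192.0.2.10:25,203.0.113.45:51877,<,AUTH LOGIN,
2007-09-25T08:02:10.900Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0002,2,192.0.2.10:25,203.0.113.45:51877,>,535 5.7.3 Authentication unsuccessful,
2007-09-25T08:02:11.300Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0002,3,192.0.2.10:25,203.0.113.45:51877,<,RCPT TO:<someone@example.org>,
2007-09-25T08:02:11.500Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0002,4,192.0.2.10:25,203.0.113.45:51877,>,"550 5.7.1 Unable to relay, not permitted",
2007-09-25T08:02:11.600Z,Corpsvr127\Custom Receive Connector,08C9CD0A4B3C0002,5,192.0.2.10:25,203.0.113.45:51877,-,,Remote
'@ -split '\r?\n'

$records = ConvertFrom-ExchangeLog -Line $sample
Get-SmtpSessionSummary -Record $records |
    Where-Object { $_.ErrorReplies -gt 0 } |
    Format-Table -AutoSize

# For a real file, pass its lines instead of the sample:
#   ConvertFrom-ExchangeLog -Line (Get-Content 'RECV20070925-1.log')
```

Because ConvertFrom-ExchangeLog takes its column names from the header, the same function reads a message tracking log, which can then be filtered on fields such as event-id or sender-address.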

Enabling Protocol Logging for HTTP

You enable protocol logging on each virtual server separately. You use HTTP virtual servers to track protocol logging for Hypertext Transfer Protocol (HTTP), Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere.

To enable protocol logging for HTTP, complete the following steps:

  1. Start Internet Information Services (IIS) Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  2. In IIS Manager, each HTTP virtual server is represented as a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, and then double-click Web Sites.

  3. Right-click the Web site that you want to manage, and then select Properties.

  4. On the Web Site tab, if necessary, select the Enable Logging check box. Use the Active Log Format selection list to choose one of the following log formats:

    • W3C Extended Log File Format: Writes the log in ASCII text following the World Wide Web Consortium (W3C) extended log file format. Fields are space-delimited, and each entry is written on a new line. This style is the default.

    • Microsoft IIS Log File Format: Writes the log in ASCII text following the IIS log file format. Fields are tab-delimited, and each entry is written on a new line.

    • NCSA Common Log File Format: Writes the log in ASCII text following the National Center for Supercomputing Applications (NCSA) common log file format. Fields are space-delimited, and each entry is written on a new line.

    • ODBC Logging: Writes each entry as a record in the Open Database Connectivity (ODBC)–compliant database you specify.

    Tip 

    W3C Extended Log File Format is the preferred logging format. Unless you're certain that another format meets your needs, you should use this format with HTTP, SMTP, and Network News Transfer Protocol (NNTP) protocol logging.

  5. Click Properties to display a dialog box similar to the one shown in Figure 17-2. You can now set the log time period. In most cases, you'll want to create daily or weekly logs, so select either Daily or Weekly.

    Figure 17-2: Use the Logging Properties dialog box to set the log time, directory, and other properties.

  6. Use the Log File Directory text box to set the main folder for log files. By default, log files are written to a subdirectory of %SystemRoot%\System32\LogFiles.

  7. Use the Log File Name field to determine the subdirectory and the name format used with the log files. The specific directory used for logging and the log file name depend on the type of virtual server you're configuring and the log time period. For example, if you're configuring the default SMTP virtual server with daily log files, the full path to the log file subdirectory is %SystemRoot%\System32\LogFiles\SmtpSvc1, and the log file is named using the format EXYYMMDD.log, such as EX070925.log.

  8. If you selected W3C Extended Log File Format, on the Advanced tab, choose the fields that should be recorded in the logs. Click OK twice.

Working with HTTP Protocol Logs

HTTP protocol log files can help you detect and trace problems with HTTP, Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere. By default, Exchange Server writes protocol log files to a subdirectory of %SystemRoot%\System32\LogFiles. You can use the logs to determine the following:

  • Whether a client was able to connect to a specified virtual server and, if not, what problem occurred

  • Whether a client was able to send or receive protocol commands and, if not, what error occurred

  • Whether a client was able to send or receive data

  • How long it took to establish a connection

  • How long it took to send or receive protocol commands

  • How long it took to send or receive data

  • Whether server errors are occurring and, if so, what types of errors are occurring

  • Whether server errors are related to Microsoft Windows or to the protocol itself

  • Whether a user is connecting to the server using the proper logon information

Most protocol log files are written as ASCII text. This means you can view them in Notepad or another text editor. You can import these protocol log files into Excel 2007 in much the same way as you import tracking logs.

Log files, written as space-delimited or tab-delimited text, begin with a header that shows the following information:

  • A statement that identifies the protocol or service used to create the file

  • The protocol, service, or software version

  • A date and timestamp

  • A space-delimited or tab-delimited list of fields contained in the body of the log file

If you recorded the log files in an ODBC database, you'll need to perform database queries to search for log entries. Contact your database administrator for assistance.

Using Connectivity Logging

Connectivity logging allows you to track the connection activity of outgoing message delivery queues. You use connectivity logging on Transport servers to troubleshoot problems with messages reaching their designated destination mailbox server, Send connector, or domain.

Configuring Connectivity Logging

By default, Hub Transport and Edge Transport servers do not perform connectivity logging. You can enable or disable connectivity logging on a per-server basis by setting the ConnectivityLogEnabled parameter of the Set-TransportServer cmdlet to $true or $false, as appropriate. The following example enables connectivity logging on MailServer16:

Set-TransportServer -Identity 'MailServer16' -ConnectivityLogEnabled $true

Each Transport server in your organization can have different connectivity logging settings:

  • Use the ConnectivityLogPath parameter to move the log directory to a new location. The default location is the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\Connectivity directory.

  • Use the ConnectivityLogMaxFileSize parameter to set the maximum log file size. The default maximum log file size is 10 MB.

  • Use the ConnectivityLogMaxDirectorySize parameter to set the maximum log directory size. The default maximum log directory size is 250 MB.

  • Use the ConnectivityLogMaxAge parameter to set the maximum log file age. The default maximum age is 30.00:00:00.

As with other logs, Exchange Server uses circular logging to delete the oldest Connectivity logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. If you decide to move the protocol log directories, you should create the directories you want to use and set the following required permissions:

  • Full Control For Administrator

  • Full Control For Local System

  • Read, Write, And Delete Subfolders And Files For Network Service

Working with Connectivity Log Properties and Fields

Exchange Server creates connectivity logs daily and stores them in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\Connectivity directory. Each log file is named by the date on which it was created, using the format CONNECTLOGYYYYMMDD-N.log, such as CONNECTLOG20070925-1.log for the first connectivity log created on September 25, 2007.

The connectivity log stores outgoing queue connection events on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:

  • A statement that identifies the file as a connectivity log

  • The date on which the log file was created

  • The version of Exchange Server that created the file

  • A comma-delimited list of fields contained in the body of the log file

Table 17-5 summarizes connectivity logging fields and their meanings. Not all of the fields are tracked for all outgoing queue connection events. You can view the connectivity log files with any standard text editor, such as Notepad. You can also import the connectivity log files into a spreadsheet or a database, as discussed previously.

Table 17-5: Connectivity Log Fields

| Log Field | Description |
|---|---|
| Date-time | The date and time of the outgoing queue connection event. |
| Session | The globally unique identifier of the SMTP session. Each event for a particular session has the same identifier. For Messaging Application Programming Interface (MAPI) sessions, this field is blank. |
| Destination | The name of the destination mailbox server, smart host, or domain. |
| Direction | The direction of the event: + for Connect, - for Disconnect, > for Send, and < for Receive. |
| Description | The data associated with the event, including the number and size of messages transmitted, Domain Name Server (DNS) mail exchanger (MX) information, connection success messages, and connection failure messages. |




Microsoft Exchange Server 2007 Administrator's Pocket Consultant
Microsoft Exchange Server 2007 Administrators Pocket Consultant Second Edition
ISBN: 0735625867
EAN: 2147483647
Year: 2007
Pages: 119
