You are here: Blog

Exchange 2013 Logs

Friday, 17 October 2014 13:30

I'm so used to Centos being so easy that it's difficult for me to wrap my head around MS thinking. Typically in Centos, front-end mail logs would be in:
/var/log/qpsmtpd

With internal/external delivery being in:
/var/log/qmail

Well from the following link from MS, I was able to piece together a little more info on how it routes the email through the system:
https://technet.microsoft.com/en-us/library/aa996349%28v=exchg.150%29.aspx

High-level logs (general connection status) are documented here:
http://technet.microsoft.com/en-us/library/aa997624%28v=exchg.150%29.aspx

Low-level logs (specific connection status) are documented here:
https://technet.microsoft.com/en-us/library/dd302434%28v=exchg.150%29.aspx

QPSMTPD

In MS EXCHANGE, the logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog

There you will find 2 directories that are hopefully self explanatory:
SmtpRecieve
SmtpSend

This will show the details of the data transfer including what email address it came from and what email address it's going to. This would be equivalent to the qpsmtpd.

CONNECTIVITY

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity

This is for sending email. It will show the SMTP responses such as "Failed connection to...." It will not show the DATA transfer details.

QMAIL

This shows delivery of internal email which skips the external QPSMTPD. Here is another spot:
%ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive

INDIVIDUAL MESSAGE TRACKING

This is going a little overboard as it tracks details of every single message.

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

This will show the following:
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data

That's a bunch of information. In my mind, this is equivalent to the qmail logs.

If you want to look through the logs, this is the place to do it! Want to make it easier? Find my article on installing GNUWIN32 so that you can grep through the logs. Sweet!

ENABLE LOGGING

Since logging is disabled by default, we have to turn it on. This is turning the logging on for the FRONT-END/QPSMTPD:

-login to EXCHANGE MANAGEMENT SHELL.
-type: Get-ReceiveConnector "FOO\Default Frontend Foo" |fl *
(This will show the details for the connector.)
-type: Set-ReceiveConnector "FOO\Default Frontend Foo" -ProtocolLoggingLevel Verbose

SEARCHING THROUGH THE MESSAGE TRACKING LOGS

http://exchangeserverpro.com/exchange-2010-message-tracking-log-search-powershell/

The above link helped me here. Searching through the message logs is the only way to see if a TRANSPORT RULE or MAIL FLOW RULE has been triggered. To see the whole message log, it's like this:

Get-MessageTrackingLog | fl *

If a message has been block by a TRANSPORT RULE or MAIL FLOW RULE, it will give an EVENTID of "FAIL" and the STATUS will say "550 5.2.1 Message deleted by the transport rules agent."

MAIL FLOW RULES (TRANSPORT RULES) AND MESSAGE TRACKING

From a SENDER
Get-MessageTrackingLog -Sender This e-mail address is being protected from spambots. You need JavaScript enabled to view it

To a RECIPIENT:
Get-MessageTrackingLog -Recipients This e-mail address is being protected from spambots. You need JavaScript enabled to view it

On a DATE
Get-MessageTrackingLog -Start "06/13/2016"

A specific EVENT (Such as FAIL):
Get-MessageTrackingLog -EventId FAIL

Shows the FAILED messages for the day (including messages that fail due to MAIL FLOW RULES (TRANSPORT RULES):
Get-MessageTrackingLog -EventId FAIL -Start "01/01/2000"

Adding them together to find an email that didn't go through (EVENT FAIL) FROM a USER, TO a USER on a certain DATE:
Get-MessageTrackingLog -EventId FAIL -Start "06/01/2016" -Sender This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Recipients This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Resultsize Unlimited

See the expanded details about the messages:
Get-MessageTrackingLog -EventId FAIL -Start "06/13/2016" -Sender This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Recipients This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Resultsize Unlimited | fl

Show me everything about the item by using the InternalMessageId:
Get-MessageTrackingLog -InternalMessageId 89279485181957 | fl

Event Parameters can be the following: BadMail, Defer Deliver, DSN, Expand, Fail, PoisonMessage, Receive, Redirect, Resolve, Send, Submit, and Transfer.

Contact Dak Networks

We are not taking on new clients at this time.

Contact: click to contact us.
Website: www.daknetworks.com

Top

daknetworks.com