Logging SMTP Protocol Activity in Exchange 2010 and Exchange 2007
by BHARAT SUNEJA on MAY 3, 2007
I wrote about SMTP logging in Exchange Server 2003/2000 in
what is one of the most popular posts on Exchangepedia [read previous post -
"Logging SMTP protocol activity"]. Exchange Server 2007 has its own
SMTP stack, and what I like to think of as smarter or more intelligent Receive
Connectors (these are protocol listeners, roughly equivalent or comparable to
the SMTP Virtual Server we’ve known from Exchange Server 2003/2000 – Bharat).
Not enabled by default
I hoped to see (SMTP) protocol logging turned on by default
on these connectors, but this is one aspect that hasn’t changed. Yes, SMTP
logging is still not enabled by default! You have to remember to enable SMTP
logging on transport servers.
Enable protocol logging on a Receive Connector
To enable protocol logging on Receive Connectors, use the
following command:
Set-ReceiveConnector "Connector Name" -ProtocolLoggingLevel verbose
If you’re wondering whether there are any choices for the
logging level – there aren’t. It’s either verbose or none.
To enable protocol logging from the Exchange console (EMC):
Expand the Server Configuration | Hub Transport node
Select the Hub Transport server you want to configure, and then select the Receive Connector -> Properties
On the General tab, change the Protocol logging level to Verbose, as shown in the screenshot below.
Figure 1: Enabling SMTP logging on a Receive Connector
Enable protocol logging on a Send Connector
Unlike Exchange Server 2003/2000, you have to enable logging
separately for Send Connectors (used to send mail outside the Exchange
organization, Send Connectors are the equivalent of SMTP Connectors in Exchange
2003/2000), using the following command:
Set-SendConnector "Send Connector Name" -ProtocolLoggingLevel verbose
To enable protocol logging on a Send Connector using the EMC:
Expand the Organization Configuration | Hub Transport node
On the Send Connectors tab, select the Send Connector -> Properties
On the General tab, change the Protocol logging level to Verbose, as shown in the following screenshot.
Figure 2: Enabling SMTP logging on a Send Connector
Besides the visible Receive and Send connectors, an
invisible Send Connector lurks under the hood – used to transport messages
within the organization, between Hub Transport servers, Edge Transport servers,
and Exchange Server 2003/2000 servers. It’s the Intra-Organization Send
Connector. You won’t see it in the console, or in the shell if you use the Get-SendConnector
command. To configure protocol logging for this Intra-Organization Send
Connector:
Set-TransportServer "TRANSPORT SERVER NAME" -IntraOrgConnectorProtocolLoggingLevel verbose
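Because logging has to be switched on in three separate places (each Receive Connector, each Send Connector, and the Intra-Organization Send Connector on every transport server), an audit pass is the quickest way to find gaps. The following is an added example, not code from the original post; the function name Get-ProtocolLoggingStatus is made up for this example, and it is meant to be run in the Exchange Management Shell.

```powershell
# Added example: report where SMTP protocol logging is still off.
# Get-ProtocolLoggingStatus is a hypothetical helper name, not an Exchange cmdlet.
function Get-ProtocolLoggingStatus {
    # Receive Connectors: the logging level is set per connector.
    Get-ReceiveConnector | Select-Object @{Name = 'Type'; Expression = { 'Receive' }},
        @{Name = 'Name';  Expression = { $_.Identity.ToString() }},
        @{Name = 'Level'; Expression = { $_.ProtocolLoggingLevel.ToString() }}

    # Send Connectors: configured separately from Receive Connectors.
    Get-SendConnector | Select-Object @{Name = 'Type'; Expression = { 'Send' }},
        @{Name = 'Name';  Expression = { $_.Identity.ToString() }},
        @{Name = 'Level'; Expression = { $_.ProtocolLoggingLevel.ToString() }}

    # Intra-Organization Send Connector: not returned by Get-SendConnector,
    # so read its logging level from each transport server instead.
    Get-TransportServer | Select-Object @{Name = 'Type'; Expression = { 'IntraOrg' }},
        @{Name = 'Name';  Expression = { $_.Name }},
        @{Name = 'Level'; Expression = { $_.IntraOrgConnectorProtocolLoggingLevel.ToString() }}
}

# Show only the places where logging is not Verbose.
$gaps = @(Get-ProtocolLoggingStatus | Where-Object { $_.Level -ne 'Verbose' })
if ($gaps.Count -eq 0) {
    Write-Host 'SMTP protocol logging is Verbose on all connectors.'
} else {
    $gaps | Format-Table Type, Name, Level -AutoSize
}

# Preview the fix. -WhatIf only prints what would change;
# remove it to apply the setting.
Get-ReceiveConnector | Where-Object { $_.ProtocolLoggingLevel -ne 'Verbose' } |
    Set-ReceiveConnector -ProtocolLoggingLevel Verbose -WhatIf
Get-SendConnector | Where-Object { $_.ProtocolLoggingLevel -ne 'Verbose' } |
    Set-SendConnector -ProtocolLoggingLevel Verbose -WhatIf
Get-TransportServer | Where-Object { $_.IntraOrgConnectorProtocolLoggingLevel -ne 'Verbose' } |
    Set-TransportServer -IntraOrgConnectorProtocolLoggingLevel Verbose -WhatIf
```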
Where do protocol logs reside?
Unlike Exchange Server 2003/2000, which maintain separate
protocol logs for each SMTP Virtual Server, all Receive Connectors share SMTP
receive logs. Similarly, Send Connectors share SMTP send logs.
Receive Connector logs are located in:
Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive
Send Connector logs are located in:
Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
Exchange 2007: \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend
Change SMTP log paths
It’s generally a good idea to not locate Exchange data,
including Exchange mailbox and public folder databases, transaction logs, and
all other logs on the system drive.
To change the path of SmtpReceive logs:
Set-TransportServer "TRANSPORT SERVER NAME" -ReceiveProtocolLogPath "C:\New SmtpReceive Log File Directory"
To change the path of SmtpSend logs:
Set-TransportServer "TRANSPORT SERVER NAME" -SendProtocolLogPath "C:\New SmtpSend Log File Directory"
Permissions on the log directory
If you do decide to change the path, ensure the new
directories/folders exist with appropriate permissions:
Administrator: Full Control
System: Full Control
Network Service: Read, Write, and Delete Subfolders and Files
For more details, see “How to Configure Protocol Logging” in
the product documentation.
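The path change and the permissions above can be done in one pass. The following is an added example, not code from the original post: the D:\ExchangeLogs path is a made-up location on a non-system volume, the server name is the same placeholder used above, and mapping "Administrator" to the BUILTIN\Administrators group is an assumption.

```powershell
# Added example: create the new SmtpReceive log directory, grant the
# permissions listed above, then point the transport server at it.
$Server  = 'TRANSPORT SERVER NAME'          # placeholder, as in the commands above
$NewPath = 'D:\ExchangeLogs\SmtpReceive'    # hypothetical path on a non-system volume

if (-not (Test-Path $NewPath)) {
    New-Item -Path $NewPath -ItemType Directory | Out-Null
}

# Apply each entry to the folder, its subfolders, and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Account -> rights, following the list above.
# Assumption: "Administrator" means the local Administrators group.
$grants = @(
    @('BUILTIN\Administrators',       'FullControl'),
    @('NT AUTHORITY\SYSTEM',          'FullControl'),
    @('NT AUTHORITY\NETWORK SERVICE', 'Read, Write, DeleteSubdirectoriesAndFiles')
)

$acl = Get-Acl -Path $NewPath
foreach ($grant in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]$grant[1]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant[0], $rights, $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $NewPath -AclObject $acl

# Review the resulting entries before switching the log path.
(Get-Acl -Path $NewPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

Set-TransportServer $Server -ReceiveProtocolLogPath $NewPath
```

The same steps apply to the SmtpSend logs with -SendProtocolLogPath and a second directory.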
Controlling protocol log size
In Exchange Server 2003/2000, SMTP support was provided by IIS, so SMTP logging
options were also controlled in IIS. IIS did not provide a way to control the disk
space occupied by SMTP logs. As a result, you had to archive or clean up the
log directory manually, or automate it using a script. SMTP logging was one of
the culprits that contributed to disk volumes on Exchange 2003/2000 servers
running out of disk space.
In Exchange 2010/2007, you can control the following options:
ReceiveProtocolLogMaxAge: the maximum age of a receive log. Files older than the specified age are removed.
ReceiveProtocolLogMaxDirectorySize: the maximum size of the directory. This ensures the protocol logs for a Receive Connector do not exceed a fixed size.
ReceiveProtocolLogMaxFileSize: the maximum size of a single log file. When the active log file reaches this size, it’s rolled over and a new log file is created.
Similarly, protocol logs for Send Connectors can be
controlled using the following parameters:
SendProtocolLogMaxAge
SendProtocolLogMaxDirectorySize
SendProtocolLogMaxFileSize
The default parameters work for most deployments, and
ensure you don’t have to worry about purging the logs manually over time, or
scheduling a script to do this periodically. You may want to observe the logs
created in your environment to determine if these are sufficient, depending on
the traffic and the number of days’ worth of logs you want to keep around for
troubleshooting.
SMTP logs are an important troubleshooting tool – enabling
SMTP logging after the fact isn’t any help when troubleshooting SMTP mail flow.