Protocol Logging, Event Logging, and Message Tracking
Topic Last Modified: 2005-05-23
The SMTP transport subsystem of Exchange Server 2003 implements the following event sinks to keep a history of all activities in the SMTP service:
- Exchange SMTP Protocol Logging Sink: This event sink is implemented in Protolog.dll and registered for the protocol OnServerResponse and OnInboundCommand events to keep track of all inbound SMTP commands and server responses. The protocol logging sink is called for the following SMTP commands: RCPT, QUIT, EHLO, X-EXPS, STARTTLS, TLS, X-LINK2STATE, HELO, XEXCH50, MAIL.
- SMTP Eventlog Sink: This event sink is implemented in Tranmsg.dll and registered for StoreDriver and OnEventLog system events.
- MsgTrackLog Sink: This event sink is implemented in Msgtrack.dll and registered for the OnMsgTrackLog system event.
When you keep a history of all SMTP protocol activities, you can prove whether a particular message left your server, verify whether the SMTP virtual server is performing its work as expected or is experiencing communication problems, and identify attacks from the Internet.
The following protocol logging can be configured for an SMTP virtual server in Exchange System Manager, on the General tab, in the virtual server's properties:
- No Logging: The event sink does not track SMTP protocol activities.
- Microsoft IIS Log File Format: The event sink keeps track of SMTP protocol activities in a comma-separated plain-text file. This format includes the remote host's IP address, the host name if specified, the date and time of the request, the status code, the number of bytes received, the elapsed time of the request, the number of bytes sent, and the action taken. The items are separated by commas and the list cannot be customized. You can configure the path to the log files in Exchange System Manager. The default path to the log file directory is Windows\System32\LogFiles.
Note: For the most detailed logging in text files, select Microsoft IIS Log File Format.
- NCSA Common Log File Format: The event sink keeps track of SMTP protocol activities in a plain-text file. This is a fixed, non-customizable ASCII format that includes basic information, such as the remote host name, user name, date, time, command type, status code, and the number of bytes received. The items are separated by spaces.
- ODBC Logging: The event sink keeps track of SMTP protocol activities in an open database connectivity (ODBC)-compliant database, such as Microsoft Access or Microsoft SQL Server. For troubleshooting purposes, you might find it sufficient to log protocol activities in an ASCII text file instead of an ODBC-compliant database.
Note: IIS includes an SQL template file, which can be run in an SQL database to create a table that accepts log entries from IIS.
- W3C Extended Log File Format: The event sink keeps track of SMTP protocol activities in a customizable plain-text file. When you choose this format, you can exclude fields that carry no meaningful information for SMTP protocol activities, such as the user name in anonymous SMTP communications. Omitting unwanted fields helps to limit log size. Fields are separated by spaces.
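The following added example (not part of the original topic and not Exchange or IIS code) shows one way to use a W3C Extended protocol log to spot a client whose RCPT commands are repeatedly rejected, which is one kind of Internet-borne abuse that protocol logging can reveal. The log lines are constructed, and the selected fields (c-ip, cs-method, cs-uri-query, sc-status), the threshold, and the function names are assumptions; the parser reads each #Fields directive, so it follows whatever field selection is configured.

```python
from collections import Counter

# Constructed sample: W3C Extended entries for an SMTP virtual server.
# The selected fields are an assumption; the #Fields directive states the
# real selection, and it can change mid-file after a reconfiguration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2005-05-23 10:00:01 192.0.2.10 EHLO +mail.example.net 250
2005-05-23 10:00:02 192.0.2.10 MAIL +FROM:<a@example.net> 250
2005-05-23 10:00:03 192.0.2.10 RCPT +TO:<user1@example.com> 250
2005-05-23 10:00:09 198.51.100.7 HELO +x 250
2005-05-23 10:00:10 198.51.100.7 RCPT +TO:<aaron@example.com> 550
2005-05-23 10:00:10 198.51.100.7 RCPT +TO:<abby@example.com> 550
2005-05-23 10:00:11 198.51.100.7 RCPT +TO:<adam@example.com> 550
#Fields: time c-ip cs-method sc-status
10:05:00 198.51.100.7 RCPT 550
10:05:01 192.0.2.10 QUIT 221
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the current #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # blank line, other directive, or entry before any header
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed entries
            yield dict(zip(fields, values))

def rejected_rcpt_by_client(text, threshold=3):
    """Return {client IP: count} for clients with >= threshold rejected RCPTs."""
    counts = Counter()
    for entry in parse_w3c(text):
        status = entry.get("sc-status", "")
        if entry.get("cs-method", "").upper() == "RCPT" and status.startswith("5"):
            counts[entry.get("c-ip", "-")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(rejected_rcpt_by_client(SAMPLE_LOG))
```

If c-ip, cs-method, or sc-status is excluded from the log's field selection, this check has nothing to count, so keep those fields when trimming the W3C format.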
Exchange Server 2003 uses the SMTP Eventlog Sink to record events for internal SMTP service components in the application event log. An event in this sense is any significant occurrence in the system that might require administrator attention. Event logs can help you identify and diagnose the source of current system problems, or help you predict potential issues. By default, only minimum information is written to the event log. However, you can increase the amount of information using the diagnostics logging settings available in Exchange System Manager.
Note: To reduce the amount of information written to the application event log during typical operation, Exchange Server 2003 might only log a single event hourly for events that occur multiple times per hour.
For detailed instructions about how to enable diagnostic logging, see How to Enable Diagnostics Logging for the SMTP Service in Exchange System Manager.
Logging levels control the amount of data logged in the application event log. The more events that are logged, the more transport-related events you can view in the application event log, and the better your chance of determining the cause of a message flow issue. To acquire the most detailed information about the SMTP service, you can set the diagnostics logging level for the internal SMTP service components to Field Engineering, which enables the logging of trace-level events. Field Engineering is not exposed in Exchange System Manager and can only be set using Registry Editor.
For detailed instructions about how to set the diagnostics logging level for MSExchangeTransport categories to Field Engineering, see How to Set the Diagnostics Logging Level for MSExchangeTransport Categories to Field Engineering.
For more information about Field Engineering logging, see Microsoft Knowledge Base article 262308, "XCON: How to Generate Application Log Events for Non-Delivery Report Failures."
Message tracking is a feature that you can use to track messages across an Exchange organization. You can track all types of messages, including system messages and regular e-mail messages that are going to or coming from a non-Exchange messaging system. An example of system messages is public folder replication messages, which the Exchange stores on multiple servers send to each other to keep public folder instances on separate servers synchronized. You can use Message Tracking Center to locate messages that failed to arrive in your users' mailboxes, such as messages that are stuck in a connector's message queue.
By default, message tracking is not enabled. You must enable this feature on each server for which you want to track messages. When enabled, Exchange Server 2003 uses MsgTrackLog Sink in the SMTP service to add tracking information about messages routed through the server to the message tracking logs. To enable message tracking for multiple servers, you can use a server policy.
For detailed instructions about how to enable message tracking, see How to Enable Message Tracking in Exchange System Manager. You can also configure how Exchange Server 2003 maintains message tracking log files. For example, you can prevent the removal of log files or modify the length of time the log files are kept. The default period that tracking logs are kept is seven days. For more information about how to use message tracking, see Microsoft Knowledge Base article 262162, "XADM: Using the Message Tracking Center to Track a Message."
Note: Message tracking logs can grow quickly on bridgehead servers that process many inbound and outbound messages. Make sure that you have adequate disk space for tracking log files.