Understanding Information Rights Management Logging
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-12-01
In Microsoft Exchange Server 2010 Service Pack 1 (SP1), Information Rights Management (IRM) operations performed on Exchange 2010 Mailbox, Client Access, Hub Transport, and Unified Messaging servers are logged in IRM logs. IRM logs help you monitor and troubleshoot interactions between the Rights Management Services (RMS) client on an Exchange 2010 SP1 server and the Active Directory Rights Management Services (AD RMS) cluster in your organization.
To learn about IRM, see Understanding Information Rights Management.
Looking for management tasks related to IRM? See Managing Information Rights Management.
By default, IRM logs are located in C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs.
The naming convention for IRM log files is <Process>_<Process identifier or IIS AppPool identifier>_IRMLOGyyyymmdd-nnnn.log, where:
<Process> = process that creates the log file. For example, on Hub Transport servers, this will be EdgeTransport.
<Process identifier or IIS AppPool identifier> = numerical ID of the process.
- yyyymmdd = Coordinated Universal Time (UTC) date when the log file was created.
- nnnn = instance number, which starts at 1 for each day.
An example IRM log file name is EdgeTransport_1056_IRMLOG20101201-1.log.
The following table shows the logs generated on different server roles.
Logs on server roles
|Server role||IRM log file name||Description|
This log is used to record all RMS transactions made by the transport pipeline on Hub Transport servers (for example, transport protection rules and journal report decryption). The process identifier (PID) of the edgetransport.exe process is used to generate the log file name.
This log is used to record all RMS transactions that occur during search and index requests. Exchange 2010 Mailbox servers use the msftefd.exe process for content indexing. The PID of the msftefd.exe process is used to generate the log file name.
This log is used to record all transactions for IRM in Microsoft Office Outlook Web App.
All Exchange 2010 server roles except Edge Transport
This log is used to record all IRM RMS transactions issued from Windows PowerShell, for example, when issuing the Test-IRMConfiguration cmdlet.
Information is written to the log file until the file size reaches its maximum specified value. When the maximum size is reached, a log file that has an incremental instance number is created. This process is repeated throughout the day. Circular logging deletes the oldest log files when the IRM log directory reaches its maximum specified size or when a log file reaches the maximum age specified in the IRM logging configuration on each server.
IRM log files are text files that contain data in comma-separated value (CSV) format. Each IRM log has a header that contains the following information:
- #Software Name of the software that created the IRM log file. Typically, the value is
Microsoft Exchange Server.
- #Version Version number of the software that created the IRM log file.
- #Log-type Log type value, which is
Rms Client Manager Log.
- #Date The UTC date and time when the log file was created. The UTC date and time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where:
yyyy = year
- mm = month
- dd = day
T = time designator used to show the start of the time component
- hh = hour
- mm = minute
- ss = second
- fff = fractions of a second
Z = Zulu, which is another way to denote UTC
- yyyy = year
- #Fields Comma-delimited field names used in IRM log files.
The IRM log stores each RMS transaction event on a single line, organized in comma-separated fields. The following table lists the fields in IRM logs for all server roles that have IRM features enabled.
Fields used in IRM logs
Lists the UTC timestamp.
Lists the RMS client feature used. Valid values include:
Lists the event type. Valid values include:
AcquireAn RMS license or template is requested.
SuccessAn RMS license or template is acquired successfully.
ExceptionAn error has occurred.
QueuedA request is pending.
Reserved for internal Microsoft use.
Lists the RMS server URL accessed during the operation.
Used by the calling process to tie multiple RMS transactions together. Valid values include:
MessageID: <Actual message ID>
MailboxGuid: <Mailbox GUID>
AttachmentFileName: <File name>
Identifies a unique transaction. All events that occur during one transaction have the same transaction ID.
On each server role that has IRM features enabled, IRM logging is enabled by default. For each server role, you can modify the following IRM log configuration by using the server role's corresponding Set cmdlet. For example, to configure IRM logging on a Mailbox server, you use the Set-MailboxServer cmdlet.
Configuration parameters for IRM logs
Enables logging of IRM transactions. IRM logging is enabled by default. To disable IRM logging for a server role, set the parameter to
Specifies the maximum age for an IRM log file. Files older than the specified age are deleted. The default value is
Specifies the maximum size of all IRM logs in the connectivity log directory. When a directory reaches its maximum file size, the server deletes the oldest log files first. The default value is
Specifies the maximum file size for a single log file. When a file reaches the specified size, a log file is created, and the instance number is incremented. The default value is
Specifies the IRM log location. The default path is C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs.
For detailed syntax and parameter information, see the following topics: