Understanding Information Rights Management Logging

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

In Microsoft Exchange Server 2010 Service Pack 1 (SP1), Information Rights Management (IRM) operations performed on Exchange 2010 Mailbox, Client Access, Hub Transport, and Unified Messaging servers are logged in IRM logs. IRM logs help you monitor and troubleshoot interactions between the Rights Management Services (RMS) client on an Exchange 2010 SP1 server and the Active Directory Rights Management Services (AD RMS) cluster in your organization.

To learn about IRM, see Understanding Information Rights Management.

Contents

Structure of IRM Logs

Logging Process

Information Written to IRM Logs

Managing IRM Logs

Looking for management tasks related to IRM? See Managing Information Rights Management.

Structure of IRM Logs

By default, IRM logs are located in C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs.

The naming convention for IRM log files is <Process>_<Process identifier or IIS AppPool identifier>_IRMLOGyyyymmdd-nnnn.log, where:

  • <Process> = process that creates the log file. For example, on Hub Transport servers, this will be EdgeTransport.

  • <Process identifier or IIS AppPool identifier> = numerical ID of the process.

  • yyyymmdd = Coordinated Universal Time (UTC) date when the log file was created.

  • nnnn = instance number, which starts at 1 for each day.

An example IRM log file name is EdgeTransport_1056_IRMLOG20101201-1.log.

The following table shows the logs generated on different server roles.

Logs on server roles

Server role IRM log file name Description

Hub Transport

EdgeTransport_<Process identifier>_IRMLOGyyyymmdd-nnnn.log

This log is used to record all RMS transactions made by the transport pipeline on Hub Transport servers (for example, transport protection rules and journal report decryption). The process identifier (PID) of the edgetransport.exe process is used to generate the log file name.

Mailbox

msftefd_<Process identifier>_IRMLOGyyyymmdd-nnnn.log

This log is used to record all RMS transactions that occur during search and index requests. Exchange 2010 Mailbox servers use the msftefd.exe process for content indexing. The PID of the msftefd.exe process is used to generate the log file name.

Client Access

w3wp_MSExchangeOWAAppOol_IRMLOGyyyymmdd-nnnn.log

This log is used to record all transactions for IRM in Microsoft Office Outlook Web App.

All Exchange 2010 server roles except Edge Transport

w3wp_MSExchangePowerShellAppPool_IRMLOGyyyymmdd-nnnn.log

This log is used to record all IRM RMS transactions issued from Windows PowerShell, for example, when issuing the Test-IRMConfiguration cmdlet.

Return to top

Logging Process

Information is written to the log file until the file size reaches its maximum specified value. When the maximum size is reached, a log file that has an incremental instance number is created. This process is repeated throughout the day. Circular logging deletes the oldest log files when the IRM log directory reaches its maximum specified size or when a log file reaches the maximum age specified in the IRM logging configuration on each server.

Return to top

Information Written to IRM Logs

IRM log files are text files that contain data in comma-separated value (CSV) format. Each IRM log has a header that contains the following information:

  • #Software   Name of the software that created the IRM log file. Typically, the value is Microsoft Exchange Server.

  • #Version   Version number of the software that created the IRM log file.

  • #Log-type   Log type value, which is Rms Client Manager Log.

  • #Date   The UTC date and time when the log file was created. The UTC date and time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where:

    • yyyy = year

    • mm = month

    • dd = day

    • T = time designator used to show the start of the time component

    • hh = hour

    • mm = minute

    • ss = second

    • fff = fractions of a second

    • Z = Zulu, which is another way to denote UTC

  • #Fields   Comma-delimited field names used in IRM log files.

    The IRM log stores each RMS transaction event on a single line, organized in comma-separated fields. The following table lists the fields in IRM logs for all server roles that have IRM features enabled.

    Fields used in IRM logs

    Field Description

    Date-time

    Lists the UTC timestamp.

    Feature

    Lists the RMS client feature used. Valid values include:

    • RacClc

    • Template

    • Prelicense

    • UseLicense

    • Signature verification

    • ServerInfo

    Event-Type

    Lists the event type. Valid values include:

    • Acquire   An RMS license or template is requested.

    • Success   An RMS license or template is acquired successfully.

    • Exception   An error has occurred.

    • Queued   A request is pending.

    Tenant-Id

    Reserved for internal Microsoft use.

    Server-url

    Lists the RMS server URL accessed during the operation.

    Context

    Used by the calling process to tie multiple RMS transactions together. Valid values include:

    • MessageID: <Actual message ID>

    • MailboxGuid: <Mailbox GUID>

    • AttachmentFileName: <File name>

    Transaction-id

    Identifies a unique transaction. All events that occur during one transaction have the same transaction ID.

Return to top

Managing IRM Logs

On each server role that has IRM features enabled, IRM logging is enabled by default. For each server role, you can modify the following IRM log configuration by using the server role's corresponding Set cmdlet. For example, to configure IRM logging on a Mailbox server, you use the Set-MailboxServer cmdlet.

Configuration parameters for IRM logs

Parameter Description

IrmLogEnabled

Enables logging of IRM transactions. IRM logging is enabled by default. To disable IRM logging for a server role, set the parameter to $false.

IrmLogMaxAge

Specifies the maximum age for an IRM log file. Files older than the specified age are deleted. The default value is 30.00:00:00 (30 days).

IrmLogMaxDirectorySize

Specifies the maximum size of all IRM logs in the connectivity log directory. When a directory reaches its maximum file size, the server deletes the oldest log files first. The default value is 250 MB.

IrmLogMaxFileSize

Specifies the maximum file size for a single log file. When a file reaches the specified size, a log file is created, and the instance number is incremented. The default value is 10 MB.

IrmLogPath

Specifies the IRM log location. The default path is C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs.

For detailed syntax and parameter information, see the following topics:

Return to top

 © 2010 Microsoft Corporation. All rights reserved.