Managing Protocol Logging

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Protocol logging records the Simple Mail Transfer Protocol (SMTP) conversations that occur between e-mail servers as part of message delivery. These SMTP conversations occur on Send connectors and Receive connectors that are configured on Microsoft Exchange Server 2007 servers that have the Hub Transport server role or the Edge Transport server role installed. You can use protocol logging to diagnose mail flow problems.

By default, protocol logging is disabled on all Send connectors and Receive connectors. Protocol logging is enabled or disabled on a per connector basis. Other protocol logging options are set on a per connector type basis for the whole server. All the Receive connectors on a Hub Transport server or an Edge Transport server share the same protocol log files and protocol log options. These protocol log files and protocol log options are completely separate from the Send connector protocol log files and protocol log options on the same server.

The following options are available for the protocol logs of all Send connectors or all Receive connectors on an Edge Transport server or a Hub Transport server:

  • Specify the location of the Send connector or the Receive connector protocol log files.

  • Specify a maximum size for the Send connector or the Receive connector protocol log files. The default size is 10 MB.

  • Specify a maximum size for the directory that contains the Send connector or Receive connector protocol log files. The default size is 250 MB.

  • Specify a maximum age for the Send connector or Receive connector protocol log files. The default age is 30 days.

By default, the Exchange 2007 server uses circular logging to limit the protocol logs based on file size and file age to help control the hard disk space that is used by the log files.

You can use the following methods to enable or disable protocol logging:

  • The Set-SendConnector cmdlet or the Set-ReceiveConnector cmdlet in the Exchange Management Shell

  • The Send connector properties or the Receive connector properties in the Exchange Management Console

You use the Set-TransportServer cmdlet in the Exchange Management Shell to perform all other protocol logging configuration tasks.

Note

In Microsoft Exchange Server 2007 Service Pack 1 (SP1), you can also use the Exchange Management Console to specify the location of the Send connector protocol log files and the Receive connector protocol log files.

A special Send connector named the intra-organization Send connector exists on every Hub Transport server. This connector is implicitly created, invisible, and requires no management. The intra-organization Send connector is used to relay messages to the following destinations:

  • To other Hub Transport servers in the Exchange organization

  • To Exchange Server 2003 servers in the Exchange organization

  • To Edge Transport servers in the Exchange organization

By default, protocol logging for the intra-organization Send connector is disabled. You can enable or disable protocol logging for the intra-organization Send connector by using the IntraOrgConnectorProtocolLoggingLevel parameter on the Set-TransportServer cmdlet. If you enable protocol logging for the intra-organization Send connector, logging occurs in the Send connector protocol logs that are configured on the Hub Transport server.

Structure of the Protocol Log Files

By default, the protocol log files exist in the following locations:

  • Receive connector protocol log files:   C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive

  • Send connector protocol log files:   C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend

The naming convention for log files in each protocol log directory is prefixyyyymmdd-nnnn.log. The placeholders represent the following information:

  • The placeholder prefix is SEND for Send connectors or RECV for Receive connectors.

  • The placeholder yyyymmdd is the coordinated universal time (UTC) date on which the log file was created. yyyy = year, mm = month, and dd = day.

  • The placeholder nnnn is an instance number that starts at the value of 1 for each day.

Information is written to the log file until the file size reaches its maximum specified value. Then a new log file that has an incremented instance number is opened. This process is repeated throughout the day. Circular logging deletes the oldest log files when the protocol log directory reaches its maximum specified size, or when a log file reaches its maximum specified age.
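When protocol logs are collected as evidence, the naming convention above lets you check whether a day's files are complete. The following is an added example, not code from Exchange or from this article: it parses file names and reports missing instance numbers for each connector type and UTC date. The function names and the directory listing are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# prefix = SEND or RECV, yyyymmdd = UTC creation date, nnnn = per-day instance number
NAME_RE = re.compile(r"(SEND|RECV)(\d{4})(\d{2})(\d{2})-(\d+)\.log", re.IGNORECASE)

def parse_name(filename):
    """Return (prefix, utc_date, instance), or None if the name does not match."""
    m = NAME_RE.fullmatch(filename)
    if not m:
        return None
    prefix, y, mo, d, n = m.groups()
    try:
        return prefix.upper(), date(int(y), int(mo), int(d)), int(n)
    except ValueError:              # digits that do not form a real date, e.g. month 13
        return None

def find_gaps(filenames):
    """Map (prefix, date) -> sorted instance numbers missing between 1 and the highest seen."""
    seen = defaultdict(set)
    for name in filenames:
        parsed = parse_name(name)
        if parsed:
            prefix, day, instance = parsed
            seen[(prefix, day)].add(instance)
    gaps = {}
    for key, instances in seen.items():
        missing = sorted(set(range(1, max(instances) + 1)) - instances)
        if missing:
            gaps[key] = missing
    return gaps

# Constructed directory listing (not from a real server).
SAMPLE_LISTING = [
    "RECV20090310-1.log", "RECV20090310-2.log", "RECV20090310-4.log",
    "RECV20090311-1.log", "SEND20090310-1.log", "notes.txt",
]

if __name__ == "__main__":
    for (prefix, day), missing in sorted(find_gaps(SAMPLE_LISTING).items()):
        print(prefix, day.isoformat(), "missing instances:", missing)
```

A gap on the oldest retained day is expected when circular logging has deleted files; a gap on a more recent day means part of that day's SMTP conversations is not in the collected set.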

The protocol log files are text files that contain data in the comma-separated values (CSV) format. Each protocol log file has a header that contains the following information:

  • #Software:   The name of the software that created the protocol log file. Typically, the value is Microsoft Exchange Server.

  • #Version:   The version number of the software that created the protocol log file. Currently, the value is 8.0.0.0.

  • #Log-Type:   The value of this field is either SMTP Receive Protocol Log or SMTP Send Protocol Log.

  • #Date:   The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • #Fields:   The comma-delimited field names that are used in the protocol log files.

Information That Is Written to the Protocol Log

The protocol log stores each SMTP protocol event on a single line in the protocol log. The information that is on each line is organized by fields, which are separated by commas. The fields that are used to classify each protocol event are explained in Table 1.

Table 1   Fields that are used to classify each protocol event

| Field name | Description |
| --- | --- |
| date-time | The UTC date-time of the protocol event, which is represented in the ISO 8601 format. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. |
| connector-id | The distinguished name (DN) of the connector that is associated with the SMTP event. |
| session-id | A GUID that is unique for each SMTP session but is the same for each event that is associated with that SMTP session. |
| sequence-number | A counter that starts at 0 and is incremented for each event in the same SMTP session. |
| local-endpoint | The local endpoint of an SMTP session. This consists of an IP address and TCP port number that is formatted as <IP address>:<port>. |
| remote-endpoint | The remote endpoint of an SMTP session. This consists of an IP address and TCP port number that is formatted as <IP address>:<port>. |
| event | A single character that represents the protocol event. The possible values for event are as follows: + (Connect), - (Disconnect), > (Send), < (Receive), * (Information). |
| data | Text information that is associated with the SMTP event. |
| context | Additional contextual information that may be associated with the SMTP event. |

A single SMTP conversation that represents the sending or receiving of a single e-mail message generates multiple SMTP events. These SMTP events cause multiple lines to be written to the protocol log. Multiple SMTP conversations that represent the sending or receiving of multiple e-mail messages can occur at the same time. This creates protocol log entries from different SMTP conversations that are interspersed. However, it is easy to use the session-id and sequence-number fields to sort the protocol log entries by SMTP conversation.
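The following added example (not part of the original article or of Exchange) reads the header and the CSV events of a protocol log, then uses session-id and sequence-number to separate interleaved conversations as described above. The function names, host names, addresses and GUIDs are constructed for illustration.

```python
import csv
from collections import defaultdict

EVENT_NAMES = {"+": "Connect", "-": "Disconnect", ">": "Send", "<": "Receive", "*": "Information"}

def parse_protocol_log(text):
    """Return (header, events) for the text of one protocol log file."""
    header, data_lines = {}, []
    for line in text.splitlines():
        if line.startswith("#"):                      # header line: "#Name: value"
            name, _, value = line.partition(":")
            header[name] = value.strip()
        elif line.strip():
            data_lines.append(line)
    fields = [f.strip() for f in header.get("#Fields", "").split(",")]
    events = [dict(zip(fields, row)) for row in csv.reader(data_lines)
              if len(row) == len(fields)]    # quoted commas survive; malformed rows skipped
    for event in events:
        event["sequence-number"] = int(event["sequence-number"])
    return header, events

def group_sessions(events):
    """Map session-id -> that session's events ordered by sequence-number."""
    sessions = defaultdict(list)
    for event in events:
        sessions[event["session-id"]].append(event)
    return {s: sorted(v, key=lambda e: e["sequence-number"]) for s, v in sessions.items()}

def transcript(session_events):
    """(event name, data) pairs for one SMTP conversation."""
    return [(EVENT_NAMES.get(e["event"], "?"), e["data"]) for e in session_events]

CONN = r"EX01\Default EX01"   # all sample values here are constructed, not from a real server
A, B = "0f8fad5b-d9cb-469f-a165-70867728950e", "7c9e6679-7425-40de-944b-e07fc1f90ae7"
SAMPLE_LOG = f"""#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-Type: SMTP Receive Protocol Log
#Date: 2009-03-10T08:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2009-03-10T08:00:01.000Z,{CONN},{A},0,192.0.2.10:25,198.51.100.7:40112,+,,
2009-03-10T08:00:01.100Z,{CONN},{B},0,192.0.2.10:25,203.0.113.9:51200,+,,
2009-03-10T08:00:01.200Z,{CONN},{A},1,192.0.2.10:25,198.51.100.7:40112,>,"220 ex01.example.test ready at Tue, 10 Mar 2009 08:00:01 +0000",
2009-03-10T08:00:01.300Z,{CONN},{B},1,192.0.2.10:25,203.0.113.9:51200,>,"220 ex01.example.test ready at Tue, 10 Mar 2009 08:00:01 +0000",
2009-03-10T08:00:01.400Z,{CONN},{A},2,192.0.2.10:25,198.51.100.7:40112,<,EHLO client.example.test,
"""

if __name__ == "__main__":
    for sid, evs in group_sessions(parse_protocol_log(SAMPLE_LOG)[1]).items():
        print(sid, transcript(evs))
```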

For More Information

For more information about how to configure protocol logging in Exchange 2007, see How to Configure Protocol Logging.