SMTP mail flow logging with Exchange 2007/2010
Purpose of this document
There are many reasons why you may need to log the mail flow arriving at your Exchange connectors. You can record a good deal of detail about the SMTP conversations occurring in your organisation.
Turning the logging feature on and specifying the location for the log files is very straightforward, but if you plan to retain logs for an extended period and therefore need to keep a lot of log file data, or would like to alter the size of each log file, you will need to use the Exchange Management Shell. The process is simple. This guide focuses on the main configuration requirements.
Turning Logging ON/OFF
Logging can be turned on or off using either the Exchange Management Console (EMC) or the Exchange Management Shell (EMS).
To use the console, simply navigate to the Receive or Send Connector and then on the main page select ‘Verbose’ for Protocol Logging Level.
Using the shell, simply find the connector information using the following:
Get-ReceiveConnector | fl Id*,Pr*
Get-SendConnector | fl Id*,Pr*
Then you can use the Identity to turn logging on if required, using the following:
Set-ReceiveConnector "IDENTITY" -ProtocolLoggingLevel Verbose
Set-SendConnector "IDENTITY" -ProtocolLoggingLevel Verbose
Set Location, Directory size and file size for logging
The location of the files can be controlled using either EMC or EMS.
To use the console, if you have the Hub Role installed, navigate to Server Config -> Hub Transport -> Action pane on right hand side -> Servername -> Properties -> Log Settings -> Send connector/Receive connector log file path. (Note that when selecting Properties in the right-hand ‘Actions’ pane, it is the server properties, not the receive connector properties.)
Using the shell, simply find the connector log file location using the following:
Get-TransportServer | fl Id*,*pro*log*
Then you can use the Identity to change the parameters as required (change ReceiveProtocol to SendProtocol for send connector logging):
Set-TransportServer "IDENTITY" -ReceiveProtocolLogPath "PATH"
Set-TransportServer "IDENTITY" -ReceiveProtocolLogMaxDirectorySize "250MB"
Set-TransportServer "IDENTITY" -ReceiveProtocolLogMaxAge "DAY.HH:MM:SS"
Set-TransportServer "IDENTITY" -ReceiveProtocolLogMaxFileSize "10MB"
Setting Intra-organisation connector protocol logging (the hidden SMTP connector):
For your log files to record intra-organisation SMTP activity, you will need to enable this using the shell. You cannot configure this using EMC. Intra-org logging records activity on a hidden SMTP connector used to communicate with other Hub servers in your org, with your Edge server, or with legacy Exchange 2000/2003 systems.
Set-TransportServer "IDENTITY" -IntraOrgConnectorProtocolLoggingLevel "Verbose"
Reading the Log Files
It’s all well and good configuring logging, but how do you use this information? What can it be used for?
The great thing about the log files is that they are full accounts of the SMTP conversation for every mail item in and out of your Exchange organisation. You will be able to see any SMTP level rejections and evaluate at what stage the rejection is sent.
I would advise that once logging is enabled, you always get the log file into a more readable format, such as Excel or another program that can open delimited text files. This makes the data much easier to see when you start analysis.
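Going a step beyond opening the file in Excel, here is an added example (not part of the original article) that reads a protocol log, keeps only the 4xx/5xx replies and reports the SMTP command each one answered, which is the stage at which the rejection was sent. The function name Get-SmtpRejection and the sample log lines are constructed for illustration, and ConvertFrom-Csv requires PowerShell 2.0 or later.

```powershell
# Constructed sample in the protocol log layout; hosts and addresses are placeholders.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-06-01T09:15:02.100Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,0,192.0.2.10:25,198.51.100.7:41234,+,,
2010-06-01T09:15:02.110Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,1,192.0.2.10:25,198.51.100.7:41234,>,"220 hub01.example.com Microsoft ESMTP MAIL Service ready at Tue, 1 Jun 2010 09:15:02 +0000",
2010-06-01T09:15:02.200Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,2,192.0.2.10:25,198.51.100.7:41234,<,EHLO mail.example.net,
2010-06-01T09:15:02.210Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,3,192.0.2.10:25,198.51.100.7:41234,>,250-hub01.example.com Hello [198.51.100.7],
2010-06-01T09:15:02.300Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,4,192.0.2.10:25,198.51.100.7:41234,<,MAIL FROM:<sender@example.net>,
2010-06-01T09:15:02.310Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,5,192.0.2.10:25,198.51.100.7:41234,>,250 2.1.0 Sender OK,
2010-06-01T09:15:02.400Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,6,192.0.2.10:25,198.51.100.7:41234,<,RCPT TO:<user@example.org>,
2010-06-01T09:15:02.410Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,7,192.0.2.10:25,198.51.100.7:41234,>,550 5.7.1 Unable to relay,
2010-06-01T09:15:02.500Z,HUB01\Default HUB01,08CCF1A2B3C4D5E6,8,192.0.2.10:25,198.51.100.7:41234,-,,Remote
'@ -split '\r?\n'

function Get-SmtpRejection {
    param([string[]]$Line)
    # The "#Fields:" line names the columns; every other "#" line is metadata.
    $fields = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fields) { throw 'No #Fields: line found; not a protocol log.' }
    $header = ($fields -replace '^#Fields:\s*', '').Split(',')
    $stage = @{}    # session-id -> last SMTP command seen in that session
    $Line | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $header |
        Where-Object { $_.event -eq '<' -or $_.event -eq '>' } |   # skip connect/disconnect/info rows
        ForEach-Object {
            $id = $_.'session-id'
            if ($_.data -match '^[45]\d\d(\s|-|$)') {
                # 4xx = temporary failure, 5xx = permanent rejection
                $at = 'CONNECT'   # no command yet: rejected at the banner
                if ($stage.ContainsKey($id)) { $at = $stage[$id] }
                $_ | Select-Object 'date-time', 'connector-id', 'remote-endpoint',
                    @{ Name = 'stage'; Expression = { $at } },
                    @{ Name = 'response'; Expression = { $_.data } }
            } elseif ($_.data -match '^(MAIL FROM|RCPT TO|[A-Za-z]+)') {
                $stage[$id] = $matches[1].ToUpper()   # remember the command verb
            }
        }
}

Get-SmtpRejection -Line $sampleLog | Format-List
```

To analyse a real log, pass one file at a time with Get-Content (each file carries its own #Fields line) and pipe the result to Export-Csv -NoTypeInformation to open it in Excel.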
http://technet.microsoft.com/en-us/library/bb124531.aspx – Configuring Protocol Logging