Using Exchange 2013 Logs to Troubleshoot Migration Issues

15/08/16 3:22 PM

During a Quest Migration for Exchange, you may run into problems that can delay or even halt the migration.  Quickly pinpointing the issue can get your migration back on track.  One way of achieving this is to review the logs of the affected systems.  Exchange 2013 has an enhanced set of logging capabilities that can assist you with troubleshooting issues that might arise during your migration.  The three Transport services can each log information over and above the normal event messages they might register in the system’s Windows application event log. Some of these activities are common to all three services, while other logs are maintained by specific services.  Most likely, these logs won’t be used on a daily basis, but can prove useful when troubleshooting connectivity.

There are three types of logs that all of the Transport services can independently maintain:

  • Connectivity logs capture information about all connections to a server. Logging is on by default. The default path, Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity, receives entries for ordinary SMTP delivery and every other significant server-to-server connectivity event. Other components might log different data in the connectivity logs, too, although connectivity logs don’t show the details of protocol-level conversations.
  • Receive protocol and send protocol logs show the details of conversations: which party to the conversation said what and what the response was. The default setting for these logs is off. Because the logs are quite verbose, you would enable them only if you suspect problems with a specific protocol’s connectivity. It’s a good practice to note when they are enabled so they can be turned off after troubleshooting.

In addition, individual services maintain a number of logs. The following table summarizes the log types by component.

| Service | Log type | Notes |
|---|---|---|
| Front End Transport | Agent log | Logs actions and configurations taken by agents. |
| Mailbox Transport | Mailbox delivery agent | Records actions taken by the Mailbox delivery agent only. |
| Mailbox Transport | Mailbox submission agent | Records actions taken by the submission agent. |
| Transport | Active user statistics | This log records user activity, including the number of messages and bytes sent or received. You can’t disable this log type. |
| Transport | Agent | Logs agent actions for the Transport service. |
| Transport | Information Rights Management | This log shows activity related to transport decryption of information rights management (IRM) messages. |
| Transport | Message tracking | These logs are used to power Get-MessageTrackingLog and the rest of the message tracking functionality in EMS and EAC. |
| Transport | Queue | These logs record queue actions, such as freezing or resuming queues. You can’t turn queue logging off. |
| Transport | Routing table | The routing table logs are a set of XML files that outline the routing topology Exchange uses; the logs are updated periodically. They used to be viewable with the Routing Log Viewer in Exchange 2010, but that tool was dropped in Exchange 2013. |
| Transport | Server statistics | The server statistics log contains detailed information about the server’s activity, including the number and size of messages sent and received, the number of DSNs generated, and the calculated end-to-end latency for message transport. |

Logging Control

The Exchange Admin Center (EAC) has a very limited set of controls for logging behavior. Use the Transport Logs tab of the server properties dialog box to enable message tracking and connectivity logging and to change the paths for those logs and the send and receive protocol logs.

The Transport Logs section of the Organization Transport Settings dialog box allows you to control message tracking and connectivity logging.

The Exchange Management Shell (EMS) allows for more control of logging. Each service’s logging behavior can be changed with the appropriate Set- cmdlet for the target service. For example, if you want to change how the Front End Transport (FET) service logs events, you’d use Set-FrontEndTransportService with the parameters to specify the options you want. Each of the logs supports parameters that control whether logging is enabled, how big log files may grow before a new log is created, and how long logs are kept. Each of these parameters has a name that begins with the type of log (AgentLog, ConnectivityLog, IRMLog, et cetera), followed by the parameter name (MaxAge, Path, and so on). When you know this, it is fairly easy to construct commands to do what you want done. For example, you might customize the connectivity logging behavior as follows:

Get-TransportService | Set-TransportService -ConnectivityLogEnabled $true -ConnectivityLogPath c:\logs\Connectivity -IrmLogEnabled $true -IrmLogPath c:\logs\ADRMS

Logs are named with a prefix (CONNECT, RECV, and ACTVUSRSTAT are examples) plus the date; some logging subsystems also include other items. The first log created on a day is named using a convention of YYYYMMDD-1.log where YYYYMMDD represents the year, month, and day. For example, the first active user statistics log created on March 2, 2014 is named ACTVUSRSTAT1.020140302-1.log. By default, Exchange creates a new log after it captures 10 MB of data in that log file. (You can adjust this with the LogMaxSize parameter.)

Each log type has a maximum directory size, which defaults to 250 MB. A circular logging scheme keeps the logs in the directory under this size by removing the oldest logs to free up space for new logs. You can increase the amount of storage assigned to connectivity logs by setting the value like this:

Set-TransportService -Identity <Exchange Server> -ConnectivityLogMaxDirectorySize 500MB

Assuming the directory storage threshold is not exceeded, logs are normally retained for 30 days. Because only the most recent logs are typically used to debug connectivity problems, you might decide to reduce this period. For example, here’s how you would set the retention period for the connectivity logs on a server to 15 days:

Set-TransportService -Identity <Exchange Server> -ConnectivityLogMaxAge 15.00:00:00

Protocol Logging

Combing through protocol logs can be tedious. It’s easy to miss fine details, and the process of correlating log entries across multiple servers is painful unless you can automate it, which might be easier than you think. Microsoft has a tool called LogParser (available from http://www.microsoft.com/en-us/download/details.aspx?id=24659) that gives you a query engine that works against several flavors of log file. You construct queries using an SQL-like syntax, and LogParser runs them against the log sets you specify.

If you’re familiar with SQL, then LogParser will be easy to understand. If you’re not, there are many examples of various queries and reports of use for Exchange on the Internet, and a few web searches will quickly find samples that you can adapt to get the data you want.
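As an added example (not from the original post, and not LogParser itself), the Python script below automates the per-session correlation described above: it reads a receive protocol log, groups rows by session, and reports every 4xx/5xx reply together with the command that triggered it. The sample log is constructed, and the column layout is assumed to be the one declared in the file’s #Fields header.

```python
import csv
from collections import defaultdict

# Constructed sample in the SMTP receive protocol log layout (not real traffic).
SAMPLE_LOG = r"""#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-03-02T10:15:01.100Z,EX01\Default Frontend EX01,08D1000000000001,0,192.0.2.10:25,192.0.2.50:49152,+,,
2014-03-02T10:15:01.110Z,EX01\Default Frontend EX01,08D1000000000001,1,192.0.2.10:25,192.0.2.50:49152,>,"220 EX01.example.test ready",
2014-03-02T10:15:01.200Z,EX01\Default Frontend EX01,08D1000000000001,2,192.0.2.10:25,192.0.2.50:49152,<,EHLO mig01.example.test,
2014-03-02T10:15:01.210Z,EX01\Default Frontend EX01,08D1000000000001,3,192.0.2.10:25,192.0.2.50:49152,>,250 EX01.example.test Hello,
2014-03-02T10:15:01.300Z,EX01\Default Frontend EX01,08D1000000000001,4,192.0.2.10:25,192.0.2.50:49152,<,MAIL FROM:<svc@example.test>,
2014-03-02T10:15:01.310Z,EX01\Default Frontend EX01,08D1000000000001,5,192.0.2.10:25,192.0.2.50:49152,>,"530 5.7.1 Client was not authenticated",
2014-03-02T10:15:01.400Z,EX01\Default Frontend EX01,08D1000000000001,6,192.0.2.10:25,192.0.2.50:49152,-,,Local
2014-03-02T10:16:00.000Z,EX01\Default Frontend EX01,08D1000000000002,0,192.0.2.10:25,192.0.2.51:50000,+,,
2014-03-02T10:16:00.100Z,EX01\Default Frontend EX01,08D1000000000002,1,192.0.2.10:25,192.0.2.51:50000,<,EHLO app.example.test,
2014-03-02T10:16:00.200Z,EX01\Default Frontend EX01,08D1000000000002,2,192.0.2.10:25,192.0.2.51:50000,-,,Remote
"""

def parse_protocol_log(text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            row = next(csv.reader([line]))
            if len(row) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, row))

def failed_sessions(rows):
    """Per session, pair each 4xx/5xx server reply with the last command received."""
    sessions = defaultdict(list)
    for row in rows:
        sessions[row["session-id"]].append(row)
    report = []
    for sid, events in sessions.items():
        events.sort(key=lambda r: int(r["sequence-number"]))
        last_cmd = None
        for ev in events:
            code = ev["data"][:3]
            if ev["event"] == "<":           # "<" = received from the remote host
                last_cmd = ev["data"]
            elif ev["event"] == ">" and code.isdigit() and code[0] in "45":
                report.append({"session": sid, "remote": ev["remote-endpoint"],
                               "connector": ev["connector-id"],
                               "command": last_cmd, "reply": ev["data"]})
    return report

for item in failed_sessions(parse_protocol_log(SAMPLE_LOG)):
    print(item)
```

To use it on real data, pass the text of one or more RECV log files to parse_protocol_log in place of SAMPLE_LOG; rows from several servers can be concatenated before calling failed_sessions.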

That’s it for this installment of Troubleshooting Exchange 2013.  Utilizing these logs in conjunction with the logs from the Quest Migration Tool should help you to quickly pinpoint and resolve any issues you may encounter during your migration.

Posted by LeadThem Consulting | in Migration Manager for Exchange