Exchange 2010 SMTP Protocol Logging


The Exchange 2007/2010 SMTP log format differs greatly from that of Exchange 2003, which used IIS for SMTP. There are now only nine fields in the logs, and the last field, data, contains multiple pieces of information that used to be in their own fields.

Example 1:

logparser "select REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as RemoteSendingHost,data from RECV*.log Where data like '550%'" -i:csv -nSkipLines:4 -o:datagrid

·         This example returns all entries whose data field starts with the SMTP code 550, using the GUI datagrid for output.

Example 2:

logparser "select REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as RemoteSendingHost,data from RECV*.log Where data NOT like '250%' AND data NOT like '220%' AND Data NOT Like '221%' AND event = '>'" -i:csv -nSkipLines:4 -o:datagrid

·         This example searches the receive logs and returns every entry with event > (Send) whose data line doesn't start with 220, 221, or 250.

Results:

date-time – UTC date-time of the protocol event. In the timestamp, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

connector-id – Distinguished name (DN) of the connector associated with the SMTP event.

session-id – GUID that’s unique for each SMTP session but is the same for each event associated with that SMTP session.

sequence-number – Counter that starts at 0 and is incremented for each event in the same SMTP session.

local-endpoint – This consists of an IP address and TCP port number formatted as <IP address>:<port>.

remote-endpoint – This consists of an IP address and TCP port number formatted as <IP address>:<port>.

event – Single character that represents the protocol event. The possible values for the event are as follows:

 +   Connect

 -   Disconnect

 >   Send

 <   Receive

 *   Information

data – Text information associated with the SMTP event.

context – Additional contextual information that may be associated with the SMTP event.

From: TechNet: Understanding Protocol Logging
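The same filters can be applied without Log Parser by reading the nine fields directly. The following is an added example, not code from the original post or from Microsoft: it parses a constructed sample log, takes the column names from the #Fields: header line, and reproduces the Example 1 and Example 2 filters (without the reverse DNS lookup). The function names, sample hosts, and session ids are assumptions made for illustration.

```python
import csv
from collections import Counter

# Constructed sample in the receive-log layout: four header lines, then #Fields:.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2010-06-01T12:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-06-01T12:00:00.100Z,EX01\\Default,08CC01,0,192.0.2.10:25,198.51.100.7:40112,+,,
2010-06-01T12:00:00.110Z,EX01\\Default,08CC01,1,192.0.2.10:25,198.51.100.7:40112,>,"220 EX01 ready at Tue, 1 Jun 2010 12:00:00 +0000",
2010-06-01T12:00:00.300Z,EX01\\Default,08CC01,2,192.0.2.10:25,198.51.100.7:40112,<,RCPT TO:<nobody@example.test>,
2010-06-01T12:00:00.310Z,EX01\\Default,08CC01,3,192.0.2.10:25,198.51.100.7:40112,>,550 5.1.1 User unknown,
2010-06-01T12:00:01.000Z,EX01\\Default,08CC02,0,192.0.2.10:25,203.0.113.9:51000,<,DATA,
2010-06-01T12:00:01.010Z,EX01\\Default,08CC02,1,192.0.2.10:25,203.0.113.9:51000,>,354 Start mail input; end with <CRLF>.<CRLF>,
"""

def parse_protocol_log(text):
    """Return one dict per event, naming columns from the '#Fields:' header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif fields and line and not line.startswith("#"):
            # csv.reader keeps a quoted data field that contains commas in one piece
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows

def non_success_replies(rows, ok_codes=("220", "221", "250")):
    """Example 2 filter: event '>' (Send) entries whose data lacks an ok_codes prefix."""
    hits = []
    for r in rows:
        if r["event"] == ">" and not r["data"].startswith(ok_codes):
            # Split on the last colon so an address containing colons stays whole
            ip = r["remote-endpoint"].rsplit(":", 1)[0]
            hits.append((ip, r["session-id"], r["data"]))
    return hits

def rejects_per_host(rows):
    """Example 1 filter, aggregated: number of 550 replies per remote IP."""
    return Counter(ip for ip, _, data in non_success_replies(rows)
                   if data.startswith("550"))

if __name__ == "__main__":
    events = parse_protocol_log(SAMPLE_LOG)
    for hit in non_success_replies(events):
        print(hit)
    print(rejects_per_host(events))
```

The 354 reply to DATA is a normal intermediate response, yet it passes the Example 2 filter; add "354" to ok_codes if only failures are wanted.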

Additional info

·         EHLO: Advanced Exchange 2007 Transport Logs Troubleshooting using Log Parser – Part 1

·         Using the Logparser Utility to Analyze Exchange/IIS Logs

·         LogParsing with Exchange SMTP Protocol Log

·         SMTP Log Parsing – Includes a script that asks for basic info, calls LogParser, and then color-codes the output

·         Examples: LogParser from MS – Format/fields have changed from 2003 & 2007, so these examples may not work on 2010

·         Links and other info: Issues & Tips: MS log parser tool – Get data out of logs quickly!


1 Response to Exchange 2010 SMTP Protocol Logging

  1. gumboots says:

    Salutations from across the world. Interesting post; I shall return for more.
