Exchange Server diagnostics: An introduction to application and system logs

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.

Introduction

When something goes wrong, it's important to know where to look to begin the troubleshooting process. Exchange Server 2003 offers a wealth of diagnostic logging options, but the logs aren't all in one place. In this article, I explain how to find and use the diagnostic information available in your application and system logs.

The application log

Exchange Server writes the majority of its diagnostic information to the application log. You can access this log directly through the Windows Event Viewer. The application log contains information from Exchange, the Windows operating system and sometimes other applications. So finding what you're looking for can be like hunting for a needle in a haystack.

Filtering the application log

The easiest way to locate the information you need is to filter the application log:

1. Select the Filter command from the Event Viewer's View menu. Windows will display the Application properties sheet.

2. Select the appropriate option from the Event Source dropdown list and click OK. You will now see application events from the selected source.

If you try this on your own, you will notice that there are about a hundred different event source choices. Unfortunately, there isn't one filter for Exchange-related Events. Exchange is simply too complex with too many individual pieces to have one dedicated filter. Instead, there are 26 different filters directly related to Exchange Server, and many more that are related to underlying components, such as IIS.

Filters that are directly related to Exchange Server start with MSExchange. Some of the more commonly used ones are:

• MSExchangeAL: Information from the Exchange Address List Manager.
• MSExchangeIS: Information related to the Exchange information store.
• MSExchangeSA: Information regarding the Exchange System Attendant.
• MSExchangeTransport: Information pertaining to message routing and delivery.
• POP3Svc: Not really an MSExchange filter, but used by Exchange to log information related to the Post Office Protocol.

Since there are 26 different Exchange-related filters, imagine the volume of logging data that can potentially be written to the application log. To prevent Exchange from filling up the logs, the logging level is either disabled or set to minimum by default. If you ever have a problem with Exchange and you need more comprehensive logging information, you can temporarily configure Exchange to provide you with more verbose logging.

Adjusting Exchange's logging level

1. Open Exchange System Manager.

2. Navigate through the console tree to Administrative Groups -> your administrative group -> Servers -> your server.

3. Right click on your server and select Properties.

4. The properties sheet's Diagnostic Logging tab contains references to about half of the Exchange-related filters (the other filters are controlled by the system).

5. You can now adjust the logging levels for any of these filters. To do so, just select the desired filter.

   There are multiple categories associated with the filter. For example, the POP3Svc filter contains categories such as Connection, Authentication and Client Action. There is also usually a General category.

6. Select the category that meets your needs and then choose the logging level you want to use. Your choices are None, Minimum, Medium and Maximum.

You can adjust the logging levels of as many filters and categories as you like, but return the filters to a minimum logging level (or disable logging completely) when you are done to avoid filling up the application log.

The system log

Exchange rides on top of the Windows operating system. So if Windows isn't healthy, Exchange can experience problems too. That's why the Event Viewer's system log is also a valuable source of information. You won't find any filters directly related to Exchange in the system log, but it does contain valuable information about the OS.

I cannot walk you through the process of troubleshooting Windows by referencing entries in the system log here -- the process is just too complicated. What I can tell you though is that some of the system log filters are more closely related to Exchange than others. For example, the SMTPSVC filter logs information related to SMTP. Another useful filter is the W3SVC filter, which contains IIS-related logging information.

Conclusion

There are a number of mechanisms through which Exchange writes information to the event logs. If you are having Exchange problems, I recommend that you begin the troubleshooting process by searching the event logs for Exchange-related issues. You can then cross-reference the Event IDs against the Microsoft Knowledge Base to find a solution.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Reference Center: Exchange administration tools

---

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Server Administration Tips Third-party Exchange Server 2007 backup and restore tools Repairing damaged OWA virtual directories in Exchange Server 2003 Exchange Server 2007 hardware planning for continuous replication Benefits of SAN-based storage in Microsoft Exchange Server 2007 How to generate HTML reports with the Exchange Management Shell (EMS) Hosted Exchange Server adoption to infiltrate the enterprise Using ActiveSync without a front-end Exchange server Use the Exchange Management Shell Set command to block senders Why boot an Exchange server from a storage area network (SAN)? Grant or deny permissions to access a user's Exchange 2007 mailbox Microsoft Exchange Server 2003 Repairing damaged OWA virtual directories in Exchange Server 2003 Configure a mobile device to receive POP3 email from Exchange Server Customizing an Outlook Web Access 2003 email signature Why Exchange ActiveSync fails with NAT firewalls Is it time to upgrade users' Windows Mobile devices? Top 10 Microsoft Exchange Server 2003 registry hacks Use Performance Monitor to detect Exchange 2003 message queue problems How to set up email disclaimers on a single, back-end Exchange server How to customize OWA authentication logon in Exchange Server 2003 Can a deleted transaction log be restored in Exchange Server 2003? Microsoft Exchange Server 2003 Research Microsoft Exchange Server Monitoring and Logging Error message: 'ID no: 8004100e Exchange System Manager' How to generate HTML reports with the Exchange Management Shell (EMS) IMAP list command only returns a list of Exchange public folders A network connection problem or an offline server prevented delivery of the message Monitor and search Exchange mailboxes for music and video files How much bandwidth is required to send email in Exchange 2003? Monitoring Outlook Web Access usage via IIS log files What event log tracks user access to Exchange Server? How to determine when an Exchange Server mailbox was last accessed by the owner How to set up Microsoft Operations Manager (MOM) for Exchange Server monitoring RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.