Exchange Server diagnostics: An introduction to application and system logs

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.

Introduction

When something goes wrong, it's important to know where to look to begin the troubleshooting process. Exchange Server 2003 offers a wealth of diagnostic logging options, but the logs aren't all in one place. In this article, I explain how to find and use the diagnostic information available in your application and system logs.

The application log

Exchange Server writes the majority of its diagnostic information to the application log. You can access this log directly through the Windows Event Viewer. The application log contains information from Exchange, the Windows operating system and sometimes other applications. So finding what you're looking for can be like hunting for a needle in a haystack.

Filtering the application log

The easiest way to locate the information you need is to filter the application log:

1. Select the Filter command from the Event Viewer's View menu. Windows will display the Application properties sheet.

2. Select the appropriate option from the Event Source dropdown list and click OK. You will now see application events from the selected source.

If you try this on your own, you will notice that there are about a hundred different event source choices. Unfortunately, there isn't one filter for Exchange-related Events. Exchange is simply too complex with too many individual pieces to have one dedicated filter. Instead, there are 26 different filters directly related to Exchange Server, and many more that are related to underlying components, such as IIS.

Filters that are directly related to Exchange Server start with MSExchange. Some of the more commo...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Exchange Server Administration Tips Remove Exchange 2003 objects from AD to install Exchange 2010 Don'ts for optimal Exchange 2007 mailbox server efficiency Is your Exchange 2007 hub transport server healthy? Avoid Outlook 2007 performance issues during repairs Developing an Exchange 2007 server role DR plan How DSAccess service improves Exchange Server 2007 reliability An introduction to the Exchange Remote Connectivity Analyzer tool Monitor Exchange 2007 with disk- and RPC-related counters DPM 2007 replica inconsistencies in Exchange databases Track Exchange 2007 mailbox server health using database counters Microsoft Exchange Server 2003 Remove Exchange 2003 objects from AD to install Exchange 2010 Leapfrogging from Exchange 2003 to Exchange 2010 Top 5 Exchange ActiveSync tips Exchange Mailbag: POP3 settings and Outlook issues Migrating to Exchange 2007 with correct permissions Problems receiving email from outside a Exchange Server 2003 domain Exchange admins: Is it time to rethink your email address policy? Exchange Server 2003 collects email from only specific POP3 domains Changing email address formats in Exchange Server 2003 Should you remove .STM files from Exchange Server 2003? Microsoft Exchange Server 2003 Research Microsoft Exchange Server Monitoring and Logging Analyzing Exchange ActiveSync data from .CSV report files Top Exchange Server performance monitoring and troubleshooting tools Extracting Exchange ActiveSync data from IIS log files How effective is tracking the IP address of an email hacker? Error message: 'ID no: 8004100e Exchange System Manager' How to generate HTML reports with the Exchange Management Shell (EMS) IMAP list command only returns a list of Exchange public folders A network connection problem or an offline server prevented delivery of the message Monitor and search Exchange mailboxes for music and video files How much bandwidth is required to send email in Exchange 2003?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

nly used ones are:

• MSExchangeAL: Information from the Exchange Address List Manager.
• MSExchangeIS: Information related to the Exchange information store.
• MSExchangeSA: Information regarding the Exchange System Attendant.
• MSExchangeTransport: Information pertaining to message routing and delivery.
• POP3Svc: Not really an MSExchange filter, but used by Exchange to log information related to the Post Office Protocol.

Since there are 26 different Exchange-related filters, imagine the volume of logging data that can potentially be written to the application log. To prevent Exchange from filling up the logs, the logging level is either disabled or set to minimum by default. If you ever have a problem with Exchange and you need more comprehensive logging information, you can temporarily configure Exchange to provide you with more verbose logging.

Adjusting Exchange's logging level

1. Open Exchange System Manager.

2. Navigate through the console tree to Administrative Groups -> your administrative group -> Servers -> your server.

3. Right click on your server and select Properties.

4. The properties sheet's Diagnostic Logging tab contains references to about half of the Exchange-related filters (the other filters are controlled by the system).

5. You can now adjust the logging levels for any of these filters. To do so, just select the desired filter.

   There are multiple categories associated with the filter. For example, the POP3Svc filter contains categories such as Connection, Authentication and Client Action. There is also usually a General category.

6. Select the category that meets your needs and then choose the logging level you want to use. Your choices are None, Minimum, Medium and Maximum.

You can adjust the logging levels of as many filters and categories as you like, but return the filters to a minimum logging level (or disable logging completely) when you are done to avoid filling up the application log.

The system log

Exchange rides on top of the Windows operating system. So if Windows isn't healthy, Exchange can experience problems too. That's why the Event Viewer's system log is also a valuable source of information. You won't find any filters directly related to Exchange in the system log, but it does contain valuable information about the OS.

I cannot walk you through the process of troubleshooting Windows by referencing entries in the system log here -- the process is just too complicated. What I can tell you though is that some of the system log filters are more closely related to Exchange than others. For example, the SMTPSVC filter logs information related to SMTP. Another useful filter is the W3SVC filter, which contains IIS-related logging information.

Conclusion

There are a number of mechanisms through which Exchange writes information to the event logs. If you are having Exchange problems, I recommend that you begin the troubleshooting process by searching the event logs for Exchange-related issues. You can then cross-reference the Event IDs against the Microsoft Knowledge Base to find a solution.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Reference Center: Exchange administration tools

---

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.