Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win
When something goes wrong, it's important to know where to look to begin the troubleshooting process. Exchange Server 2003 offers a wealth of diagnostic logging options, but the logs aren't all in one place. In this article, I explain how to find and use the diagnostic information available in your application and system logs.
The application log
Exchange Server writes the majority of its diagnostic information to the application log. You can access this log directly through the Windows Event Viewer. The application log contains information from Exchange, the Windows operating system and sometimes other applications. So finding what you're looking for can be like hunting for a needle in a haystack.
Filtering the application log
The easiest way to locate the information you need is to filter the application log:
- Select the Filter command from the Event Viewer's View menu. Windows will display the Application properties sheet.
- Select the appropriate option from the Event Source dropdown list and click OK. You will now see application events from the selected source.
If you try this on your own, you will notice that there are about a hundred different event source choices. Unfortunately, there isn't one filter for Exchange-related Events. Exchange is simply too complex with too many individual pieces to have one dedicated filter. Instead, there are 26 different filters directly related to Exchange Server, and many more that are related to underlying components, such as IIS.
Filters that are directly related to Exchange Server start with MSExchange. Some of the more commonly used ones are:
- MSExchangeAL: Information from the Exchange Address List Manager.
- MSExchangeIS: Information related to the Exchange information store.
- MSExchangeSA: Information regarding the Exchange System Attendant.
- MSExchangeTransport: Information pertaining to message routing and delivery.
- POP3Svc: Not really an MSExchange filter, but used by Exchange to log information related to the Post Office Protocol.
Since there are 26 different Exchange-related filters, imagine the volume of logging data that can potentially be written to the application log. To prevent Exchange from filling up the logs, the logging level is either disabled or set to minimum by default. If you ever have a problem with Exchange and you need more comprehensive logging information, you can temporarily configure Exchange to provide you with more verbose logging.
Adjusting Exchange's logging level
- Open Exchange System Manager.
- Navigate through the console tree to Administrative Groups -> your administrative group -> Servers -> your server.
- Right click on your server and select Properties.
- The properties sheet's Diagnostic Logging tab contains references to about half of the Exchange-related filters (the other filters are controlled by the system).
- You can now adjust the logging levels for any of these filters. To do so, just select the desired filter.
There are multiple categories associated with the filter. For example, the POP3Svc filter contains categories such as Connection, Authentication and Client Action. There is also usually a General category.
- Select the category that meets your needs and then choose the logging level you want to use. Your choices are None, Minimum, Medium and Maximum.
You can adjust the logging levels of as many filters and categories as you like, but return the filters to a minimum logging level (or disable logging completely) when you are done to avoid filling up the application log.
The system log
Exchange rides on top of the Windows operating system. So if Windows isn't healthy, Exchange can experience problems too. That's why the Event Viewer's system log is also a valuable source of information. You won't find any filters directly related to Exchange in the system log, but it does contain valuable information about the OS.
I cannot walk you through the process of troubleshooting Windows by referencing entries in the system log here -- the process is just too complicated. What I can tell you though is that some of the system log filters are more closely related to Exchange than others. For example, the SMTPSVC filter logs information related to SMTP. Another useful filter is the W3SVC filter, which contains IIS-related logging information.
There are a number of mechanisms through which Exchange writes information to the event logs. If you are having Exchange problems, I recommend that you begin the troubleshooting process by searching the event logs for Exchange-related issues. You can then cross-reference the Event IDs against the Microsoft Knowledge Base to find a solution.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
Do you have comments on this tip? Let us know.
Related information from SearchExchange.com:
This was first published in July 2005