Introduction to Exchange 2003 Server SMTP Logs
In Exchange 2003 Server, SMTP (Simple Mail Transfer Protocol) has many shades of meaning. On this page I use the word SMTP in the context of understanding protocol logs. These SMTP logs contain a record of each server's email conversations, command by command. However, bear in mind that the acronym SMTP has other connotations, for example the SMTP Virtual Server, the SMTP service in IIS and SMTP routing connectors.
Topics for Exchange 2003 SMTP Logs
- Creating SMTP logs
- Choice of 4 log formats
- W3C Extended Log File Format
- Finding the Log Output
- Summary Exchange SMTP Logs
Let us take the situation where one server is collecting email, but only intermittently. We would like to understand the SMTP conversation between Exchange 2003 servers and so discover the cause of the problem. This is a classic job for SMTP protocol logging.
There are two ways to reach the logging settings: either open IIS Manager, or launch Exchange System Manager, expand the server, then the Protocols folder, then SMTP, and open the Properties of the SMTP virtual server. Logging is switched on with the Enable logging checkbox on the General tab, where you also pick the log format.
You have 4 methods for collecting SMTP conversations:
- W3C Extended Log File Format
- NCSA Common Log File Format
- ODBC Logging
- Microsoft IIS Log File Format
The default log format is W3C Extended, and it is the best way to get started with SMTP logging. However, if you need to search a large volume of data and you have a database such as SQL Server, then select ODBC Logging, which writes each record to a table instead of a text file.
I have to admit that I have yet to find a use for NCSA common log file format. The Microsoft IIS Log File Format is O.K. but lacks the flexibility and customization of the W3C format.
The W3C format is my favourite SMTP logging method. In particular, I like the flexibility of the extended properties on the Advanced tab, where you pick exactly which columns are written. Here is the header of a log in which I chose to record the time, the client IP (c-ip), the SMTP command (cs-method), the request target (cs-uri-stem) and the reply code (sc-status).
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-02-03 12:40:23
#Fields: time c-ip cs-method cs-uri-stem sc-status
#Software: The version of IIS that wrote the log; IIS 6.0 means Windows Server 2003.
#Version: 1.0 identifies the W3C Extended log format. The NCSA and Microsoft IIS formats write no header lines at all, and ODBC logging writes to a database table.
#Date: When this file was started, written as yyyy-mm-dd hh:mm:ss. Note that W3C Extended logs record dates and times in UTC (GMT), not server local time, so allow for your time zone before lining log entries up with the event log or with a user's report of when a message was sent.
#Fields: The column headings, in the order the values appear on each data line. Values are separated by spaces, and any space inside a value is written as a plus sign. cs-uri-stem is the resource requested; in SMTP logs it is usually just a dash, because the command's argument (the HELO name, the MAIL FROM sender or the RCPT TO recipient) is written to cs-uri-query, so add that field too if you want to see who is mailing whom.
Understanding the SMTP codes
The prefix tells you the direction. s- means server and c- means client; cs- means client to server and sc- means server to client. For example sc-bytes is the number of bytes the server sent, cs-bytes the number it received, cs-method the command the client issued and sc-status the reply code the server returned.
Mail Transfer conversation
#Fields: time c-ip cs-method sc-status
14:13:11 10.1.1.9 HELO 250
14:13:13 10.1.1.9 MAIL 250
14:13:19 10.1.1.9 RCPT 250
14:13:29 10.1.1.9 DATA 250
14:13:31 10.1.1.9 QUIT 221
The SMTP commands you will find under cs-method are HELO (or EHLO from modern clients), MAIL, RCPT, DATA and QUIT. A normal delivery is exactly the sequence above: one MAIL, one or more RCPT, a DATA, then QUIT.
sc-status holds the server's reply code. 250 means O.K., the command was accepted, and 221 is the closing reply to QUIT. The first digit gives the class: 2xx success, 3xx the server wants more input (DATA is first answered with 354 to invite the message body, and 250 only once the terminating line has been received), 4xx a temporary failure the client should retry later (421 service not available), and 5xx a permanent rejection (550 mailbox unavailable or relaying denied, 554 transaction failed). A run of 4xx or 5xx replies against one client IP is where to start when mail is arriving only intermittently.
Finding the SMTP logs is not trivial. Whereas many programs write their events to the Application log, SMTP protocol logs are text files under %windir%\system32\logfiles\SMTPSVC1*. The trailing digit is the instance number of the virtual server, so a second SMTP virtual server logs to SMTPSVC2. By default you get one log per day; double-click the file you are interested in and Notepad will open it and display the data.
All W3C Extended Log File Format files begin with ex and are named exyymmdd.log, so ex050203.log holds 3 February 2005. Because the W3C format keeps time in UTC, the daily file also rolls over at midnight UTC unless you tick "Use local time for file naming and rollover" in the logging properties.
* Corrected by Juha (Guy thought it was %windir%\system32\logfiles\W3SVC1)
If you click Start (Menu), Run, Logfiles (Type), now you should see the Windows Explorer open the correct directory to find your SMTP logs.
What to look out for
Open Relaying – The symptom is your server sending mail you do not recognise to external servers, and not just one message but a whole load of probable spam. In the log it appears as sessions from client IPs outside your network whose MAIL FROM sender is not one of your users and whose RCPT TO addresses are in domains you do not host, each answered 250 rather than the 550 "Unable to relay" reply that a correctly restricted server returns. Look for one external IP issuing dozens of RCPT commands per session.
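The two checks above (failed commands, and RCPT commands accepted for domains you do not host from untrusted client IPs) are easy to automate once the W3C header has been parsed. The following Python script is an added example, not code from the original page; the log lines in SAMPLE_LOG are constructed for illustration, and the hosted domain and trusted network passed to the functions are assumptions you would replace with your own.

```python
"""Parse an IIS 6 / Exchange 2003 W3C Extended SMTP log and flag trouble."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not taken from a real server). The column set is the
# one chosen on the Advanced tab; W3C logs write times in UTC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-02-03 14:13:11
#Fields: date time c-ip cs-method cs-uri-query sc-status
2005-02-03 14:13:11 10.1.1.9 HELO +mail.example.com 250
2005-02-03 14:13:13 10.1.1.9 MAIL +FROM:<alice@example.com> 250
2005-02-03 14:13:19 10.1.1.9 RCPT +TO:<bob@example.com> 250
2005-02-03 14:13:29 10.1.1.9 DATA - 250
2005-02-03 14:13:31 10.1.1.9 QUIT - 221
2005-02-03 14:20:02 203.0.113.7 HELO +spam.invalid 250
2005-02-03 14:20:03 203.0.113.7 MAIL +FROM:<x@spam.invalid> 250
2005-02-03 14:20:04 203.0.113.7 RCPT +TO:<victim1@elsewhere.test> 250
2005-02-03 14:20:04 203.0.113.7 RCPT +TO:<victim2@elsewhere.test> 250
2005-02-03 14:20:05 203.0.113.7 RCPT +TO:<victim3@other.test> 550
2005-02-03 14:20:06 203.0.113.7 DATA - 250
2005-02-03 14:20:07 203.0.113.7 QUIT - 221
"""

ADDRESS_RE = re.compile(r"<([^>]+)>")


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header.

    IIS writes a fresh #Fields line whenever the chosen columns change, so the
    header is re-read each time it appears instead of being assumed fixed.
    Values are space separated; spaces inside a value are encoded as '+'."""
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date carry no records
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line, e.g. written while the file rolled over
        rows.append(dict(zip(fields, values)))
    return rows


def status_class(row):
    """First digit of the SMTP reply code: 2 OK, 3 more input, 4 temporary, 5 permanent."""
    code = row.get("sc-status", "")
    return int(code[0]) if code[:1].isdigit() else None


def recipient(row):
    """Address inside an RCPT argument such as '+TO:<bob@example.com>', or None."""
    match = ADDRESS_RE.search(row.get("cs-uri-query", ""))
    return match.group(1).lower() if match else None


def find_relay_abuse(rows, local_domains, trusted_nets):
    """Map client IP -> recipients it was allowed to relay to.

    A relay is an RCPT answered 2xx for a domain this server does not host,
    issued from an address outside trusted_nets (your own LAN is expected to
    relay outbound mail through the server, so it is excluded)."""
    local = {d.lower() for d in local_domains}
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    relayed = defaultdict(list)
    for row in rows:
        if row.get("cs-method") != "RCPT" or status_class(row) != 2:
            continue
        addr = recipient(row)
        if addr is None or addr.rsplit("@", 1)[-1] in local:
            continue
        client = ipaddress.ip_address(row["c-ip"])
        if any(client in net for net in nets):
            continue
        relayed[row["c-ip"]].append(addr)
    return dict(relayed)


def failed_commands(rows):
    """(date, time, client IP, command, reply) for every 4xx or 5xx reply."""
    return [(r.get("date", "-"), r.get("time", "-"), r["c-ip"], r["cs-method"], r["sc-status"])
            for r in rows if status_class(r) in (4, 5)]


if __name__ == "__main__":
    records = parse_w3c(SAMPLE_LOG)
    # Assumed values: replace with the domains you host and your internal ranges.
    for ip, targets in find_relay_abuse(records, {"example.com"}, ["10.0.0.0/8"]).items():
        print(f"possible open relay: {ip} relayed to {', '.join(targets)}")
    for entry in failed_commands(records):
        print("failed command:", *entry)
```

Point parse_w3c at the contents of a real ex*.log file and the same two checks run unchanged; because the field names come from the #Fields header, adding or removing columns on the Advanced tab does not break the parser, although find_relay_abuse does need cs-uri-query to be among the logged fields.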
This page is designed to help you understand SMTP logs. Exchange 2003 relies on IIS to provide protocol logging. Of the four formats available, W3C Extended Log File Format provides the greatest choice of output. ODBC logging is useful if you have a SQL Server database and need to query a large amount of data. To check your SMTP logs, click Start (menu), Run, and type logfiles.
- Exchange 2007 SMTP Connectors
- Exchange 2010 SMTP Connectors
- SMTP Raw Commands
- SMTP Logs
- Exchange Logs
- Free SolarWinds Exchange Monitor
- Diagnostic Logging
- Free Kiwi Syslog Analyzer
- Troubleshooting Tips