Microsoft Exchange Server 2010 Logs

Location of Exchange Logs

Whenever you get a problem in Exchange 2010 I guarantee that one of the logs will provide vital clues to find the root cause.  The hidden agenda of this page is to open your eyes to the numerous types of Exchange logs, and show you where to find them.

Topics for Exchange Server 2010 Logs


Location and Types of Exchange Logs

Microsoft is not perfect.  However, I have always felt that from the earliest Windows operating systems Microsoft provides lots of troubleshooting information in their logs. 

The reason that Exchange 2010 has so many logs in so many locations is simply because it has so many components.  On an Exchange server there are database logs for the mailstore, Windows 2008 application logs, SMTP protocol logs and virus logs.  If that is not enough, you can create your own performance logs.

Unfortunately there is no central location to view all these Exchange related logs, therefore you have to start exploring locations such as the \exchsrvr folder, Event Viewer and even the root of the C:\ or D:\ drive.

Event Viewer: Application Log

Whenever I get an email problem, I try and make myself look in the Event Viewer earlier, rather than later in the troubleshooting process.  Therefore in the case of Exchange 2010, I urge you to begin with the Application Log.  People often say ‘finding the problem is like looking for a needle in a haystack’.  My reply is: ‘ master Event Viewer’s Filter ‘.  Click on the View Menu, Filter and select one of these from the Event Source box.

  • MSExchangeAL – Addressing Email
  • MSExchangeIS – IIS Access
  • MSExchangeSA – Active Directory related
  • MSExchangeTransport – SMTP Routing
  • POP3Svc

Event Viewer: System Log

Using the same technique that I described above for the Application log, investigate these categories, remember the key menu is Filter source:

  • SMTPSVC – SMTP Service
  • W3SVC – IIS
  • MSExchangeIS Mailbox Store
  • ClusSvc – Cluster Service

Setup.log and Exchange Server Setup Progress.log

Exchange also has two setup logs to troubleshoot install programs.  These files are created in the root of the drive where the Exchange 2010 binaries are installed.  For example look in C:\ or D:\.   These files give reasons why setup failed.  Perhaps Exchange 2010 could not extend the schema, or encountered problems overwriting priv1.edb in the MDBDATA folder.  I once used the progress log to solve a replication problem when migrating from Exchange 5.5.

Guy Recommends:  SolarWinds’ Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Exchange 2010 Server SMTP Logs

In Exchange 2010 server, SMTP (Simple Mail Transport Protocol) has several shades of meaning.  On this page I use the word SMTP in the context of understanding logs.  These SMTP logs contain records of each server’s email conversations.  However, bear in mind that the acronym SMTP has other connotations, for example, SMTP Virtual Server, the SMTP service in IIS and SMTP routing connections.

Creating SMTP logsExchange 2010 Logs

Let us take the situation where one server is collecting email, but only intermittently.  We would like to investigate the SMTP conversation between two Exchange 2010 servers and thus discover the cause of the problem.  Here is a classic job for SMTP protocol logging.

There are two ways of locating the diagram opposite, either visit IIS, or launch the Exchange System Manager, navigate to Protocols folder and click on the SMTP server icon.

Choice of SMTP Log Formats

You have 4 methods for collecting SMTP conversations:

  • W3C Extended Log File Format
  • NCSA Common Log File Format
  • ODBC Logging
  • Microsoft IIS Log File Format

The default log format is W3C Extended.  This format is the best way to get started with SMTP logging.  However, when you need more extensive search capabilities, such as investigating a SQL database, then select ODBC Logging.


W3C Extended Log File FormatSMTP Logs W3C Format

The W3C format is my favourite SMTP logging method.  In particular, I like the flexibility provided by extended properties on the advanced tab.  Here is the output of log where I chose to record the client IP, the SMTP method, and the reply code or sc-status.

#Software: Internet Information Services 6.0
#Version: 1.0
#Date: 2006-02-03 15:18:43
#Fields: time c-ip cs-method cs-uri-stem sc-status


#Software: IIS v 6.0 (Probably from a Windows Server 2010)

#Version: 1.0 Means W3C Extended log format (Not ODBC)

#Date: Probably USA day month format.
#Fields: As the name field suggests the column heading for the data recorded. Example, cs-uri-stem means the resource requested.

Understanding the SMTP codes

s- means server, whereas sc- means server to client.  For example sc-bytes means the number of bytes sent by the server.  c- I expect that you have already guessed, c- means client.


Mail Transfer conversation

#Fields: time    c-ip    cs-method  sc-status
     15:18:11    HELO      250
     15:18:13    MAIL      250
     15:18:19    RCPT      250
     15:18:29    DATA     250
     15:18:31    QUIT      240

Possible SMTP methods found under cs-method: HELO, MAIL, RCPT, DATA and QUIT.

sc-status value of 250.  Server to client transactions, which return a value 250, means O.K.  (421 would mean service not available, or 554 would mean transaction failed).

Locating the Log Output

Finding the location of the SMTP logs is not trivial.  Whereas many programs output their events to the Application log, SMTP Logs are to be found under the "%windir%\system32\logfiles\SMTPSVC1*.  Typically, you get a one log for each day, so double click the file that you are interested in and notepad will open the log and display the data.

All W3C Extended Log File Format files begin with ex, for example exyyddmm.log

* Corrected by Juha (Guy thought it was %windir%\system32\logfiles\W3SVC1)

SMTP Logs Exchange Server  If you click Start (Menu), Run, Logfiles (Type), now you should see the Windows Explorer open the correct directory to find your SMTP logs.

What to look out for
Open Relaying – Symptoms your server is sending mail that you do not recognise to an external server.  Moreover it’s not just one email but a whole load of possible spam messages.

Guy Recommends: SolarWinds Network Topology Mapper (NTM)SolarWinds Network Topology Mapper

NTM will produce a neat diagram of your network topology.  But that’s just the start;Network Topology Mapper can create an inventory of the hardware and software of your machines and network devices.  Other neat features include dynamic update for when you add new devices to your network.  I also love the ability to export the diagrams to Microsoft Visio.

Finally, Guy bets that if you test drive the Network Topology Mapper then you will find a device on your network that you had forgotten about, or someone else installed without you realizing!

Download your 14 day free trial ofSolarWinds Network Topology Mapper

SMTP Microsoft Exchange Server 2010 – SMTP Logs

This page is designed to help you understand SMTP logs.  Exchange relies on IIS to provide protocol logging.  Of the four formats available, W3C Extended Log File Format provides the greatest choice of output.  ODBC logging is useful if you have a SQL database and need to query a large amount of data.  To check your SMTP logs, click Start (menu), run, logfiles.  Try SolarWinds Storage and Response Time Manager

Summary of Exchange Server 2010 Logs

When you are troubleshooting Exchange 2010, collect the evidence by going first to the event logs.  Also explore the variety of locations and types of logs that Exchange 2010 has to offer.  Find out where to turn the logs on, and discover how to interpret the output data.

If you like this page then please share it with your friends


See more Microsoft Exchange Server 2010 topics:

Exchange Home  • Exchange 2010 Transition  • Exchange 2010 Migration  • Exchange 2010 SP1

• Exchange MX Records  • Exchange 2010 Logs  • Exchange 2010 Circular Logging  • Exchange Stores

Exchange 2010 GAL  • Exchange 2010 SMTP Connector  • Free Exchange Monitor  • Home