Microsoft Exchange 2010 Log Analysis

Microsoft Exchange 2010 – Message Tracking Logs

Many of the events that occur on Exchange 2010 are written to log files in different categories; connectivity logs, message tracking logs and protocol logs are some of them.

Message tracking logs can be used for forensics, mail flow analysis, reporting and troubleshooting.

These logs are enabled by default when Exchange is installed.

The log files are written to the directory “C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking”.

Exchange 2010 Message Tracking Log Format

date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data

Each log file begins with a “#Fields:” header line listing these column names in this order; the data lines that follow are comma-separated values in the same order, so a parser should take the column names from that header rather than hard-coding them.

Exchange 2010 Message Tracking Sample Log

2012-05-18T14:54:11.296Z,,server2008-1,,server2008-1,08CF031D375D19B6;2012-05-18T14:54:11.109Z;0,,STOREDRIVER,DELIVER,1,<93261797ED93524E874890F39F284C31019975@server2008-1.logtest.com>,Administrator@logtest.com,,4380,1,,,test,Administrator@logtest.com,Administrator@logtest.com,2012-05-18T14:54:09.843Z;SRV=server2008-1.logtest.com:TOTAL=0;SRV=server2008-1.logtest.com:TOTAL=1,Originating,,,,S:RuleCacheCorruptions=SMTP:Administrator@logtest.com:Gelen Kutusu;S:MailboxDatabaseName=mailbox database 1029395776;S:DatabaseHealth=-1

Field name and description

date-time*

The date and time of the message tracking event. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T separates the date from the time, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. Because every timestamp is in UTC and in this fixed-width form, plain text ordering of the field is also time ordering.

client-ip

The TCP/IP address of the messaging server or messaging client that submitted the message.

client-hostname

The name of the messaging server or messaging client that submitted the message.

server-ip

The TCP/IP address of the source or destination server running Microsoft Exchange Server.

server-hostname

The name of the source or destination Exchange server.

source-context

Extra information associated with the source field.

connector-id

The name of source or destination Send connector or Receive connector.

source*

The Exchange transport component responsible for the message tracking event. The possible values for this field are as follows:

  • ADMIN (for Replay directory submission)
  • AGENT
  • DSN
  • GATEWAY (for Foreign connector submission)
  • PICKUP
  • ROUTING
  • SMTP
  • STOREDRIVER

event-id*

The message event type. These events are described in the event table later on this page. The values listed there are BADMAIL, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT and TRANSFER; Exchange 2010 also writes further events that are not covered here, such as DEFER and the HA* shadow-redundancy events.

internal-message-id*

A message identifier assigned by the Exchange server that is currently processing the message (a plain integer; 1 in the sample above). A given message has a different internal-message-id in the message tracking log of every Exchange server involved in its delivery, so use message-id, not this field, to correlate one message across servers.

message-id

The value of the Message-Id: field found in the message's header fields. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.

recipient-address*

The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;).

recipient-status

The delivery status of each recipient listed in recipient-address, in the same order and likewise separated by semicolons. For a SEND event this is the remote server's SMTP response; for a FAIL event it is the reason for the failure.

total-bytes*

The size of the message, including attachments, in bytes (4380 in the sample above).

recipient-count*

The number of recipients in the message.

related-recipient-address

This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message.

reference

This field contains additional information for specific types of events:

  • DSN - The Reference field contains the Internet-Message-Id of the message that caused the DSN.
  • SEND - The Reference field contains the Internet-Message-Id of any delivery status notification (DSN) messages.
  • TRANSFER - The Reference field contains the Internal-Message-Id of the message that is being forked.

For all other types of events, the Reference field is blank.

message-subject

The message's subject found in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet for Hub Transport servers and Edge Transport servers, or in the Set-MailboxServer cmdlet for Mailbox servers. By default, message subject tracking is enabled. Message subject logging can be disabled by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $false.

sender-address

The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.

return-path*

The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>.

message-info

This field contains the message origination date-time for DELIVER and SEND events. The origination date-time is the time that the message first enters the Exchange organization. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. As the sample log above shows, Exchange 2010 appends per-server latency data after the timestamp, separated by semicolons (SRV=server2008-1.logtest.com:TOTAL=1).

directionality

The direction of the message relative to the organization. The sample shows Originating (submitted from inside the organization); Incoming marks mail received from outside, and Undefined is used when the direction is not known.

tenant-id

Reserved for hosted (multi-tenant) deployments; empty in an on-premises organization, as in the sample.

original-client-ip

Like client-ip, but for the client that originally submitted the message; empty in the sample.

original-server-ip

Like server-ip, but for the server that originally handled the message; empty in the sample.

custom-data

Additional data written by the component that generated the event, as semicolon-separated S:Name=Value pairs. In the sample DELIVER event it records, among other things, the mailbox database that received the message (S:MailboxDatabaseName=mailbox database 1029395776).

Exchange 2010 event IDs (event name and description)

BADMAIL

A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned.

DELIVER

A message was delivered to a mailbox.

DSN

A delivery status notification (DSN) was generated.

EXPAND

A distribution group was expanded.

FAIL

A message delivery failed.

POISONMESSAGE

A message is put in the poison message queue or removed from the poison message queue.

RECEIVE

A message was received and committed to the database.

REDIRECT

A message was redirected to an alternative recipient after an Active Directory directory service lookup.

RESOLVE

A message's recipients were resolved to a different e-mail address after an Active Directory lookup.

SEND

A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server.

SUBMIT

A message was submitted by an Exchange server that has the Mailbox server role installed to an Exchange server that has the Hub Transport server role or Edge Transport server role installed. The source for these events is STOREDRIVER.

TRANSFER

Recipients were moved to a forked message because of content conversion, message recipient limits, or agents.
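The field layout and the event table above are what an analyst needs to read these files offline. The following is an added example, not code from the original article or from Microsoft: it parses message tracking log lines using the “#Fields:” header, splits the semicolon-separated recipient-address and custom-data fields, rebuilds the SUBMIT → RECEIVE → DELIVER path of one Message-Id, and runs a simple triage check for inbound mail whose envelope sender (return-path) domain does not match the header sender (sender-address) domain. The DELIVER line in SAMPLE_LOG is the one quoted in the article; the SUBMIT and RECEIVE lines for the same message and the inbound SMTP RECEIVE line are constructed for this example and do not come from a real server.

```python
"""Parse Exchange 2010 message tracking log lines and rebuild a message's path.

Added example; it is not code from the original article or from Microsoft.
The DELIVER line in SAMPLE_LOG is the one quoted in the article. The SUBMIT
and RECEIVE lines for the same Message-Id, and the inbound SMTP RECEIVE line,
are constructed here to illustrate the checks and come from no real server.
"""
import csv

# Constructed log excerpt. Exchange writes the column names in a '#Fields:'
# header line, so the parser takes them from there instead of hard-coding them.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2012-05-18T14:54:09.843Z,,server2008-1,,server2008-1,,,STOREDRIVER,SUBMIT,1,<93261797ED93524E874890F39F284C31019975@server2008-1.logtest.com>,Administrator@logtest.com,,4380,1,,,test,Administrator@logtest.com,Administrator@logtest.com,,Originating,,,,
2012-05-18T14:54:10.109Z,,server2008-1,,server2008-1,,,STOREDRIVER,RECEIVE,1,<93261797ED93524E874890F39F284C31019975@server2008-1.logtest.com>,Administrator@logtest.com,,4380,1,,,test,Administrator@logtest.com,Administrator@logtest.com,,Originating,,,,
2012-05-18T14:54:11.296Z,,server2008-1,,server2008-1,08CF031D375D19B6;2012-05-18T14:54:11.109Z;0,,STOREDRIVER,DELIVER,1,<93261797ED93524E874890F39F284C31019975@server2008-1.logtest.com>,Administrator@logtest.com,,4380,1,,,test,Administrator@logtest.com,Administrator@logtest.com,2012-05-18T14:54:09.843Z;SRV=server2008-1.logtest.com:TOTAL=0;SRV=server2008-1.logtest.com:TOTAL=1,Originating,,,,S:RuleCacheCorruptions=SMTP:Administrator@logtest.com:Gelen Kutusu;S:MailboxDatabaseName=mailbox database 1029395776;S:DatabaseHealth=-1
2012-05-18T15:02:33.120Z,203.0.113.7,mail.example.net,192.0.2.10,server2008-1,08CF031D375D19C2;2012-05-18T15:02:33.001Z;0,Default server2008-1,SMTP,RECEIVE,2,<a1b2c3@mail.example.net>,user1@logtest.com;user2@logtest.com,,5120,2,,,"Invoice, urgent",ceo@logtest.com,bounce@example.net,,Incoming,,,,
"""


def parse_tracking_log(text):
    """Return one dict per event, keyed by the names from the #Fields: header.

    The data lines are CSV: a subject containing a comma is written quoted,
    so they must go through a real CSV reader, not str.split(',').
    """
    fields, events = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = next(csv.reader([line]))
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        events.append(dict(zip(fields, values)))
    return events


def recipients(event):
    """recipient-address holds several addresses separated by ';'."""
    return [r for r in event["recipient-address"].split(";") if r]


def parse_custom_data(value):
    """Split 'S:Key=Val;S:Key2=Val2' (the custom-data field) into a dict."""
    out = {}
    for item in filter(None, value.split(";")):
        key, _, val = item.partition("=")
        out[key.split(":", 1)[-1]] = val  # drop the 'S:' type prefix
    return out


def message_path(events, message_id):
    """Chronological (date-time, event-id, source, server-hostname) tuples for
    one Message-Id: the hops the message took as seen in this server's log."""
    hops = [e for e in events if e["message-id"] == message_id]
    hops.sort(key=lambda e: e["date-time"])  # UTC ISO-8601: text order is time order
    return [(e["date-time"], e["event-id"], e["source"], e["server-hostname"]) for e in hops]


def envelope_header_mismatches(events):
    """Inbound RECEIVE events whose MAIL FROM domain (return-path) differs from
    the header sender domain (sender-address). A first triage filter for
    spoofed mail; treat hits as leads, since mailing lists and forwarders
    legitimately produce the same pattern."""
    def domain(addr):
        return addr.rpartition("@")[2].lower()
    return [
        (e["client-ip"], e["sender-address"], e["return-path"], e["message-subject"])
        for e in events
        if e["event-id"] == "RECEIVE" and e["directionality"] == "Incoming"
        and domain(e["return-path"]) != domain(e["sender-address"])
    ]


if __name__ == "__main__":
    evs = parse_tracking_log(SAMPLE_LOG)
    mid = "<93261797ED93524E874890F39F284C31019975@server2008-1.logtest.com>"
    for hop in message_path(evs, mid):
        print(" ".join(hop))
    print(parse_custom_data(evs[2]["custom-data"]))
    for hit in envelope_header_mismatches(evs):
        print("envelope/header mismatch:", hit)
```

On a live server the Exchange Management Shell cmdlet Get-MessageTrackingLog performs the same search; an offline parser like this one is for the case where the log directory has been copied off a host whose own tooling can no longer be trusted. Note that message_path correlates on message-id, not internal-message-id, because the latter differs on every server that handled the message.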