LogParsing with Exchange SMTP Protocol Logs

SMTP protocol logs are not enabled by default. In both Exchange 2003 and Exchange 2007, SMTP protocol logging needs to be enabled manually.

In Exchange 2003, SMTP protocol logging is enabled on the SMTP virtual servers.


Download Log Parser from the following link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

The Log Parser command below lists the servers connecting to the Exchange 2003 server through SMTP:

logparser "Select cs-username, count(*) as Hits from N:\ex0910.log GROUP BY cs-username ORDER BY Hits Desc" -o:DATAGRID

The output lists each server name and the number of hits from that server.


The article below describes how to enable SMTP protocol logging on Exchange 2007 and where the log files are stored:

https://smtpport25.wordpress.com/2009/10/

The command below lists the servers that connect to the Exchange server to send email:

logparser "select REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as RemoteSendingHost, count(*) as Hits from RECV*.log group by RemoteSendingHost order by Hits DESC" -i:CSV -nSkipLines:4 -o:DATAGRID
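
The same tally can be reproduced without Log Parser, for example when the RECV*.log files have been copied to an analysis host. The Python below is an added example, not part of the original post: it skips the reverse DNS lookup, takes column names from the #Fields: line, and also counts distinct session-id values per host, because the Log Parser query counts log lines rather than connections. The sample log, host names and addresses are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the Exchange 2007 receive protocol log layout
# (4 comment lines, then "#Fields:", then CSV rows). All values are made up.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2009-10-12T08:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2009-10-12T08:00:01.000Z,EX07\Default EX07,08CC0001,0,10.0.0.5:25,192.0.2.10:41022,+,,
2009-10-12T08:00:01.100Z,EX07\Default EX07,08CC0001,1,10.0.0.5:25,192.0.2.10:41022,<,EHLO relay1.example.test,
2009-10-12T08:00:01.200Z,EX07\Default EX07,08CC0001,2,10.0.0.5:25,192.0.2.10:41022,>,"250 Hello, pleased to meet you",
2009-10-12T08:00:02.000Z,EX07\Default EX07,08CC0001,3,10.0.0.5:25,192.0.2.10:41022,-,,Remote
2009-10-12T08:05:00.000Z,EX07\Default EX07,08CC0002,0,10.0.0.5:25,192.0.2.10:41090,+,,
2009-10-12T08:05:00.100Z,EX07\Default EX07,08CC0002,1,10.0.0.5:25,192.0.2.10:41090,<,QUIT,
2009-10-12T08:05:00.200Z,EX07\Default EX07,08CC0002,2,10.0.0.5:25,192.0.2.10:41090,-,,Local
2009-10-12T08:07:00.000Z,EX07\Default EX07,08CC0003,0,10.0.0.5:25,198.51.100.7:50311,+,,
2009-10-12T08:07:00.100Z,EX07\Default EX07,08CC0003,1,10.0.0.5:25,198.51.100.7:50311,<,HELO app.example.test,
2009-10-12T08:07:01.000Z,EX07\Default EX07,08CC0003,2,10.0.0.5:25,198.51.100.7:50311,-,,Remote
"""

def read_rows(stream):
    """Yield one dict per log line, using the '#Fields:' header for column names."""
    fields = None
    for line in stream:
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].strip().split(",")
            continue
        if fields and line.strip():
            # csv handles quoted data values that contain commas
            yield dict(zip(fields, next(csv.reader([line]))))

def remote_host(endpoint):
    """Drop the trailing ':port', like EXTRACT_PREFIX(remote-endpoint,0,':')."""
    return endpoint.rpartition(":")[0] or endpoint

def hits_by_host(stream):
    """Return [(host, log_lines, distinct_sessions)], busiest host first."""
    lines, sessions = Counter(), {}
    for row in read_rows(stream):
        host = remote_host(row["remote-endpoint"])
        lines[host] += 1
        sessions.setdefault(host, set()).add(row["session-id"])
    return [(h, n, len(sessions[h])) for h, n in lines.most_common()]

if __name__ == "__main__":
    for host, n, s in hits_by_host(io.StringIO(SAMPLE_LOG)):
        print(f"{host:<16} lines={n:<4} sessions={s}")
```

A host with a high line count but few sessions is sending long conversations; a host with many sessions is connecting often, which is usually the figure wanted when reviewing who relays through the server.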

Related articles

http://msexchangeteam.com/archive/2007/09/12/446982.aspx
http://msexchangeteam.com/archive/2007/11/12/447515.aspx
http://msexchangeteam.com/archive/2007/11/28/447598.aspx
http://linuxlore.blogspot.com/2006/11/howto-use-microsofts-logparser-to.html
