Understanding Protocol Logging

Applies to: Exchange Server 2010

Protocol logging records the SMTP conversations that occur between e-mail servers as part of message delivery. These SMTP conversations occur on Send connectors and Receive connectors configured on servers running Microsoft Exchange Server 2010 that have the Hub Transport server role or the Edge Transport server role installed. You can use protocol logging to diagnose mail flow problems.

By default, protocol logging is disabled on all Send connectors and Receive connectors. Protocol logging is enabled or disabled on a per-connector basis. Other protocol logging options are set on a per-connector type basis for the whole server. All the Receive connectors on a Hub Transport server or an Edge Transport server share the same protocol log files and protocol log options. These protocol log files and protocol log options are separate from the Send connector protocol log files and protocol log options on the same server.

The following options are available for the protocol logs of all Send connectors or all Receive connectors on an Edge Transport server or a Hub Transport server:

  • Specify the location of the Send connector or the Receive connector protocol log files.
  • Specify a maximum size for the Send connector or the Receive connector protocol log files. The default size is 10 megabytes (MB).
  • Specify a maximum size for the directory that contains the Send connector or Receive connector protocol log files. The default size is 250 MB.
  • Specify a maximum age for the Send connector or Receive connector protocol log files. The default age is 30 days.

By default, the Exchange 2010 server uses circular logging to limit the protocol logs based on file size and file age to help control the hard disk space used by the log files.

A special Send connector named the intra-organization Send connector exists on every Hub Transport server. This connector is implicitly created, invisible, and requires no management. The intra-organization Send connector is used to relay messages to the following destinations:

  • To other Hub Transport servers in the Exchange organization, including Exchange 2007 Hub Transport servers
  • To Exchange Server 2003 servers in the Exchange organization
  • To Edge Transport servers in the Exchange organization

By default, protocol logging for the intra-organization Send connector is disabled. You can enable or disable protocol logging for the intra-organization Send connector by using the IntraOrgConnectorProtocolLoggingLevel parameter on the Set-TransportServer cmdlet. If you enable protocol logging for the intra-organization Send connector, logging occurs in the Send connector protocol logs configured on the Hub Transport server.

Looking for management tasks related to protocol logging? See Managing Transport Servers.

Structure of the Protocol Log Files

By default, the protocol log files exist in the following locations:

  • Receive connector protocol log files   C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
  • Send connector protocol log files   C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend

The naming convention for log files in each protocol log directory is prefixyyyymmdd-nnnn.log. The placeholders represent the following information:

  • The placeholder prefix is SEND for Send connectors or RECV for Receive connectors.
  • The placeholder yyyymmdd is the Coordinated Universal Time (UTC) date on which the log file was created. The placeholder yyyy = year, mm = month, and dd = day.
  • The placeholder nnnn is an instance number that starts at the value of 1 for each day.

Information is written to the log file until the file size reaches its maximum specified value, at which point a new log file that has an incremented instance number is opened. This process is repeated throughout the day. Circular logging deletes the oldest log files when the protocol log directory reaches its maximum specified size, or when a log file reaches its maximum specified age.

The protocol log files are text files that contain data in the comma-separated value file (CSV) format. Each protocol log file has a header that contains the following information:

  • #Software   Name of the software that created the protocol log file. Typically, the value is Microsoft Exchange Server.
  • #Version   Version number of the software that created the protocol log file. Currently, the value is 14.0.0.0.
  • #Log-Type   Log type of the file, which is either SMTP Receive Protocol Log or SMTP Send Protocol Log.
  • #Date   UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
  • #Fields   Comma-delimited field names used in the protocol log files.

Information Written to the Protocol Log

The protocol log stores each SMTP protocol event on a single line. The information stored on each line is organized by fields, which are separated by commas. The following table describes the fields used to classify each protocol event.

Fields used to classify each protocol event

Field name   Description

  • date-time   UTC date-time of the protocol event, which is represented in the ISO 8601 format. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
  • connector-id   Distinguished name (DN) of the connector associated with the SMTP event.
  • session-id   GUID that's unique for each SMTP session but is the same for each event associated with that SMTP session.
  • sequence-number   Counter that starts at 0 and is incremented for each event in the same SMTP session.
  • local-endpoint   Local endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>:<port>.
  • remote-endpoint   Remote endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>:<port>.
  • event   Single character that represents the protocol event. The possible values for the event are as follows:
      • +   Connect
      • -   Disconnect
      • >   Send
      • <   Receive
      • *   Information
  • data   Text information associated with the SMTP event.
  • context   Additional contextual information that may be associated with the SMTP event.

A single SMTP conversation that represents the sending or receiving of a single e-mail message generates multiple SMTP events. These SMTP events cause multiple lines to be written to the protocol log. Multiple SMTP conversations that represent the sending or receiving of multiple e-mail messages can occur at the same time. This creates protocol log entries from different SMTP conversations that are interspersed. You can use the session-id and sequence-number fields to sort the protocol log entries by SMTP conversation.
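
The grouping described above, together with reading the # header lines described under Structure of the Protocol Log Files, as a Python example that is added here and is not Microsoft's code. The sample log is constructed; the "#Name: value" header layout, the host names and identifiers, and the completeness check (a whole session runs from a + event to a - event) are assumptions.

```python
import csv
from collections import defaultdict

# Constructed sample; the "#Name: value" header layout is an assumption.
SAMPLE_LOG = r'''#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-Type: SMTP Receive Protocol Log
#Date: 2010-03-01T08:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-03-01T08:00:01.000Z,HUB01\Default HUB01,08CC0000000000A1,0,192.0.2.10:25,198.51.100.7:40112,+,,
2010-03-01T08:00:01.010Z,HUB01\Default HUB01,08CC0000000000A1,1,192.0.2.10:25,198.51.100.7:40112,>,"220 hub01.example.com ready at Mon, 1 Mar 2010 08:00:01 +0000",
2010-03-01T08:00:01.020Z,HUB01\Default HUB01,08CC0000000000B2,0,192.0.2.10:25,203.0.113.9:51500,+,,
2010-03-01T08:00:01.030Z,HUB01\Default HUB01,08CC0000000000A1,2,192.0.2.10:25,198.51.100.7:40112,<,EHLO mail.example.net,
2010-03-01T08:00:01.040Z,HUB01\Default HUB01,08CC0000000000A1,3,192.0.2.10:25,198.51.100.7:40112,>,250 hub01.example.com Hello [198.51.100.7],
2010-03-01T08:00:01.050Z,HUB01\Default HUB01,08CC0000000000B2,1,192.0.2.10:25,203.0.113.9:51500,>,"220 hub01.example.com ready at Mon, 1 Mar 2010 08:00:01 +0000",
2010-03-01T08:00:01.060Z,HUB01\Default HUB01,08CC0000000000A1,4,192.0.2.10:25,198.51.100.7:40112,<,QUIT,
2010-03-01T08:00:01.070Z,HUB01\Default HUB01,08CC0000000000A1,5,192.0.2.10:25,198.51.100.7:40112,>,221 2.0.0 Service closing transmission channel,
2010-03-01T08:00:01.080Z,HUB01\Default HUB01,08CC0000000000A1,6,192.0.2.10:25,198.51.100.7:40112,-,,Local
'''

def parse_protocol_log(text):
    """Return (header, events). The csv module keeps quoted data values that contain commas intact."""
    header, rows = {}, []
    for line in text.splitlines():
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            header[name.strip()] = value.strip()
        elif line.strip():
            rows.append(line)
    events = list(csv.DictReader(rows, fieldnames=header["Fields"].split(",")))
    return header, events

def conversations(events):
    """Group events by session-id and order each group by sequence-number."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["session-id"]].append(ev)
    for evs in sessions.values():
        evs.sort(key=lambda ev: int(ev["sequence-number"]))  # numeric, so 10 follows 9
    return dict(sessions)

def is_complete(evs):
    """Assumed check: numbers run 0..n-1, first event is '+', last event is '-'."""
    seqs = [int(ev["sequence-number"]) for ev in evs]
    return seqs == list(range(len(evs))) and evs[0]["event"] == "+" and evs[-1]["event"] == "-"

if __name__ == "__main__":
    for sid, evs in conversations(parse_protocol_log(SAMPLE_LOG)[1]).items():
        print(sid, "complete" if is_complete(evs) else "partial", [ev["data"] for ev in evs])
```

A session reported as partial is one whose remaining events are not in this file, for example because the session was still open when the sample ends.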