An Exchange organization may have send connectors that are believed to be no longer in use, for example a send connector that was used for a shared SMTP namespace.

However, when you are planning the removal of a send connector there is a concern that some email traffic may still be flowing through it, so you will want to investigate that before making the change.

One way of determining send connector usage is to analyze the protocol logs. If you're not already familiar with protocol logging, I wrote an article about it here that is a good starting place.

To begin with you should check whether your send connector has protocol logging enabled.

[PS] C:>Get-SendConnector "Name of Send Connector" | fl ProtocolLoggingLevel

ProtocolLoggingLevel : Verbose

There are two possible values: None (off) or Verbose (on). If protocol logging is not already set to Verbose you can turn it on using Set-SendConnector.

[PS] C:>Set-SendConnector "Name of Send Connector" -ProtocolLoggingLevel Verbose

A default protocol logging configuration retains 30 days' worth of logs, but you can start analyzing them after a day or so if you think that is all the time you need to discover any systems still using the connector. For rarely used connectors, the longer you wait the better the chance that you'll capture something.

Using Log Parser to View Send Connector Hits in Protocol Logs

We can use a Log Parser query to search through the protocol logs and count the "hits" for each connector, because one of the fields in the log file is the "connector-id".

SELECT connector-id,
       Count(*) as Hits
from *.log
WHERE data LIKE '%EHLO%'
GROUP BY connector-id
ORDER BY Hits DESC

To run this query, open Log Parser, navigate to the folder containing the send connector protocol logs (C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend by default on an Exchange 2010 server; refer to the protocol logging article if you need more help finding the path on your server), and then run the command:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT connector-id,Count(*) as Hits from *.log WHERE data LIKE '%EHLO%' GROUP BY connector-id ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1

connector-id          Hits
--------------------- -----
Internet              70556
Shared Domains        152
Fax Gateway           4

Statistics:
-----------
Elements processed: 1469279
Elements output:    4
Execution time:     4.52 seconds

Using Log Parser to Analyze Email Traffic on a Send Connector

As you can see in the output above, the "Shared Domains" connector has registered a small number of hits. To dig into that further we can use Log Parser again to query the logs for the "RCPT TO" command used in each SMTP transaction, which tells us the recipient email address.

SELECT data,
       Count(*) as Hits
from *.log
WHERE connector-id = 'Shared Domains'
AND data LIKE '%RCPT TO%'
GROUP BY data
ORDER BY Hits DESC

Again, run this from Log Parser after navigating to the SmtpSend folder:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%RCPT TO%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1

You should see output similar to this.

data                                          Hits
--------------------------------------------- ----
RCPT TO:                                      18
RCPT TO: ORCPT=rfc822;david@domain.com.au     6
RCPT TO: ORCPT=rfc822;peter@domain.com.au     5
RCPT TO: ORCPT=rfc822;cathy@domain.com.au     4
RCPT TO: ORCPT=rfc822;michael@domain.com.au   4
RCPT TO: ORCPT=rfc822;michelle@domain.com.au  4
RCPT TO: ORCPT=rfc822;donna@domain.com.au     3
RCPT TO: ORCPT=rfc822;jacinta@domain.com.au   3

Knowing which recipients are still receiving email over a particular send connector is very useful for tracking down stragglers: mailboxes or applications that the connector was originally set up for, but that have not been migrated properly.

You can do the same analysis by searching for "MAIL FROM" instead, which shows you the senders of the emails; that is also useful in some cases.

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%MAIL FROM%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
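As an added illustration (not code from the article, and not part of Log Parser or Exchange), the Python script below parses the same SmtpSend protocol log layout and reproduces all three queries from this article: EHLO hits per connector, and the RCPT TO and MAIL FROM breakdown for one connector. It goes one step further than the Log Parser queries by also keying on the bare address inside the angle brackets, so that varying ESMTP parameters such as SIZE= and ORCPT= do not split one sender or recipient across several rows. The log text, session ids, hosts and addresses are constructed for the example, and the function names are my own.

```python
"""Hypothetical added example: tally send-connector usage straight from
Exchange SmtpSend protocol logs, reproducing the article's Log Parser
queries. The log text, hosts and addresses below are constructed."""
import csv
import re
from collections import Counter
from typing import Dict, Iterable, Iterator

# Constructed sample in the Exchange 2010 SmtpSend layout. The first four
# banner lines are what Log Parser skips with -nSkipLines:4; the #Fields:
# line names the columns. Event codes: + connect, - disconnect, > sent,
# < received, * information.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2013-03-21T00:00:02.437Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-03-21T00:00:02.437Z,Internet,08CFE4F3D2C5A1B2,0,,203.0.113.25:25,*,,attempting to connect
2013-03-21T00:00:02.500Z,Internet,08CFE4F3D2C5A1B2,1,192.0.2.10:51234,203.0.113.25:25,+,,
2013-03-21T00:00:02.520Z,Internet,08CFE4F3D2C5A1B2,2,192.0.2.10:51234,203.0.113.25:25,<,"220 mx.example.net ESMTP ready, Thu 21 Mar 2013",
2013-03-21T00:00:02.530Z,Internet,08CFE4F3D2C5A1B2,3,192.0.2.10:51234,203.0.113.25:25,>,EHLO mail.example.com,
2013-03-21T00:00:02.600Z,Internet,08CFE4F3D2C5A1B2,4,192.0.2.10:51234,203.0.113.25:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
2013-03-21T00:00:02.610Z,Internet,08CFE4F3D2C5A1B2,5,192.0.2.10:51234,203.0.113.25:25,>,RCPT TO:<bob@example.net>,
2013-03-21T00:00:02.700Z,Internet,08CFE4F3D2C5A1B2,6,192.0.2.10:51234,203.0.113.25:25,-,,Local
2013-03-21T00:01:10.100Z,Internet,08CFE4F3D2C5A1B3,3,192.0.2.10:51235,203.0.113.26:25,>,EHLO mail.example.com,
2013-03-21T00:01:10.200Z,Internet,08CFE4F3D2C5A1B3,4,192.0.2.10:51235,203.0.113.26:25,>,MAIL FROM:<carol@example.com> SIZE=512,
2013-03-21T00:01:10.210Z,Internet,08CFE4F3D2C5A1B3,5,192.0.2.10:51235,203.0.113.26:25,>,RCPT TO:<bob@example.net>,
2013-03-21T00:05:00.000Z,Shared Domains,08CFE4F3D2C5A1C0,3,192.0.2.10:51240,198.51.100.7:25,>,EHLO mail.example.com,
2013-03-21T00:05:00.050Z,Shared Domains,08CFE4F3D2C5A1C0,4,192.0.2.10:51240,198.51.100.7:25,>,MAIL FROM:<faxserver@example.com> SIZE=99,
2013-03-21T00:05:00.060Z,Shared Domains,08CFE4F3D2C5A1C0,5,192.0.2.10:51240,198.51.100.7:25,>,RCPT TO:<david@domain.com.au> ORCPT=rfc822;david@domain.com.au,
2013-03-21T00:05:00.070Z,Shared Domains,08CFE4F3D2C5A1C0,6,192.0.2.10:51240,198.51.100.7:25,>,RCPT TO:<peter@domain.com.au> ORCPT=rfc822;peter@domain.com.au,
"""

BANNER_LINES = 4          # same lines Log Parser skips with -nSkipLines:4
ADDR_RE = re.compile(r"<([^>]*)>")   # the <address> part of MAIL FROM / RCPT TO


def parse_protocol_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names on the #Fields: line.
    The data column may contain commas (server banners, ESMTP parameters),
    so the body is read with a real CSV reader rather than split on ','."""
    lines = text.splitlines()
    if len(lines) <= BANNER_LINES or not lines[BANNER_LINES].startswith("#Fields: "):
        raise ValueError("no '#Fields:' line after the four banner lines")
    fieldnames = lines[BANNER_LINES][len("#Fields: "):].split(",")
    for row in csv.reader(lines[BANNER_LINES + 1:]):
        if not row or row[0].startswith("#"):
            continue                      # blank line or repeated banner
        yield dict(zip(fieldnames, row))


def connector_hits(records: Iterable[Dict[str, str]], command: str = "EHLO") -> Counter:
    """Article query 1: WHERE data LIKE '%EHLO%' GROUP BY connector-id."""
    hits: Counter = Counter()
    for rec in records:
        if command in rec.get("data", ""):
            hits[rec.get("connector-id", "")] += 1
    return hits


def data_hits(records: Iterable[Dict[str, str]], connector: str, command: str) -> Counter:
    """Article queries 2 and 3: the raw data field per RCPT TO / MAIL FROM
    line on one connector, exactly as Log Parser groups it."""
    hits: Counter = Counter()
    for rec in records:
        if rec.get("connector-id") == connector and command in rec.get("data", ""):
            hits[rec["data"]] += 1
    return hits


def address_hits(records: Iterable[Dict[str, str]], connector: str, command: str) -> Counter:
    """Like data_hits, but keyed on the bare <address> so SIZE= / ORCPT=
    parameters do not scatter one sender or recipient over several rows."""
    hits: Counter = Counter()
    for rec in records:
        data = rec.get("data", "")
        if rec.get("connector-id") != connector or not data.startswith(command):
            continue
        match = ADDR_RE.search(data)
        hits[match.group(1) if match else data] += 1
    return hits


def main() -> None:
    records = list(parse_protocol_log(SAMPLE_LOG))
    print("connector-id          Hits")
    for connector, hits in connector_hits(records).most_common():
        print(f"{connector:<21} {hits}")
    for command in ("RCPT TO", "MAIL FROM"):
        print(f"\n{command} on 'Shared Domains':")
        for addr, hits in address_hits(records, "Shared Domains", command).most_common():
            print(f"{addr:<40} {hits}")


if __name__ == "__main__":
    main()
```

To run it against real logs, replace SAMPLE_LOG with the contents of each file in the SmtpSend folder and merge the Counters; the four banner lines and the #Fields: header are present in every log file, which is why parse_protocol_log checks for them per file.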

Summary

As the examples above show, the protocol logs contain very useful information that can help you determine whether a send connector is still being used in your Exchange Server organization.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Suman Mankala

    Does it work on a Win 2003 R2 server? I'm getting the error below, please advise.

    Unexpected token ‘SELECT data,Count(*) as Hits from *.log WHERE connector-id =
    ‘Quest_Internet’ AND data LIKE ‘%RCPT TO%’ GROUP BY data ORDER BY Hits DESC’ in
    expression or statement.
    At line:1 char:190
    + “C:Program Files (x86)Log Parser 2.2logparser.exe” “SELECT data,Count(*) as H
    its from *.log WHERE connector-id = ‘Quest_Internet’ AND data LIKE ‘%RCPT TO%’
    GROUP BY data ORDER BY Hits DESC” <<< “C:\Suma
    n\MWNHUBP00smtpsend.csv”
    + CategoryInfo : ParserError: (SELECT data,Cou…ER BY Hits DESC:
    String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

  2. Jeffrey Hagedorn

    I used some of your examples to create: “Exchange SMTP Log Sent last 30 minutes”

    SELECT [#Fields: date-time],[data],
    EXTRACT_PREFIX(remote-endpoint,0,':') as IP,
    REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as Name,
    TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'.'),'yyyy-MM-ddThh:mm:ss')) as [LogDateTime],
    SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-01 01:00', 'yyyy-MM-dd HH:mm')) as [ThirtyMinutesAgo],
    TO_LOCALTIME(SYSTEM_TIMESTAMP()) as [CurrentDateTime]
    FROM '[LOGFILEPATH]'
    WHERE [data] LIKE '%EHLO%'
    AND [LogDateTime]
    BETWEEN [ThirtyMinutesAgo]
    AND [CurrentDateTime]
    ORDER BY [#Fields: date-time] DESC

    * Point [LOGFILEPATH] to your: 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.LOG'

    Thought it might help someone else along the way.

    1. Jeffrey Hagedorn

      Sorry, old code:
      TIMESTAMP('0000-01-01 01:00', ... (1 hour)
      TIMESTAMP('0000-01-01 00:30', ... (30 mins)

      You get the idea.. 🙂

  3. Tomas Esteban Corey

    Hi Paul,
    Thanks a lot. I'm trying to get IP SOURCE, IP DEST, FROM, TO.

    Can you help me?

    Thanks
    Tomás

  4. Francis

    Hello,

    Is it supposed to work for Exchange 2010?

    I get the following:

    C:\ProgramFiles\Microsoft\ExchangeServer\V14\TransportRoles\Logs\ProtocolLog\SmtpSend>”C:\Program Files (x86)\Log Parser 2.2\logparser.exe” “SELECT connector-id, Count(*) as Hits FROM *log WHERE data LIKE ‘%EHLO%’ GROUP BY connector-id ORDER BY Hits DESC”

    WARNING: Input format not specified – using TEXTLINE input format.
    Error: SELECT clause: Syntax Error: unknown field ‘connector-id’

  5. Naveenkumar

    Hi Paul,

    Need some small help: I need to check whether a connection was TLS or non-TLS. A few applications relay emails using TLS and a few non-TLS; how can I determine this from Log Parser? Can you help with this please.

  6. Greg Fisher

    Thanks for this – really going to help me move off my 2007 relays and onto 2013. I did find it easier to track down the offending devices by changing the %RCPT TO% to %MAIL FROM%. Appreciate the write up!

  7. Seve

    When I try running the command I get the following error.
    What am I doing wrong?

    Thanks,

    Edit: removed due to page breaking

  8. Jojp23

    The Log Parser software is not working on Windows 2008 Enterprise. Please recommend an alternate. I get a message that it is not a valid Win32 application.

    1. Paul Cunningham

      Maybe you have a corrupt file? Try downloading and reinstalling. It's always worked fine for me on 2008.

  9. Georgi Petkov

    Hi Paul,
    thank you for sharing the SQL queries for SMTP protocol logs.
    It’s very much appreciated.

    Best regards,
    Georgi Petkov
