Home » Exchange Server » Generate SMTP Error Statistics using Log Parser and Exchange Server 2010 Protocol Logs

Generate SMTP Error Statistics using Log Parser and Exchange Server 2010 Protocol Logs

The Exchange Server 2010 protocol logs can reveal some interesting information to you about the number of SMTP errors that are occurring for connections to or from your server.

This information is useful for scenarios such as checking whether your outbound mail may experiencing a high rate of failure, or discovering whether someone is continually trying to relay through your email server (in which case you could then look at the top sender IP addresses to investigate further).

Remember that protocol logging is not enabled by default on Exchange 2010, and must be enabled on a per-connector basis if you want to use it.

For SMTP error statistics we can use Log Parser to check the protocol logs for instances of SMTP status codes starting with “5” (which are permanent failures). The Log Parser query for this is as follows:

When run from the folder containing the protocol logs it will be as follows:

This will give you output similar to this:

You can also report on the number of SMTP errors occurring each day to get a baseline, which will help when you need to identify whether a sudden spike in SMTP errors has occurred. This Log Parser query will be as follows:

When run from the protocol log directory it will be as follows:

And of course, provided you have the Office Web Components installed, you can generate a graph of this same data.

Which will give you a graph similar to this:

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server

11 comments

  1. Mike says:

    Hi Paul- thanks for the great write-up. I have one question. My output has some odd things in it, I think it’s picking up numbers in the data column that are not indicative of SMTP errors, many of them are 6 digits. My output is below. Am I misunderstanding or is logparser picking up 5’s that are not SMTP errors?

    Status Code Hits
    —————————————————————————— —-
    550003 803
    547710 753
    554271 620
    556009 557
    556436 404
    552224 217
    550725 128
    559783 57
    519658271A49FFA3E619EE416620EF524552103F 47
    51F7900806F0783F09D45D5017A89322AFEB3FC3 39
    558912 23
    555756 23
    550 5.1.1 Host 63.250.236.234 error: B1.1.1 20
    556487 13
    559347 12
    559342 11
    556250 9
    557094 8
    554 rejected due to spam content 8
    559324 8
    559246 8
    550 5.7.1 Recipients have complained about included content (B-URL) 7
    564148 6
    559625 6
    559433 6
    557062 6
    562798 6
    559628 6
    557161 6
    557431 6
    534E5E0F2AE22351F9A6D5D12931B5081D60FD47 6
    563211 6
    563217 5
    550 No Such User Here 5
    550 #5.1.0 Address rejected. 5
    556914 5
    550 5.1.1 User unknown 5
    561213 5
    561798 5
    503 need MAIL FROM first 5
    559114 5
    559746 5
    559328 5
    558814 4
    559758 4
    556824 4
    556868 4
    500 5.3.3 Unrecognized command 4
    550-5.1.1 The email account that you tried to reach does 4
    550-5.1.1 unnecessary spaces. Learn more at 4

    Statistics:
    ———–
    Elements processed: 140056
    Elements output: 50
    Execution time: 0.17 seconds

  2. Mike says:

    I think it’s picking up on lines such as these:

    2012-08-28T13:28:25.935Z,To_Internet,08CF52B5572C1755,14,192.168.84.3:49949,REMOTE_IP:25,*,563579,sending message
    2012-08-28T13:28:30.185Z,To_Internet,08CF52B5572C1757,34,192.168.84.3:49950,REMOTE_IP:25,*,563581,sending message
    2012-08-28T13:30:57.064Z,To_Internet,08CF52B5572C1780,34,192.168.84.3:49976,REMOTE_IP:25,*,563595,sending message

  3. Muzi says:

    thanks for the awesome post Paul… like always :), is it possible to fetch the failed count for specific time, e.g. for past one day or one hour,

    thanks in advance.

  4. mano says:

    Hi

    Can you please let me how i get the TLS email traffic from Exchange 2010 edge server SMTP protocol send log.

    Logparser or Powershell… Please sugget and share some example.

  5. Ed Steele says:

    Just some feedback on the tagged content – it is so annoying that one cannot select the text beyond the horizontal scroll!!! It is maddening. You have to use notepad to piece together the pieces that are visible until you get the whole string. IE 11.

    Unless I am missing something, I have been absolutely unable to select the entire text of the items in one shot.

    For example: “C:Program Files (x86)Log Parser 2.2logparser.exe” “SELECT TO_LOCALTIME(TO_TIMESTAMP(EXTRACT

    and that is as good as it gets.

    • A double-click to “select all” works pretty well for me. Easier than trying to drag/scroll across anyway.

      I’ve considered publishing script and command examples with line breaks but I suspect that will just create a whole different problem for some folks.

Leave a Reply

Your email address will not be published. Required fields are marked *