The Exchange Server 2010 protocol logs can reveal some interesting information to you about the number of SMTP errors that are occurring for connections to or from your server.
This information is useful for scenarios such as checking whether your outbound mail may experiencing a high rate of failure, or discovering whether someone is continually trying to relay through your email server (in which case you could then look at the top sender IP addresses to investigate further).
Remember that protocol logging is not enabled by default on Exchange 2010, and must be enabled on a per-connector basis if you want to use it.
For SMTP error statistics we can use Log Parser to check the protocol logs for instances of SMTP status codes starting with “5” (which are permanent failures). The Log Parser query for this is as follows:
SELECT data as [Status Code], Count(*) as Hits FROM *.log WHERE data LIKE '5%' GROUP BY data ORDER BY Hits DESC
When run from the folder containing the protocol logs it will be as follows:
"C:Program Files (x86)Log Parser 2.2logparser.exe" "SELECT data as [Status Code],Count(*) as Hits FROM *.log WHERE data LIKE '5%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
This will give you output similar to this:
Status Code Hits ------------------------------------------------- ---- 500 5.3.3 Unrecognized command 3632 501 5.1.3 Invalid address 1411 501 5.1.7 Invalid address 200 554 5.4.6 Hop count exceeded - possible mail loop 100 503 5.5.2 Send hello first 20 503 5.5.2 Sender already specified 4 501 5.5.4 Unrecognized parameter 2 504 5.7.4 Unrecognized authentication type 1 Statistics: ----------- Elements processed: 13113294 Elements output: 8 Execution time: 150.15 seconds (00:02:30.15)
You can also report on the number of SMTP errors occurring each day to get a baseline, which will help when you need to identify whether a sudden spike in SMTP errors has occurred. This Log Parser query will be as follows:
SELECT TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'T'), 'yyyy-MM-dd')) AS Date, COUNT(*) AS Hits FROM *.log WHERE (data LIKE '5%') GROUP BY Date ORDER BY Date ASC
When run from the protocol log directory it will be as follows:
"C:Program Files (x86)Log Parser 2.2logparser.exe" "SELECT TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'T'), 'yyyy-MM-dd')) AS Date, COUNT(*) AS Hits from *.log where (data LIKE '5%') GROUP BY Date ORDER BY Date ASC" -i:CSV -nSkipLines:4 -rtp:-1
And of course, provided you have the Office Web Components installed, you can generate a graph of this same data.
"C:Program Files (x86)Log Parser 2.2logparser.exe" "SELECT TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'T'), 'yyyy-MM-dd')) AS Date, COUNT(*) AS [SMTP Errors] INTO DailySMTPErrors.gif from *.log where (data LIKE '5%') GROUP BY Date ORDER BY Date ASC" -i:CSV -nSkipLines:4 -chartType:Column3D
Which will give you a graph similar to this:
I would like to extract all anonymous access from smtp logs.
I have a receive connector with anonynous users enabled in permission groups tab.
Do you know if there is a way to do it ?
Thank you very much.
You should be able to get that info from the protocol logs.
I can find only some “autheticated” connection between all log rows.
What is the exactly value I have to search inside logs to find anonymous authentications ?
Thank’s a lot.
How can I fix a ‘5.1.3 Invalid address’ error? My outbound email are not being sent.
Just some feedback on the tagged content – it is so annoying that one cannot select the text beyond the horizontal scroll!!! It is maddening. You have to use notepad to piece together the pieces that are visible until you get the whole string. IE 11.
Unless I am missing something, I have been absolutely unable to select the entire text of the items in one shot.
For example: “C:Program Files (x86)Log Parser 2.2logparser.exe” “SELECT TO_LOCALTIME(TO_TIMESTAMP(EXTRACT
and that is as good as it gets.
A double-click to “select all” works pretty well for me. Easier than trying to drag/scroll across anyway.
I’ve considered publishing script and command examples with line breaks but I suspect that will just create a whole different problem for some folks.
Thanks Paul. After a few retries I was actually able to get it to select all. It must have been something wrong with the operator valve. Thanks again. Ed
Can you please let me how i get the TLS email traffic from Exchange 2010 edge server SMTP protocol send log.
Logparser or Powershell… Please sugget and share some example.
Not sure what you mean. Turn on protocol logging for that send connector, and the traffic will be logged.
Pingback: Troubleshooting Email Delivery with Exchange Server Protocol Logging
thanks for the awesome post Paul… like always :), is it possible to fetch the failed count for specific time, e.g. for past one day or one hour,
thanks in advance.
I think it’s picking up on lines such as these:
I guess so. My own output was pretty clean so I guess you’ve got some stuff in your logs that I don’t 🙂
In my examples, the bad lines are all 6 digit codes or longer that start with 5. Is there a way to tell logparser to only pick up codes that start with 5 and are 3 digits long?
Hi Paul- thanks for the great write-up. I have one question. My output has some odd things in it, I think it’s picking up numbers in the data column that are not indicative of SMTP errors, many of them are 6 digits. My output is below. Am I misunderstanding or is logparser picking up 5’s that are not SMTP errors?
Status Code Hits
550 5.1.1 Host 188.8.131.52 error: B1.1.1 20
554 rejected due to spam content 8
550 5.7.1 Recipients have complained about included content (B-URL) 7
550 No Such User Here 5
550 #5.1.0 Address rejected. 5
550 5.1.1 User unknown 5
503 need MAIL FROM first 5
500 5.3.3 Unrecognized command 4
550-5.1.1 The email account that you tried to reach does 4
550-5.1.1 unnecessary spaces. Learn more at 4
Elements processed: 140056
Elements output: 50
Execution time: 0.17 seconds