For those familiar with the GUI interface for Exchange Server 2003 diagnostic logging the new Exchange Server 2007 diagnostic logging cmdlets might seem a little daunting at first. But with a little PowerShell understanding they become much easier to manage. Lets take a look at a few examples.
First of all the two shell cmdlets we are going to use are Get-EventLogLevel and Set-EventLogLevel. Each does what the name suggests, and can be combined to manage multiple diagnostic logging items quickly and easily. The -Level parameter of each cmdlet determines what level of diagnostic logging is displayed. The levels you can choose are 0 (Lowest), 1 (Low), 3 (Medium), 5 (High), and 7 (Expert). Usually level 5 (High) is adequate but sometimes you will want level 7 (Expert). The default level is 0 (Lowest) and should always be reset once your troubleshooting is complete.
Running Get-EventLogLevel on its own will output a long list of diagnostic logging items.
[PS] C:\>Get-EventLogLevel Identity EventLevel -------- ---------- MSExchange ActiveSyncRequests Lowest MSExchange ActiveSyncConfiguration Lowest MSExchange AntispamGeneral Lowest MSExchange AutodiscoverCore Lowest MSExchange AutodiscoverWeb Lowest ...
To change the diagnostic logging level for one of these items we use Set-EventLogLevel.
[PS] C:\>Set-EventLogLevel "MSExchange ActiveSyncRequests" -Level 5
You can see the outcome of this by running Get-EventLogLevel again.
[PS] C:\>Get-EventLogLevel Identity EventLevel -------- ---------- MSExchange ActiveSyncRequests High MSExchange ActiveSyncConfiguration Lowest MSExchange AntispamGeneral Lowest MSExchange AutodiscoverCore Lowest ...
Changing the level back is the same command with a different -Level value used.
[PS] C:\>Set-EventLogLevel "MSExchange ActiveSyncRequests" -Level 0
Now lets say you are troubleshooting a Public Folder issue and want to turn up all of the diagnostic logging items for Public Folders. You could run the Set-EventLogLevel cmdlet for each of the Public Folder logging items but that would be quite tedious as there are quite a few.
MSExchangeIS9001 PublicTransport General Lowest MSExchangeIS9001 PublicGeneral Lowest MSExchangeIS9001 PublicReplication DS Updates Lowest MSExchangeIS9001 PublicReplication Incoming Messages Lowest MSExchangeIS9001 PublicReplication Outgoing Messages Lowest MSExchangeIS9001 PublicReplication NDRs Lowest MSExchangeIS9001 PublicTransport Sending Lowest MSExchangeIS9001 PublicTransport Delivering Lowest MSExchangeIS9001 PublicMTA Connections Lowest MSExchangeIS9001 PublicLogons Lowest MSExchangeIS9001 PublicAccess Control Lowest MSExchangeIS9001 PublicSend On Behalf Of Lowest MSExchangeIS9001 PublicSend As Lowest MSExchangeIS9001 PublicRules Lowest MSExchangeIS9001 PublicStorage Limits Lowest MSExchangeIS9001 PublicReplication Site Folders Lowest MSExchangeIS9001 PublicReplication Expiry Lowest MSExchangeIS9001 PublicReplication Conflicts Lowest MSExchangeIS9001 PublicReplication Backfill Lowest MSExchangeIS9001 PublicBackground Cleanup Lowest MSExchangeIS9001 PublicReplication Errors Lowest MSExchangeIS9001 PublicDS Synchronization Lowest MSExchangeIS9001 PublicViews Lowest MSExchangeIS9001 PublicReplication General Lowest MSExchangeIS9001 PublicDownload Lowest MSExchangeIS9001 PublicLocal Replication Lowest
With a little PowerShell syntax we can set the logging level of all of these items in a single command.
[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS9001 Public*"} | Set-EventLogLevel -Level 5
Get-EventLogLevel will show us the outcome of this.
[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS9001 Public*"} Identity EventLevel -------- ---------- MSExchangeIS9001 PublicTransport General High MSExchangeIS9001 PublicGeneral High MSExchangeIS9001 PublicReplication DS Updates High MSExchangeIS9001 PublicReplication Incoming Messages High MSExchangeIS9001 PublicReplication Outgoing Messages High MSExchangeIS9001 PublicReplication NDRs High MSExchangeIS9001 PublicTransport Sending High MSExchangeIS9001 PublicTransport Delivering High MSExchangeIS9001 PublicMTA Connections High MSExchangeIS9001 PublicLogons High MSExchangeIS9001 PublicAccess Control High MSExchangeIS9001 PublicSend On Behalf Of High MSExchangeIS9001 PublicSend As High MSExchangeIS9001 PublicRules High MSExchangeIS9001 PublicStorage Limits High MSExchangeIS9001 PublicReplication Site Folders High MSExchangeIS9001 PublicReplication Expiry High MSExchangeIS9001 PublicReplication Conflicts High MSExchangeIS9001 PublicReplication Backfill High MSExchangeIS9001 PublicBackground Cleanup High MSExchangeIS9001 PublicReplication Errors High MSExchangeIS9001 PublicDS Synchronization High MSExchangeIS9001 PublicViews High MSExchangeIS9001 PublicReplication General High MSExchangeIS9001 PublicDownload High MSExchangeIS9001 PublicLocal Replication High
To reset the logging levels when we are finished troubleshooting just use the same command string with the value for Lowest.
[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS9001 Public*"} | Set-EventLogLevel -Level 0
Now lets say you have a server with several different diagnostic logging items set to High, filling up your Application event log with entries. Some are Public Folder related, some are Transport related, and resetting them all would mean several individual commands. You also don’t want to touch any of the items set to other levels such as Low.
[PS] C:\>Get-EventLogLevel | where {$_.EventLevel -ne "Lowest" -and $_.EventLevel -ne "Low"}
By piping that command to the Set-EventLogLevel cmdlet you can reset any logging item that is now already set to Lowest or Low.
[PS] C:\>Get-EventLogLevel | where {$_.EventLevel -ne "Lowest" -and $_.EventLevel -ne "Low"} | Set-EventLogLevel -Level 0
Now all of the various items that were set to Medium, High, or Expert levels have been reset to Lowest.
I hope that helps demystify Exchange Server 2007 diagnostic logging commands and helps you make use of this feature when troubleshooting any servers issues you are having.
Useless info, why do I need to fill my HDD with bunch of logs if I don’t know where they are and how to read them…
They’re in the event log, which any Google search for “exchange diagnostic logging” would have told you. And you read them like any other event log entry.
Thanks very helpful article.
I want to know that
is it possible to enable administrator auditing?.
So if he do some changes in a user mail box, like enhance his mailbox quota etc then an event will be popup in exchange auditing in event viewer.
I asking about exchange 2007 SP3.
Thanks, but how do I see which log logs what.
For example, I would like to see who has moved/renamed/deleted/created a Public folder, but none of the logs shown seem to be obviously the one that contain that information.
Possibly ‘General’ I suppose, but that just seems too generic…
thanks Paul
Can I know if any Exchange admin changed the logging level ?
is there’s any log wrote in the event log when this happen?
Hi Frank,
Once you have enabled diagnostic logging the log entries will appear in the Application Event Log on the server.
Now where do I go to view the logs?
Pingback: David Dan