For those familiar with the GUI for Exchange Server 2003 diagnostic logging, the new Exchange Server 2007 diagnostic logging cmdlets might seem a little daunting at first. But with a little PowerShell understanding they become much easier to manage. Let's take a look at a few examples.

First of all, the two shell cmdlets we are going to use are Get-EventLogLevel and Set-EventLogLevel. Each does what the name suggests, and the two can be combined to manage multiple diagnostic logging items quickly and easily. The -Level parameter of each cmdlet determines what level of diagnostic logging is displayed. The levels you can choose are 0 (Lowest), 1 (Low), 3 (Medium), 5 (High), and 7 (Expert). Usually level 5 (High) is adequate, but sometimes you will want level 7 (Expert). The default level is 0 (Lowest), and logging should always be reset to it once your troubleshooting is complete.

Running Get-EventLogLevel on its own will output a long list of diagnostic logging items.

[PS] C:\>Get-EventLogLevel

Identity                                                             EventLevel
--------                                                             ----------
MSExchange ActiveSync\Requests                                     Lowest
MSExchange ActiveSync\Configuration                                Lowest
MSExchange Antispam\General                                        Lowest
MSExchange Autodiscover\Core                                       Lowest
MSExchange Autodiscover\Web                                        Lowest
...

To change the diagnostic logging level for one of these items we use Set-EventLogLevel.

[PS] C:\>Set-EventLogLevel "MSExchange ActiveSync\Requests" -Level 5

You can see the outcome of this by running Get-EventLogLevel again.

[PS] C:\>Get-EventLogLevel

Identity                                                             EventLevel
--------                                                             ----------
MSExchange ActiveSync\Requests                                     High
MSExchange ActiveSync\Configuration                                Lowest
MSExchange Antispam\General                                        Lowest
MSExchange Autodiscover\Core                                       Lowest
...

Changing the level back is the same command with a different -Level value used.

[PS] C:\>Set-EventLogLevel "MSExchange ActiveSync\Requests" -Level 0

Now let's say you are troubleshooting a Public Folder issue and want to turn up all of the diagnostic logging items for Public Folders. You could run the Set-EventLogLevel cmdlet for each of the Public Folder logging items, but that would be tedious as there are quite a few.

MSExchangeIS\9001 Public\Transport General                         Lowest
MSExchangeIS\9001 Public\General                                   Lowest
MSExchangeIS\9001 Public\Replication DS Updates                    Lowest
MSExchangeIS\9001 Public\Replication Incoming Messages             Lowest
MSExchangeIS\9001 Public\Replication Outgoing Messages             Lowest
MSExchangeIS\9001 Public\Replication NDRs                          Lowest
MSExchangeIS\9001 Public\Transport Sending                         Lowest
MSExchangeIS\9001 Public\Transport Delivering                      Lowest
MSExchangeIS\9001 Public\MTA Connections                           Lowest
MSExchangeIS\9001 Public\Logons                                    Lowest
MSExchangeIS\9001 Public\Access Control                            Lowest
MSExchangeIS\9001 Public\Send On Behalf Of                         Lowest
MSExchangeIS\9001 Public\Send As                                   Lowest
MSExchangeIS\9001 Public\Rules                                     Lowest
MSExchangeIS\9001 Public\Storage Limits                            Lowest
MSExchangeIS\9001 Public\Replication Site Folders                  Lowest
MSExchangeIS\9001 Public\Replication Expiry                        Lowest
MSExchangeIS\9001 Public\Replication Conflicts                     Lowest
MSExchangeIS\9001 Public\Replication Backfill                      Lowest
MSExchangeIS\9001 Public\Background Cleanup                        Lowest
MSExchangeIS\9001 Public\Replication Errors                        Lowest
MSExchangeIS\9001 Public\DS Synchronization                        Lowest
MSExchangeIS\9001 Public\Views                                     Lowest
MSExchangeIS\9001 Public\Replication General                       Lowest
MSExchangeIS\9001 Public\Download                                  Lowest
MSExchangeIS\9001 Public\Local Replication                         Lowest

With a little PowerShell syntax we can set the logging level of all of these items in a single command.

[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS\9001 Public\*"} | Set-EventLogLevel -Level 5

Get-EventLogLevel will show us the outcome of this.

[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS\9001 Public\*"}

Identity                                                             EventLevel
--------                                                             ----------
MSExchangeIS\9001 Public\Transport General                         High
MSExchangeIS\9001 Public\General                                   High
MSExchangeIS\9001 Public\Replication DS Updates                    High
MSExchangeIS\9001 Public\Replication Incoming Messages             High
MSExchangeIS\9001 Public\Replication Outgoing Messages             High
MSExchangeIS\9001 Public\Replication NDRs                          High
MSExchangeIS\9001 Public\Transport Sending                         High
MSExchangeIS\9001 Public\Transport Delivering                      High
MSExchangeIS\9001 Public\MTA Connections                           High
MSExchangeIS\9001 Public\Logons                                    High
MSExchangeIS\9001 Public\Access Control                            High
MSExchangeIS\9001 Public\Send On Behalf Of                         High
MSExchangeIS\9001 Public\Send As                                   High
MSExchangeIS\9001 Public\Rules                                     High
MSExchangeIS\9001 Public\Storage Limits                            High
MSExchangeIS\9001 Public\Replication Site Folders                  High
MSExchangeIS\9001 Public\Replication Expiry                        High
MSExchangeIS\9001 Public\Replication Conflicts                     High
MSExchangeIS\9001 Public\Replication Backfill                      High
MSExchangeIS\9001 Public\Background Cleanup                        High
MSExchangeIS\9001 Public\Replication Errors                        High
MSExchangeIS\9001 Public\DS Synchronization                        High
MSExchangeIS\9001 Public\Views                                     High
MSExchangeIS\9001 Public\Replication General                       High
MSExchangeIS\9001 Public\Download                                  High
MSExchangeIS\9001 Public\Local Replication                         High

To reset the logging levels when we are finished troubleshooting just use the same command string with the value for Lowest.

[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS\9001 Public\*"} | Set-EventLogLevel -Level 0

Now let's say you have a server with several different diagnostic logging items set to High, filling up your Application event log with entries. Some are Public Folder related, some are Transport related, and resetting them all would mean several individual commands. You also don’t want to touch any of the items set to other levels such as Low. This command lists every item that is set to anything other than Lowest or Low.

[PS] C:\>Get-EventLogLevel | where {$_.EventLevel -ne "Lowest" -and $_.EventLevel -ne "Low"}

By piping that command to the Set-EventLogLevel cmdlet you can reset any logging item that is not already set to Lowest or Low.

[PS] C:\>Get-EventLogLevel | where {$_.EventLevel -ne "Lowest" -and $_.EventLevel -ne "Low"} | Set-EventLogLevel -Level 0

Now all of the various items that were set to Medium, High, or Expert levels have been reset to Lowest.
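
The blanket reset above sends every Medium, High or Expert item to Lowest, including any that were raised on purpose. As an added example (not from the original article), the functions below save the current levels before troubleshooting, report what has changed since, and restore each item to its own saved level; the function names and the CSV path are hypothetical.

```powershell
# Added example, not from the original article. Function names and the
# CSV path are hypothetical. Run in the Exchange Management Shell.

$SnapshotPath = 'C:\Temp\EventLogLevels.csv'   # assumed location

function Save-EventLogLevelSnapshot {
    param([string]$Path = $SnapshotPath)
    # Record every logging item and its current level before changing anything.
    Get-EventLogLevel |
        Select-Object @{Name = 'Identity';   Expression = { $_.Identity.ToString() }},
                      @{Name = 'EventLevel'; Expression = { $_.EventLevel.ToString() }} |
        Export-Csv -Path $Path -NoTypeInformation
}

function Get-EventLogLevelDrift {
    param([string]$Path = $SnapshotPath)
    # Index the saved levels by identity.
    $saved = @{}
    Import-Csv -Path $Path | ForEach-Object { $saved[$_.Identity] = $_.EventLevel }

    # Emit one object per item whose level differs from the snapshot.
    Get-EventLogLevel | ForEach-Object {
        $id  = $_.Identity.ToString()
        $now = $_.EventLevel.ToString()
        if ($saved.ContainsKey($id) -and $saved[$id] -ne $now) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Identity $id
            $row | Add-Member NoteProperty Saved    $saved[$id]
            $row | Add-Member NoteProperty Current  $now
            $row
        }
    }
}

function Restore-EventLogLevelSnapshot {
    param([string]$Path = $SnapshotPath)
    # Put back only the items that changed, each to its own saved level.
    Get-EventLogLevelDrift -Path $Path | ForEach-Object {
        Set-EventLogLevel -Identity $_.Identity -Level $_.Saved
    }
}
```

Run Save-EventLogLevelSnapshot before raising any levels, Get-EventLogLevelDrift to review what is still turned up, and Restore-EventLogLevelSnapshot when troubleshooting is complete.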

I hope that helps demystify Exchange Server 2007 diagnostic logging commands and helps you make use of this feature when troubleshooting any server issues you are having.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Shaul

    Useless info, why do I need to fill my HDD with bunch of logs if I don’t know where they are and how to read them…

  2. Nawaz

    Thanks, very helpful article.

    I want to know:
    is it possible to enable administrator auditing?
    So if he makes some changes in a user mailbox, like enhancing his mailbox quota etc., then an event will pop up in Exchange auditing in Event Viewer.
    I am asking about Exchange 2007 SP3.

  3. Lars Panzerbjørn

    Thanks, but how do I see which log logs what?
    For example, I would like to see who has moved/renamed/deleted/created a Public folder, but none of the logs shown seem to be obviously the one that contains that information.
    Possibly ‘General’ I suppose, but that just seems too generic…

  4. MSM

    Thanks Paul

    Can I know if any Exchange admin changed the logging level?

    Is there any log written in the event log when this happens?

  5. Paul

    Hi Frank,

    Once you have enabled diagnostic logging the log entries will appear in the Application Event Log on the server.

  6. Frank

    Now where do I go to view the logs?
