
Using Log Parser and Protocol Logs to Analyze Send Connector Usage

January 28, 2014 by Paul Cunningham 12 Comments

An Exchange organization may have send connectors that are believed to be no longer in use, for example a send connector used for a shared SMTP namespace.

However, when you are planning the removal of a send connector there is the concern that some email traffic may still be using it, so you want to investigate this further before making your change.

One way of determining send connector usage is to analyze protocol logs. If you’re not already familiar with protocol logging I wrote an article about it here that is a good starting place.

To begin with you should check whether your send connector has protocol logging enabled.

[PS] C:\>Get-SendConnector "Name of Send Connector" | fl ProtocolLoggingLevel

ProtocolLoggingLevel : Verbose

There are two possible values: None (off) or Verbose (on). If protocol logging is not already set to Verbose you can turn it on using Set-SendConnector.

[PS] C:\>Set-SendConnector "Name of Send Connector" -ProtocolLoggingLevel Verbose

A default protocol logging configuration will retain 30 days' worth of logs, but you can start analyzing them after a day or so if that is all the time you think you will need to discover any systems still using the connector. Obviously, for less-used connectors, the longer you wait the better the chance you'll capture something.

Using Log Parser to View Send Connector Hits in Protocol Logs

We can use a Log Parser query to search through the protocol logs and count the “hits” for each connector, because one of the fields in the log file is the “connector-id”.

SELECT connector-id,
       Count(*) as Hits
from *.log
WHERE data LIKE '%EHLO%'
GROUP BY connector-id
ORDER BY Hits DESC

To run this query open Log Parser (a CMD prompt, not a PowerShell window), navigate to the folder containing the send connector protocol logs (C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend by default on an Exchange 2010 server; refer to the protocol logging article if you need more help finding the path on your server), and then run the command below. The -i:CSV and -nSkipLines:4 switches matter: they tell Log Parser to parse the files as CSV and to skip the four banner lines at the top of each log so that the #Fields line is read as the column header. Without them Log Parser falls back to the TEXTLINE input format and reports connector-id as an unknown field.

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT connector-id,Count(*) as Hits from *.log WHERE data LIKE '%EHLO%' GROUP BY connector-id ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1


connector-id          Hits
--------------------- -----
Internet              70556
Shared Domains        152
Fax Gateway           4

Statistics:
-----------
Elements processed: 1469279
Elements output:    4
Execution time:     4.52 seconds

Using Log Parser to Analyze Email Traffic on a Send Connector

As you can see in the output above the “Shared Domains” connector has registered a small number of hits. To dig into that further we can use Log Parser again to query the logs for information such as the “RCPT TO” command being used in the SMTP transaction, which will tell us the recipient email address.

SELECT data,
       Count(*) as Hits
from *.log
WHERE connector-id = 'Shared Domains'
AND data LIKE '%RCPT TO%'
GROUP BY data
ORDER BY Hits DESC

Again, running from Log Parser after navigating to the SmtpSend folder:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%RCPT TO%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1

You should see output similar to this.

data                                                                                        Hits
------------------------------------------------------------------------------------------- ----
RCPT TO:<noreply@domain.org.au>                                                             18
RCPT TO:<david@domain.com.au> ORCPT=rfc822;david@domain.com.au                              6
RCPT TO:<peter@domain.com.au> ORCPT=rfc822;peter@domain.com.au                              5
RCPT TO:<cathy@domain.com.au> ORCPT=rfc822;cathy@domain.com.au                              4
RCPT TO:<michael@domain.com.au> ORCPT=rfc822;michael@domain.com.au                          4
RCPT TO:<michelle@domain.com.au> ORCPT=rfc822;michelle@domain.com.au                        4
RCPT TO:<donna@domain.com.au> ORCPT=rfc822;donna@domain.com.au                              3
RCPT TO:<jacinta@domain.com.au> ORCPT=rfc822;jacinta@domain.com.au                          3

Knowing which recipients are still receiving email that is going over a particular send connector can be very useful in tracking down any stragglers among the mailboxes or applications that the connector was originally set up for, but that have not been migrated properly.

You could do the same analysis using a search for "MAIL FROM" instead, which shows you the senders of the emails. That is often the quicker way to identify the application or device that is still relaying through the connector.

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%MAIL FROM%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
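As an added example (not code from the article or from Log Parser), the three queries above reproduced in Python directly over the protocol log format, for when Log Parser is not available on the machine holding the logs. The reader skips the four banner lines exactly as -nSkipLines:4 does and takes the column names from the #Fields line; the sample log, connector names and addresses are constructed, and the SmtpSend folder path passed to read_protocol_dir is whatever applies on your server.

```python
import csv
import io
from collections import Counter
from pathlib import Path

# Constructed sample in the Exchange SmtpSend protocol log layout: four banner
# lines, a "#Fields:" header, then CSV rows (names and addresses are made up).
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2014-01-28T00:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-01-28T00:01:00.000Z,Internet,08D0,0,10.0.0.5:1025,203.0.113.10:25,>,EHLO mail.example.com,
2014-01-28T00:01:00.020Z,Internet,08D0,2,10.0.0.5:1025,203.0.113.10:25,>,RCPT TO:<bob@example.net>,
2014-01-28T00:02:00.000Z,Shared Domains,08D1,0,10.0.0.5:1026,192.0.2.20:25,>,EHLO mail.example.com,
2014-01-28T00:02:00.010Z,Shared Domains,08D1,1,10.0.0.5:1026,192.0.2.20:25,>,MAIL FROM:<app@example.com>,
2014-01-28T00:02:00.020Z,Shared Domains,08D1,2,10.0.0.5:1026,192.0.2.20:25,>,RCPT TO:<david@example.org> ORCPT=rfc822;david@example.org,
2014-01-28T00:03:00.000Z,Shared Domains,08D2,0,10.0.0.5:1027,192.0.2.20:25,>,EHLO mail.example.com,
2014-01-28T00:03:00.010Z,Shared Domains,08D2,1,10.0.0.5:1027,192.0.2.20:25,>,MAIL FROM:<app@example.com>,
2014-01-28T00:03:00.020Z,Shared Domains,08D2,2,10.0.0.5:1027,192.0.2.20:25,>,RCPT TO:<david@example.org> ORCPT=rfc822;david@example.org,
"""

def read_protocol_log(text):
    """Skip the banner lines (what -nSkipLines:4 does) and use #Fields as the header."""
    lines = text.splitlines()
    header_idx = next(i for i, line in enumerate(lines) if line.startswith("#Fields:"))
    fields = lines[header_idx][len("#Fields:"):].strip().split(",")
    body = io.StringIO("\n".join(lines[header_idx + 1:]))
    return list(csv.DictReader(body, fieldnames=fields))

def read_protocol_dir(directory):
    """Load every *.log in a SmtpSend folder (the folder path is an assumption)."""
    rows = []
    for path in sorted(Path(directory).glob("*.log")):
        rows.extend(read_protocol_log(path.read_text(errors="replace")))
    return rows

def connector_hits(rows):
    """First query: EHLO lines counted per connector-id (rank with .most_common())."""
    return Counter(r["connector-id"] for r in rows if "EHLO" in r["data"])

def command_hits(rows, connector, command):
    """RCPT TO / MAIL FROM queries: count each distinct data line for one connector."""
    return Counter(r["data"] for r in rows
                   if r["connector-id"] == connector and command in r["data"])

if __name__ == "__main__":
    rows = read_protocol_log(SAMPLE_LOG)
    for name, hits in connector_hits(rows).most_common():
        print(f"{name:<20} {hits}")
    for data, hits in command_hits(rows, "Shared Domains", "RCPT TO").most_common():
        print(f"{data:<70} {hits}")
```

Log Parser's LIKE is case-insensitive while the Python filters match case exactly; Exchange writes the SMTP verbs in upper case, so the two agree for the queries shown.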

Summary

As you can see in the examples above there is some very useful information contained within protocol logging that can help you determine whether a send connector is still being used in your Exchange Server organization.


Comments

  1. Suman Mankala says

    January 12, 2022 at 10:51 am

    Does it work on a Win 2003 R2 server? I'm getting the below error, please advise.

    Unexpected token ‘SELECT data,Count(*) as Hits from *.log WHERE connector-id =
    ‘Quest_Internet’ AND data LIKE ‘%RCPT TO%’ GROUP BY data ORDER BY Hits DESC’ in
    expression or statement.
    At line:1 char:190
    + “C:Program Files (x86)Log Parser 2.2logparser.exe” “SELECT data,Count(*) as H
    its from *.log WHERE connector-id = ‘Quest_Internet’ AND data LIKE ‘%RCPT TO%’
    GROUP BY data ORDER BY Hits DESC” <<< “C:\Suma
    n\MWNHUBP00smtpsend.csv”
    + CategoryInfo : ParserError: (SELECT data,Cou…ER BY Hits DESC:
    String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

    Reply
  2. Jeffrey Hagedorn says

    November 25, 2020 at 10:47 am

    I used some of your examples to create: “Exchange SMTP Log Sent last 30 minutes”

    SELECT [#Fields: date-time],[data],
    EXTRACT_PREFIX(remote-endpoint,0,':') as IP,
    REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as Name,
    TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'.'),'yyyy-MM-ddThh:mm:ss')) as [LogDateTime],
    SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-01 01:00', 'yyyy-MM-dd HH:mm')) as [ThirtyMinutesAgo],
    TO_LOCALTIME(SYSTEM_TIMESTAMP()) as [CurrentDateTime]
    FROM '[LOGFILEPATH]'
    WHERE [data] LIKE '%EHLO%'
    AND [LogDateTime]
    BETWEEN [ThirtyMinutesAgo]
    AND [CurrentDateTime]
    ORDER BY [#Fields: date-time] DESC

    * Point [LOGFILEPATH] to your: 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.LOG'

    Thought it might help someone else along the way.

    Reply
    • Jeffrey Hagedorn says

      November 25, 2020 at 10:50 am

      Sorry old code:
      TIMESTAMP('0000-01-01 01:00', (1 hour)
      TIMESTAMP('0000-01-01 00:30', (30 mins)

      You get the idea.. 🙂

      Reply
  3. Tomas Esteban Corey says

    June 9, 2020 at 1:22 am

    Hi Paul,
    Thanks a lot. I'm trying to get IP SOURCE, IP DEST, FROM, TO.

    Can you help me?

    Thanks
    Tomás

    Reply
  4. Francis says

    September 12, 2019 at 5:12 am

    Hello,

    Is it supposed to work for Exchange 2010?

    I get the following:

    C:\ProgramFiles\Microsoft\ExchangeServer\V14\TransportRoles\Logs\ProtocolLog\SmtpSend>”C:\Program Files (x86)\Log Parser 2.2\logparser.exe” “SELECT connector-id, Count(*) as Hits FROM *log WHERE data LIKE ‘%EHLO%’ GROUP BY connector-id ORDER BY Hits DESC”

    WARNING: Input format not specified – using TEXTLINE input format.
    Error: SELECT clause: Syntax Error: unknown field ‘connector-id’

    Reply
  5. Naveenkumar says

    October 12, 2018 at 11:21 pm

    Hi Paul,

    Need some help: I need to check whether a connection was TLS or non-TLS. A few applications relay emails using TLS and a few non-TLS; how can I determine this from Log Parser? Can you help with this please?

    Reply
  6. Greg Fisher says

    October 17, 2017 at 5:34 am

    Thanks for this – really going to help me move off my 2007 relays and onto 2013. I did find it easier to track down the offending devices by changing the %RCPT TO% to %MAIL FROM%. Appreciate the write up!

    Reply
  7. Seve says

    October 27, 2016 at 4:41 am

    When I try running the command I get the following error.
    What am I doing wrong?

    Thanks,

    Edit: removed due to page breaking

    Reply
    • Paul Cunningham says

      October 27, 2016 at 9:17 am

      Use a CMD prompt to run it, not PowerShell.

      Reply
  8. Jojp23 says

    March 23, 2016 at 12:49 am

    The Parser software is not working on Windows 2008 Enterprise. Please recommend an alternate. I get message that it is not a valid Win 32 application.

    Reply
    • Paul Cunningham says

      March 23, 2016 at 2:00 pm

      Maybe you have a corrupt file? Try downloading and reinstalling. It's always worked fine for me on 2008.

      Reply
  9. Georgi Petkov says

    December 9, 2014 at 12:59 am

    Hi Paul,
    thank you for sharing the SQL queries for SMTP protocol logs.
    It’s very much appreciated.

    Best regards,
    Georgi Petkov

    Reply
