An Exchange organization may have send connectors that are believed to be no longer in use, for example a send connector used for shared SMTP namespace.
However when you are planning the removal of a send connector there is the concern that some email traffic may still be using that send connector, and so you want to investigate this further before making your change.
One way of determining send connector usage is to analyze protocol logs. If you’re not already familiar with protocol logging I wrote an article about it here that is a good starting place.
To begin with you should check whether your send connector has protocol logging enabled.
1 2 3 | [PS] C:>Get-SendConnector "Name of Send Connector" | fl ProtocolLoggingLevel ProtocolLoggingLevel : Verbose |
There are two possible values; None (off) or Verbose (on). If protocol logging is not already set to Verbose you can turn it on using Set-SendConnector.
1 | [PS] C:>Set-SendConnector "Name of Send Connector" -ProtocolLoggingLevel Verbose |
A default protocol logging configuration will retain 30 days worth of logs, but you can start analyzing them after a day or so if that is all the time you think you will need to discover any systems still using the connector. Obviously for less used connectors the longer you wait the more chance you’ll capture something.
Using Log Parser to View Send Connector Hits in Protocol Logs
We can use a Log Parser query to search through the protocol logs and count the “hits” for each connector, because one of the fields in the log file is the “connector-id”.
1 2 3 4 5 6 | SELECT connector-id, Count(*) as Hits from *.log WHERE data LIKE '%EHLO%' GROUP BY connector-id ORDER BY Hits DESC |
To run this query open Log Parser, navigate to the folder containing the send connector protocol logs (C:Program FilesMicrosoftExchangeV14TransportRolesLogsProtocolLogSmtpSend by default on an Exchange 2010 server. Refer to the protocol logging article if you need more help finding the path on your server), and then run the command:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | "C:Program Files (x86)Log Parser 2.2logparser.exe" "SELECT connector-id,Count(*) as Hits from *.log WHERE data LIKE '%EHLO%' GROUP BY connector-id ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1 connector-id Hits --------------------- ----- Internet 70556 Shared Domains 152 Fax Gateway 4 Statistics: ----------- Elements processed: 1469279 Elements output: 4 Execution time: 4.52 seconds |
Using Log Parser to Analyze Email Traffic on a Send Connector
As you can see in the output above the “Shared Domains” connector has registered a small number of hits. To dig into that further we can use Log Parser again to query the logs for information such as the “RCPT TO” command being used in the SMTP transaction, which will tell us the recipient email address.
1 2 3 4 5 6 7 | SELECT data, Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%RCPT TO%' GROUP BY data ORDER BY Hits DESC |
Again, running from Log Parser after navigating to the SmtpSend folder:
1 | "C:Program Files (x86)Log Parser 2.2logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%RCPT TO%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1 |
You should see output similar to this.
1 2 3 4 5 6 7 8 9 10 | data Hits ------------------------------------------------------------------------------------------- ---- RCPT TO:<noreply@domain.org.au> 18 RCPT TO:<david@domain.com.au> ORCPT=rfc822;david@domain.com.au 6 RCPT TO:<peter@domain.com.au> ORCPT=rfc822;peter@domain.com.au 5 RCPT TO:<cathy@domain.com.au> ORCPT=rfc822;cathy@domain.com.au 4 RCPT TO:<michael@domain.com.au> ORCPT=rfc822;michael@domain.com.au 4 RCPT TO:<michelle@domain.com.au> ORCPT=rfc822;michelle@domain.com.au 4 RCPT TO:<donna@domain.com.au> ORCPT=rfc822;donna@domain.com.au 3 RCPT TO:<jacinta@domain.com.au> ORCPT=rfc822;jacinta@domain.com.au 3 |
Knowing which recipients are still receiving email that is going over a particular send connector can be very useful in tracking down any stragglers among the mailboxes or applications that the connector was originally set up for, but that have not been migrated properly.
You could do the same analysis using a search for “MAIL FROM” instead, which will show you the senders of the emails, which is also useful in some cases.
1 | "C:Program Files (x86)Log Parser 2.2logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%MAIL FROM%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1 |
Summary
As you can see in the examples above there is some very useful information contained within protocol logging that can help you determine whether a send connector is still being used in your Exchange Server organization.
Does it work on Win 2003 R2 server. I’m getting below error, please advise
Unexpected token ‘SELECT data,Count(*) as Hits from *.log WHERE connector-id =
‘Quest_Internet’ AND data LIKE ‘%RCPT TO%’ GROUP BY data ORDER BY Hits DESC’ in
expression or statement.
At line:1 char:190
+ “C:Program Files (x86)Log Parser 2.2logparser.exe” “SELECT data,Count(*) as H
its from *.log WHERE connector-id = ‘Quest_Internet’ AND data LIKE ‘%RCPT TO%’
GROUP BY data ORDER BY Hits DESC” <<< “C:\Suma
n\MWNHUBP00smtpsend.csv”
+ CategoryInfo : ParserError: (SELECT data,Cou…ER BY Hits DESC:
String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
I used some of your examples to create: “Exchange SMTP Log Sent last 30 minutes”
SELECT [#Fields: date-time],[data],
EXTRACT_PREFIX(remote-endpoint,0,’:’) as IP,
REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,’:’)) as Name,
TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING[#Fields: date-time],0,’.’),’yyyy-MM-ddThh:mm:ss’)) as [LogDateTime],
SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP(‘0000-01-01 01:00’, ‘yyyy-MM-dd HH:mm’)) as [ThirtyMinutesAgo],
TO_LOCALTIME(SYSTEM_TIMESTAMP()) as [CurrentDateTime]
FROM ‘[LOGFILEPATH]’
WHERE [data] LIKE ‘%EHLO%’
AND [LogDateTime]
BETWEEN [ThirtyMinutesAgo]
AND [CurrentDateTime]
ORDER BY [#Fields: date-time] DESC
* Point [LOGFILEPATH] to your: ‘C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.LOG’
Thought it might help someone else along the way.
Sorry old code:
TIMESTAMP(‘0000-01-01 01:00’, (1 hour)
TIMESTAMP(‘0000-01-01 00:30’, (30 mins)
You get the idea.. 🙂
Hi Paul,
Thanks a lot, I’m trying to get, IP SOURCE, IP DEST, FROM TO.
Can you help me?
Thanks
Tomás
Hello,
Is it supposed to work for Exchange 2010?
I get the following:
C:\ProgramFiles\Microsoft\ExchangeServer\V14\TransportRoles\Logs\ProtocolLog\SmtpSend>”C:\Program Files (x86)\Log Parser 2.2\logparser.exe” “SELECT connector-id, Count(*) as Hits FROM *log WHERE data LIKE ‘%EHLO%’ GROUP BY connector-id ORDER BY Hits DESC”
WARNING: Input format not specified – using TEXTLINE input format.
Error: SELECT clause: Syntax Error: unknown field ‘connector-id’
Hi Paul,
Need small help, i need to check whether connection was TLS or Non TLS. Few application relay emails using TLS and few non TLS, how can determine this from logpraser, can you help with this please.
Thanks for this – really going to help me move off my my 2007 relays and onto 2013. I did find it easier to track down the offending devices by changing the %RCPT TO% to %MAIL FROM%. Appreciate the write up!
When i try running the command i get the following error.
What am i doing wrong?
Thanks,
Edit: removed due to page breaking
Use a CMD prompt to run it, not PowerShell.
The Parser software is not working on Windows 2008 Enterprise. Please recommend an alternate. I get message that it is not a valid Win 32 application.
Maybe you have a corrupt file? Try download and reinstall. It’s always worked fine for me on 2008.
Hi Paul,
thank you for sharing the SQL queries for SMTP protocol logs.
It’s very much appreciated.
Best regards,
Georgi Petkov