Exchange 2013 log list

Can someone point me to a complete list of all of the Exchange 2013 logs that can be enabled? Trying to find information on what logs are enabled, and what information each log contains.
Thx,
Jeff

Hi Jeff,
Thank you for your question.
There are many logs we could enable it for our troubleshooting, for example:
Transport logs included agent log, connectivity log, protocol log and so on, we could refer to the following link:
https://technet.microsoft.com/en-us/library/dd302434(v=exchg.150).aspx
We could learn about mailbox audit logging by the following link:
https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx
We could refer to the following link to learn more various of logs:
http://blogs.technet.com/b/rischwen/archive/2013/02/21/exchange-2013-logging-and-space-requirements.aspx
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Jim Xu
TechNet Community Support

Similar Messages

Need help regarding the location of Exchange 2013 Logs for parsing

Hi, I am trying to create reports based on the logs that are created on my exchange server. I am using
exchange 2013. My problem is that I cannot handle every log, and instead want specific types of logs.
I need help finding the specific locations of the following types of logs (If they even exist), so that I can parse them and use them effectively:
Audit Logs (Mailbox logons, Mailbox permission changes, Mailbox property changes,
Exchange store changes)
Mail Report Logs (Mailbox size and growth, Mailbox storage growth, Enabled users, Expired and Soon-to-Expire Mailboxes)
Exchange Traffic Reports (Details on size and amount of messages sent and recieved, Internet traffic [to and from], Traffic between exchange users)
I understand this might sound like a huge undertaking, but any help that can be provided would be appreciated.
Again, I need information on the locations of these types of logs on the exchange server, so that I can parse them. Collecting them all and searching through them is not practical for my available resources.
Thanks,
Matt

Audit Logs (Mailbox logons, Mailbox permission
changes, Mailbox property changes, Exchange
store changes) ---- these are two type of logs, 1. mailbox audit logs and that is stored in each mailbox under dumpster
http://technet.microsoft.com/en-us/library/ff461930(v=exchg.150).aspx however you need to
enable
it for individual mailboxes... 2. admin audit log, this is stored into a system mailbox dumpster.... http://technet.microsoft.com/en-us/library/dd335052(v=exchg.141).aspx
Mail Report Logs (Mailbox size and growth, Mailbox
storage growth, Enabled users, Expired and Soon-to-Expire Mailboxes) ---- there isn't any specific log for this, you would need to create some time of script to collect this every day for you and store it somewhere... This is a good start... http://www.stevieg.org/2011/06/exchange-environment-report/
Exchange Traffic Reports (Details on size and
amount of messages sent and recieved, Internet traffic [to and from], Traffic between exchange users) ----- This you can get from message tracking log... http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx

Exchange 2013 - Logging folder - huge size

friends i have exchange 2013 SP1... my logging folder is growing like anything .. can some one advise the best practices around it .. i am not sure how i can clean this ... same is happening with inetpub log .. is this related???.. in few months its around
22 GB ...
Please advise
Thanks
Happiness Always
Jatin

This is by design due to the architectural changes in the product. However have seen cases where it caused issues. you can:
Move Logging folders to another drive in Exchange 2013 via Powershell:
http://social.technet.microsoft.com/wiki/contents/articles/22479.move-logging-in-exchange-2013-via-powershell.aspx
Or alternatively you can disable some of the tasks under Windows\PLA in the Task Scheduler Manager.
You can also do a clean-upand delete some of the files older than a specified day.
Get-ChildItem 'C:\Program Files\Microsoft\Exchange Server\V15\Logging','C:\inetpub\logs' -Directory | get-childitem -Include '*.log' -Recurse | ? LastWriteTime -lt (Get-Date).AddDays(-XX) | Remove-Item
CK

RE: Exchange 2013 log

Hi,
In Exchange 2013 environment, can we check if a message was sent from phone or computer? or can any log display sender's ip address?
Thanks,
Edmond

If you look at the messages in the SentItems folder of the Mailbox then you can use the x-ms-exchange-organization-originalclientipaddress property to get the IPAddress of the sending client eg here's one example of using that http://gsexdev.blogspot.com.au/2012/10/geolocating-users-last-send-location.html
Depending on the type of phone being used sometimes they will leave tell tale marks eg my Samsung phone always set the MessageId to <[email protected]>
but this is device dependant.
Cheers
Glen

Exchange 2013 logging event 15004 daily 5-10 times per day causing email delay?

Observing following event in the Servers (3 Servers having multi role with Exchange 2013 CU5)
Log Name: Application
Source: MSExchangeTransport
Date: 15/10/2014 3:20:16 PM
Event ID: 15004
Task Category: ResourceManager
Level: Warning
Keywords: Classic
User: N/A
Computer: SERVER.COM
Description:
The resource pressure increased from Medium to High.
The following resources are under pressure:
Version buckets = 203 [High] [Normal=80 Medium=120 High=200]
Physical memory load = 92% [limit is 94% to start dehydrating messages.]
The following components are disabled due to back pressure:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from Pickup directory
Mail submission from Replay directory
Mail submission from Mailbox server
Mail delivery to remote domains
Content aggregation
Mail resubmission from the Message Resubmission component.
Mail resubmission from the Shadow Redundancy Component
The following resources are in normal state:
Queue database and disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que") = 61% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\") = 75% [Normal] [Normal=95% Medium=97% High=99%]
Private bytes = 2% [Normal] [Normal=71% Medium=73% High=75%]
Submission Queue = 0 [Normal] [Normal=2000 Medium=4000 High=10000]
Temporary Storage disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Temp") = 75% [Normal] [Normal=95% Medium=97% High=99%]
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeTransport" />
<EventID Qualifiers="32772">15004</EventID>
<Level>3</Level>
<Task>15</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-10-15T09:50:16.000000000Z" />
<EventRecordID>36645321</EventRecordID>
<Channel>Application</Channel>
<Computer>SERVER.COM</Computer>
<Security />
</System>
<EventData>
<Data>Medium</Data>
<Data>High</Data>
<Data>
The following resources are under pressure:
Version buckets = 203 [High] [Normal=80 Medium=120 High=200]
Physical memory load = 92% [limit is 94% to start dehydrating messages.]
The following components are disabled due to back pressure:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from Pickup directory
Mail submission from Replay directory
Mail submission from Mailbox server
Mail delivery to remote domains
Content aggregation
Mail resubmission from the Message Resubmission component.
Mail resubmission from the Shadow Redundancy Component
The following resources are in normal state:
Queue database and disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que") = 61% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\") = 75% [Normal] [Normal=95% Medium=97% High=99%]
Private bytes = 2% [Normal] [Normal=71% Medium=73% High=75%]
Submission Queue = 0 [Normal] [Normal=2000 Medium=4000 High=10000]
Temporary Storage disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Temp") = 75% [Normal] [Normal=95% Medium=97% High=99%]
</Data>
</EventData>
</Event>
Manju Gowda

hi manju.. this is because of your resource utilization being very high. please check below two links to check the logs and take appropriate actions
http://exchangeserverpro.com/exchange-transport-server-back-pressure/
http://technet.microsoft.com/en-us/library/bb201658%28v=exchg.150%29.aspx
Mark as useful or answered if my replies helped you solving your query.
Thanks, Happiness Always
Jatin
Skype: jatider2jatin, Email: [email protected]

Exchange Server 2013 Logs Out of Control

I have a fairly new install of Exchange Server 2013 running in full production. Everything has been great except for the high level of log files that are generated on a daily basis. I am able to truncate the Transaction logs everyday with a Server Backup,
but that still does not help me with the other constantly growing log files in C:\Program Files\Microsoft\Exchange Server\V15\Logging. Is there any way to set these to automatically purge after a set amount of days? I have found resources that discuss setting
up a powershell script that will delete everything after a set amount of days, but I want to know if anything in Exchange 2013 will allow me to do this. I am getting tired of expanding my VM disk. Any help would be greatly appreciated.

Unfortunately Exchange 2013 creates alot of log files that it does not clean up on it's own. While there isn't a way to tell Exchange to clean up the files after X number of days, there is a very helpful script someone else has already written that does
the work for you. He has 2 versions, 1 that you have to put on each individual server (I like that one in case I lose the server I put the script on) or 1 that you can run on 1 server that takes care of all of your Exchange Servers.
http://www.c7solutions.com/2013/04/removing-old-exchange-2013-log-files-html
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

Exchange 2013 database dismounts unexpectedly

Errors logged on Exchange 2013:
Log Name: Application
Source: MSExchangeIS
Date: 12/09/2013 8:22:28 AM
Event ID: 1001
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Microsoft Exchange Server Information Store has encountered an internal logic error. Internal error text is (Unable to apply maintenance insert, index corruption?
Log Name: Application
Source: MSExchangeIS
Date: 12/09/2013 8:22:29 AM
Event ID: 1002
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Unhandled exception (Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: Unable to apply maintenance insert, index corruption?
Log Name: Application
Source: MSExchange Common
Date: 12/09/2013 8:22:37 AM
Event ID: 4999
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Watson report about to be sent for process id: 11204, with parameters: E12, c-RTL-AMD64, 15.00.0712.024, M.E.Store.Worker, M.E.S.Storage.LazyIndexing, M.E.S.S.L.LogicalIndex.HandleIndexCorruptionInternal, M.E.Diagnostics.ExAssertException, 213a, 15.00.0712.000.
ErrorReportingEnabled: True
KB2846288 appeared to be related but we are already on CU2:
Name : XXXXXXXX
Edition : Standard
AdminDisplayVersion : Version 15.0 (Build 712.24)
Anyone else?
Ramu V Ramanan

Randomly approx once per week. Always on the same mailbox database.
Drives have plenty of space, memory and pagefile are fine.
Log Name: Application
Source: MSExchangeIS
Date: 7/05/2014 11:46:53 a.m.
Event ID: 1001
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Microsoft Exchange Server Information Store has encountered an internal logic error. Internal error text is (Unable to apply maintenance insert, index corruption?
Log Name: Application
Source: MSExchangeIS
Date: 7/05/2014 11:46:53 a.m.
Event ID: 1002
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Unhandled exception (Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: Unable to apply maintenance insert, index corruption?
Log Name: Application
Source: MSExchangeIS
Date: 7/05/2014 11:46:53 a.m.
Event ID: 1013
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
The mailbox with mailboxguid "xxxxxxxxxxxxxx" caused crash or resource outage on database (GUID="xxxxxxxxxxxxxxx")
Log Name: Application
Source: MSExchange Common
Date: 7/05/2014 11:46:53 a.m.
Event ID: 4999
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Watson report about to be sent for process id: 18108, with parameters: E12, c-RTL-AMD64, 15.00.0775.038, M.E.Store.Worker, M.E.S.Storage.LazyIndexing, M.E.S.S.L.LogicalIndex.HandleIndexCorruptionInternal, M.E.Diagnostics.ExAssertException, 213a, 15.00.0775.008.
ErrorReportingEnabled: False

Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server.
I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online).
I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me).
Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
Issue 1)
After each reboot I get a Kernel-EventTracing 2 error. I cannot find anything on this on the internet so I have no idea what it is.
Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
Issue 2)
I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
https://support.microsoft.com/kb/2870416?wa=wsignin1.0
One of the perf counters fails to register using the script from the link above.
66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
New-PerfCounters : The performance counter definition file is invalid.
At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
+    New-PerfCounters -DefinitionFileName $f
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
: InvalidData: (:) [New-PerfCounters], TaskException
    + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
   12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
But that one seems unrelated to the ones that still throw errors.
Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Issue 3)
I appear to have some issues related to the healthmailboxes.
I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
I reran setup /prepareAD to try and remedy this but I am still getting some.
Issue 4)
I am getting an MSExchange RBAC 74 error.
(Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
Issue 5)
I am getting MSExchange Assistants 9042 warnings on both databases.
Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server.
If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
Issue 6)
At boot I am getting an MSExchange ActiveSync warning 1033
The setting SupportedIPMTypes in the Web.Config file was missing.
Using default value of System.Collections.Generic.List`1[System.String].
I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

Hi Eric
Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3<sup>rd</sup> time.
I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”.
If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering.
Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users.
I then applied an address policy to them and gave it the highest priority.
Then I set a default email address policy for the entire organization.
After reinstalling Exchange all of my system mailboxes were created with the internal domain name.
So issue number 3 above has not come up.
For issue number one above I have created a new thread:
https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
For issue number four I have posted to this existing thread where there is so far no resolution:
https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
Issue number Five I have managed to recreate and get rid of in more than one way.
If I create a new database in ECP and set the database and log paths where I want, then this error will appear.
If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear.
The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service.
If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away.
So my off hand guess is that these are caused by orphaned system mailboxes.
For issue number six I have posted to this existing thread where there is so far no resolution:
https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
So for the remainder of this thread we can try and tackle issue number two which is the perf counters.
The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7.
Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five.
Using all of your suggestions so far has not removed these 5 remaining errors either. Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as will all event log errors, I would prefer
to make them go away if possible.

Exchange 2013 Realtime Block List is Kind of Working

Hi Everyone.
I've been setting up a RBL in exchange 2013 using zen.spamhaus.org. The IPBlockListProviders require that the connection filtering agent be enabled. By default when running the installantispamagents.ps1, this script will not install that connection filtering
agent because it only installs on an "edge" server and since exchange 2013 did away with the "edge" role, it did not get installed. I had to modify the script so it installed that connection filtering agent with all the other anti-spam agents. (We are a one
exchange server shop so the CAS and Mailbox roles are on one box.)
I'm having a very weird response. The RBL list works and when I get a test email sent to me using the service at '[email protected]', I can see the Reject message getting sent back out in the agent logs and the SMTP logs. This is the message
I see in the logs. Notice that the originating IP and the RBL triggering IP are the same: 192.203.178.107.
2012-12-14T01:59:04.970Z,08CFA71A75A19B4B,10.10.3.50:2525,192.203.178.107:55186,192.203.178.107
,,<>,,t***********e@*****.org,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,550
5.7.1 zen.spamhaus.org has blocked your IP address (192.203.178.107) using the list
'zen.spamhaus.org'. Please see http://www.spamhaus.org/query/bl?ip=192.203.178.107 for further
information. This organization has no control over this RBL (Realtime Blo,BlockListProvider,
zen.spamhaus.org,,,,Undefined
This is a correct message and that IP address matches the Test RBL IP address spamhaus has blacklisted to check RBL filters. The IP address is added dynamically to the message with a variable in the reject message settings and should list the IP address
of the SMTP server that triggered the RBL hit.
The VERY strange thing is when I trigger the RBL with the test message, exchange rejects all incoming mail for my account from any source for several minutes and rejects with that same message. I send a test message from my google account and I can clearly
see in the agent log that the SMTP connection is coming from a google IP but it still rejects and issues the message that was sent in response to my test using the nelson-'[email protected]'
This is the reject message sent to my google account after I sent myself an email following the RBL test message. Notice that the originating IP is a google IP and does not match the IP the the reject message claims the message came from. The log
shows the originating IP as 74.125.82.179 (A google IP) but im rejecting the message because 192.203.178.107 is blocked??? The message didn't come from that IP. :
2012-12-14T02:00:06.318Z,08CFA71A75A19B4B,10.10.3.50:2525,74.125.82.179:50654,74.125.82.179,,
t***t@******.net,,t*******te@******.org,1,Connection Filtering Agent,OnRcptCommand,
RejectCommand,550 5.7.1 zen.spamhaus.org has blocked your IP address (192.203.178.107) using
the list 'zen.spamhaus.org'. Please see http://www.spamhaus.org/query/bl?ip=192.203.178.107
for further information. This organization has no control over this RBL
(Realtime Blo,BlockListProvider,zen.spamhaus.org,,,,Undefined
After a couple minutes, it clears up and I can get mail again. I just can not for the life of me figure out why all messages are rejected for several minutes after I have an RBL hit and the reject message is always referencing the the SMTP transaction
that originally triggered the hit. Which in this case, is blocking my Gmail message thinking its coming forom the crynwr.com test even when the smtp logs show a completely different SMTP originating IP and Connection.
Here is my IPBlockListProvider:
RunspaceId : 068b87d2-9c34-4ce9-ab05-eedef928cb27
RejectionResponse : {1} has blocked your IP address ({0}) using the list '{2}'. Please see
http://www.spamhaus.org/query/bl?ip={0} for further information. This organization has no control
over this RBL (Realtime Block List).
LookupDomain : zen.spamhaus.org
Enabled : True
AnyMatch : True
BitmaskMatch :
IPAddressesMatch : {}
Priority : 1
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : zen.spamhaus.org
DistinguishedName : CN=zen.spamhaus.org,CN=IPBlockListProviderConfig,CN=Message Hygiene,CN=Transport
Settings,CN=Bel******ch,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=b******rk,DC=net
Identity : zen.spamhaus.org
Guid : 0c9b5eec-b19a-4ab5-9c6a-cb1666cf68d6
ObjectCategory : beltwaypark.net/Configuration/Schema/ms-Exch-Message-Hygiene-IP-Block-List-Provider
ObjectClass : {top, msExchMessageHygieneIPBlockListProvider}
WhenChanged : 12/12/2012 10:02:36 PM
WhenCreated : 12/12/2012 10:02:36 PM
WhenChangedUTC : 12/13/2012 4:02:36 AM
WhenCreatedUTC : 12/13/2012 4:02:36 AM
OrganizationId :
OriginatingServer : Lucas.*****.net
IsValid : True
ObjectState : Unchanged

When you install the Antispam agents on Exchange 2013 servers you get all of them installed like you did for previous versions of Exchange server. most of them will get installed on the mailbox role but not the Connection filtering agent aka. RBL, DNS Block
List etc.
The powershell script: install-AntispamAgents.ps1 will look for which server role is installed and will not install Connection filtering if the server hold the mailbox role. This is understandable since SMTP connection should come in from the CAS server
and then the original sending IP will not be show since CAS do Source-NAT. So the logic would be to install the connection filtering agent on CAS but the install script will not let you do that either. Connection Filtering will only install on Edge role.
I can only speculate why this is, but either Microsoft want it to be like this or they have found some trouble with the Connection Filtering Agent running on CAS.
I figured I will give this a try anyway, and here is how you get it to work.
Start Exchange Management Shell as administrator.
Change Directory to scripts folder.
cd $exscripts
Install the agent.
Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"
If you have multiple agents running on the frontend transport you must set them in the correct order with the priority parameter
Add a IPBlocklistprovider of your choice
Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true
You can add more than one provider if you like. If you Don’t provide a custom response it will be “Recipient not authorized, your IP has been found on a block list”
Enable the agent
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
Restart FrontEnd transport service
Restart-Service MSExchangeFrontEndTransport
Now the agent should be live and kicking. Logging for the frontend agent is here
“C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog” instead of the directory for the backend transport “C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\AgentLog”
Since the script don’t install the Connection filtering agent on CAS it is probably unsupported to install the agent manually, but I had it running for months without any problem so make your own judgment.

Exchange 2013 Window Backup failure - fails to clean up log files - error FFFFFFFC

Hello,
We currently have an Exchange 2013 - Exchange 2007 coexistence setup.
1x Windows Server 2008 R2 with Exchange 2007 CAS/HUB
1x Windows Server 2008 R2 with Exchange 2007 MBX
1x Windows Server 2008 R2 with Exchange 2013 CU 3 (all roles)
Since our current backup solution (Symantec Backup Exec 2010 R3) does not support backing up Exchange 2013 CU3 databases, we are using the builtin Windows Backup feature to backup the Exchange 2013 CU3 databases.
This has functioned for a while, until all of a sudden, the log files are not cleared anymore, causing our log disk to fill up.
Our Exchange 2013 server looks like this:
C: Windows + Exchange installation
D: Databases
E: Database Log Files
F: Archive Databases
G: Archive Database Log Files
S: Dedicated backup volume
The backup is scheduled to run every day at 21:00 hours, performing a full VSS backup of D:,E:,F: and G: to the volume S:
Windows backup log says the backup completed with exceptions, leaving the Exchange logs untouched and filling the drive.
The Windows Backup Command Line tools are NOT installed since they are not compatible with Exchange 2013.
In the eventvwr we can see the following error:
The Microsoft Exchange Replication service VSS Writer (Instance a33ec440-7f12-4c50-806b-1bc5ceaf8aad) failed with error FFFFFFFC when processing the backup completion event.
The command VSSADMIN LIST WRITERS displays the following:
Writer name: 'Microsoft Exchange Writer'
   Writer Id: {76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}
   Writer Instance Id: {cf84a907-76dc-428c-90e0-c18a3f9db493}
   State: [1] Stable
   Last error: Retryable error
Restarting the Microsoft Exchange Replication (MSExchangeRepl) clears the writer error, same with a reboot, however the error comes backup after the next backup.
Any thoughts on how to resolve this issue?
Thanks.

Hello,
Here is a blog for your reference.
http://blogs.technet.com/b/timmcmic/archive/2012/03/11/exchange-and-vss-my-exchange-writer-is-in-a-failed-retryable-state.aspx
If there is any useful information after you change the logging to expert, please free let me know.
Cara Chen
TechNet Community Support

Exchange 2013: Problem with Default Global Address List after migration

I just completed a migration from Exchange 2007 to Exchange 2013. The 2007 box has been decommissioned just last week. I have been seeing weird issues with our offline addressbook and global address list, since the migration, but always thought
it was related to Ex2007. Well the issues still exist and here's what i've found so far:
1. If any user goes to Schedule Appointment in Outlook, and they click the Rooms button (on the Scheduling Assistant page), we get a LONG wait (about 5 mins or more) and then an error that says: "The operation could not be completed because
an offline address book is not available. Download a copy of the offline address book." When i click OK, the address book is up, with the "All Rooms" list showing blank (we have 3 rooms in Exchange currently).
2. Now if I go to the Address Book in Outlook it opens to the GAL and it's up to date... I can also force an update to the offline address book after adding a new group or entry, so i know offline address books are being updated properly and
working. HOWEVER, if i go to any of the other address lists (besides Contacts and GAL) under All Address Lists (All Contacts, All Groups, All Rooms, All Users and Public Folders) I get the same error given above: "The operation could not be
completed because an offline address book is not available. Download a copy of the offline address book."
3. I went to the Exchange 2013 EAC and went to Organization -> Address Lists. Everything under here said 'NO' under the Up-to-Date column. When i looked at the properties on each list, and clicked save, I had to update to the new version.
After doing this, the Up-to-Date column said 'YES'. I could do all lists EXCEPT for the GAL. It still says 'NO'
4. The last thing i did was set my Outlook to NOT be in cached mode. This should give me a direct connection to the GAL and all lists, if I'm not mistaken... So when i do this, I cannot even open see the GAL. The ONLY option in the
Address Book that comes up is Contacts (which are my personal ones).
5. I just now ran Get-GlobalAddressList | fl in powershell on the Ex2013 server. I see some things that make me wonder... First; nothing in the RecipientFilter field, however, there is something in the LdapRecipientFilter field.
Second; the RecipientFilterType field says "Legacy". and Third; the RecipientFilterApplied field says "False".
Didn't know what these should all be, but it appears maybe this is the cause of all my issues?? Can someone help me out here.. even if i have to recreate a new GAL, i'm fine with that, I just don't know all the steps to do so. I just need it
to work!
Thanks
Jeff
-Jeff

Hi,
In my opinion, it is better to confirm whether the GAL is good, first.
How about the GAL working in OWA?
If GAL working well in OWA, it seems the issue on the Outlook Client or Connectivity side.
Please trying to run Outlook on the safe mode to avoid some AVs, add-ins and firewall for testing.
Please follow the steps as below to narrow down the OAB issue.
Following are the locations that .lzx files in CAS server and BMX server:
CAS:
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB
MBX:
C:\Program Files\Micorosft\Exchange Server\V15\ExchangeOAB
Please verify whether the .lzx files update to the latest.
1. If the .lzx files in MBX server not update to the latest.
It should be an issue on the OAB generation side.
2. If the .lzx files in MBX server is latest, but CAS server not.
It should be a distribution issue.
1) Please run Get-OabVirtualDirectory command in EMS to verify whether at least one OAB VD exist in the org. If not, please create a new one.
2) Please make sure whether any setup for Web Distribution. Selecting the “Enabling an Offline Address Book for Web Distribution” checkbox.
3) Please force restart File Distribution services to distribute OAB files manually.
3. If the .lzx files in MBX server and CAS server are all update to the latest.
It should be the connectivity between CAS server and Client issue.
1)Please verify the network.
2)Please check DNS, MX, etc. configuration.
3)Please run “Test E-mail AutoConfiguration” to check the AutoDiscover details.
   Please make sure the OAB URLs are correct.
   If the OAB URLs are incorrect, please using following command to re-set them:
   Set-OABVirtualDirectory -Identity "ServerFQDN\OAB (Default Web Site)" -ExternalUrl
https://www.contoso.com/OAB -InternalUrl
https://mail.contoso.com/OAB
4)Please checking the App log and finding solutions from Microsoft Technet articles or KB, according to the Event ID.
5)If it still not working after performing the methods above unfortunately, please trying to re-build OAB Virtual Directory.
   Article for reference:
   Remove, Re-Create, and Reconnect an Offline Address Book Virtual Directory
http://technet.microsoft.com/en-us/library/bb123595(v=exchg.141).aspx
Hope it is helpful
Thanks
Mavis
Mavis Huang
TechNet Community Support

Ms-exchange 2013 audit logs retrieving in csv format not working?

I need help regarding pulling specific information from exchange 2013. The information pertains to mail-exchange audit logs. The exchange in my environment is ms-exchange 2013. Steps performed so far are:-
**step#1**
Create test Environment on Exchange Server 2010 and Active Directory:
Two Mailboxes for testing (with dummy email messages) (i.e., test-mailbox-1, test-mailbox-2)
Two Active Directory Accounts for testing (testAcct01, testAcct02)
Assign Permission to Test Mailboxes: Owner of Email Box test-mailbox-1: testAcct01, Owner of Email Box test-mailbox-2: testAcct02
**step 2**
Enable Mailbox Auditing on the test-mailbox-1:
Use EMS to enable mailbox auditing on mailbox: test-mailbox-1
Commands:
o Set-Mailbox -Identity "test-mailbox-1" -AuditDelegate Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
o Set-Mailbox -Identity "test-mailbox-1" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
Note: You must have permission for Organization Management and Record Management if you want to enable mailbox auditing.
**step#3**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
 Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#4**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#5**
Perform test activities on mailbox “test-mailbox-1” using account id: testAcct02
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#6**
Perform test activities on mailbox “test-mailbox-1” using “Administrator” Account.
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#7**
Use EMS Cmdlet to retrieve Mailbox audit logs for mailbox “test-mailbox-1”
Command:
o Search-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes Admin,Delegate –ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014 | Export-Csv “c:\test-Audit-Results.csv”
o New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes " test-mailbox-1" -LogonTypes Admin,Delegate -StartDate mm/dd/2014 -EndDate mm/dd/2014 -StatusMailRecipients [email protected]
I'm unable to go past step#7, as I see nothing in csv file. I don't know why is this? any help.

Hi,
I will perform these steps in my lab and paste the result.
Beg your patient waiting.
Thanks
Mavis
Mavis Huang
TechNet Community Support

We have a Exchange 2013 server and the Mailbox Database folder is filling up with .log files.

We are migrating from Exchange 2010 to Exchange 2013. We have installed the Exchange 2013 but it only has a couple of mailboxes on this server, all the mailboxes are still on the Exchange 2010 server.
I have run a Windows Backup of the Exchange 2013 but I am still seeing a ton a log files in the mailbox folder.
Also the database file is only about 1.1 GB but the backup is now 40 GB.
Is there something that can be done to truncate these logs and make the backup smaller?

Hi ,
1.Does the full backup completed successfully ?
2.what about the status for the below mentioned command ? Does the mailbox database headers updated with the latest time and date ?
Get-MailboxDatabase -Status | ft name,*full* -au
3.Just check the application event logs for the event id
2046 and that should state that the log truncation for the mailbox databases has been initiated or not.
4.Before initiating the backup just make the exchange writer is not on error.
vssadmin list writers
In case if it on error state ,please restart the Microsoft exchange replication service and check the exchange writers status again by using the above mentioned command.
Thanks & Regards S.Nithyanandham

Exchange 2013 migrations logs deleted!

Hi,
I migrated mailboxes from 2010 to 2013 one domain straight forward process that went successfully. The migration reports were deleted from the 2013 ECP. Any idea how to get logs or information on "when" mailboxes were moved to the 2013 servers?
Thank you
Ibby667

Hi,
I migrated mailboxes from 2010 to 2013 one domain straight forward process that went successfully. The migration reports were deleted from the 2013 ECP. Any idea how to get logs or information on "when" mailboxes were moved to the 2013 servers?
Thank you
Ibby667
You can get that information using Get-Mailboxstatistics.
Example:
Get-Mailbox | Get-MailboxStatistics -IncludeMoveReport | FL Displayname,MoveHistory
UPDATE: Exchange 2013 stores by default information about the latest
5 moves in the mailbox, so that is why you can get the information even if the migrationbatch or moverequest has been deleted (MaxMoveHistoryLength="5" in *\bin\MsExchangeMailboxReplication.exe.config)
Martina Miskovic
all suggestions in here will work, however i like & believe it is best to pull the moverequeststatistics vs the mailbox statistics.
as listed in my reply, this will help to user determine numerous things about the move that the mailboxstatistics will not show
I agree, but if the moverequests has been deleted (default setting: 30 days) and you want to know when a mailbox was moved, then you can with Get-Mailboxstatistics.
Martina Miskovic

Can no longer log into ECP on Exchange 2013

I am no longer able to log into my Exchange 2013 SP1 ECP site. Here are a few items to consider:
Installed replacement UC on 5/7/14. Configured services POP, IMAP, SMTP, IIS. Removed IIS from existing UC which still had 6 days of life. Both certs identical. I did no further changes for this new cert other than install it through ECP.
"Old" cert died 5/13/14 @ 8a. New cert took over without any problems.
Continued to use ECP through close of business 5/14/14. Late on 5/14/14 I attempted to log into ECP remotely thru a VPN to migrate users from our Exch 2007 server. Could not access ECP.
When I attempt to access ECP, I enter <domain>\<username> and password. When I hit "enter" or "sign in", the page flashes and the password field is empty.
I am still able to log into OWA
I cannot log into ECP using the server name, localhost or cert name.
Currently using default settings of FBA and Basic authentication
UC is correctly bound to both front and backend of IIS (443, 444)
Everything else is working correctly for the Exchange site. I have been continuing my migrations through Powershell. I just can't log into ECP.
I created a new Exchange Admin user only to find I still could not log into ECP.
Short Version: I was able to login and then, after a four hour stretch, I was not able to login. No errors on the web page or Event logs. Exchange is routing mail correctly.
I have scoured the web for that past couple of days looking for a solution but the issues I find are throwing up a web page with an error of some sort. Since I'm not experiencing that issue, I'm a bit stumped. I'm no expert, but I'm not a novice.
Since 2013 is a new rebuild, I thought it best to ask for a little assistance. Any advice/assistance would be appreciated.

You might consider rebuilding the ECP virtual directory:
http://technet.microsoft.com/en-us/library/ff629372.aspx
With the EMS, procedure should be the same for Exchange 2010 and 2013.
Since you state that everything else is working, other virtual directories included (OWA for ex.), it's most likely something with the ECP virtual directory.
But even before that, I would try to look at the (rather cryptic) IIS logs and see if you cannot find any useful information there:
http://social.technet.microsoft.com/Forums/exchange/en-US/935eeb5b-d996-4933-9cbd-0347ebad801d/how-can-i-view-exchange-iis-logs?forum=exchange2010
There were some ideas in this thread but i think you may have seen it already?
http://social.technet.microsoft.com/Forums/exchange/en-US/1736b5ab-e69b-4637-aa59-f2d9bd54ead2/unable-to-access-exchange-2013-eacecp-webpage?forum=exchangesvrdeploy
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Exchange 2013 log list

Similar Messages

Maybe you are looking for