Applies to: Exchange Server 2013

Topic Last Modified: 2013-01-30

Protocol logging records the SMTP conversations that occur between messaging servers as part of message delivery. These SMTP conversations occur on Send connectors and Receive connectors that exist in the Front End Transport service on Client Access servers, the Transport service on Mailbox servers, and the Mailbox Transport service on Mailbox servers. You can use protocol logging to diagnose mail flow problems.

By default, protocol logging is disabled on all Send connectors and Receive connectors. Protocol logging is enabled or disabled on each individual connector. Other protocol logging options are set for all the Receive connectors or all the Send connectors that exist in each individual transport service on the server. All the Receive connectors in a transport service share the same protocol log files and protocol log options. These protocol log files and protocol log options are separate from the Send connector protocol log files and protocol log options in the transport service on the same server.

The following options are available for the protocol logs of all Send connectors or all Receive connectors in each transport service on the Exchange server:

  • Specify the location of the Send connector or the Receive connector protocol log files.

  • Specify a maximum size for the Send connector or the Receive connector protocol log files. The default size is 10 megabytes (MB).

  • Specify a maximum size for the directory that contains the Send connector or Receive connector protocol log files. The default size is 250 MB.

  • Specify a maximum age for the Send connector or Receive connector protocol log files. The default age is 30 days.

By default, Exchange uses circular logging to limit the protocol logs based on file size and file age to help control the hard disk space used by the log files.

A special Send connector named the intra-organization Send connector exists in the Transport service on every Mailbox server, and in the Front End Transport service on every Client Access server. This connector is implicitly created, invisible, and requires no management. The intra-organization Send connector is used by the following transport services:

  • Transport service on Mailbox servers

    • Relays messages to the Transport service and the Mailbox Transport service on other Exchange 2013 Mailbox servers in the organization.

    • Relays messages to other Exchange 2007 or Exchange 2010 Hub Transport servers in the organization.

    • Relays messages to Edge Transport servers in the perimeter network.

  • Front End Transport service on Client Access servers   Relays messages to the Transport service on Exchange 2013 Mailbox servers in the organization.

An equivalent Send connector named the mailbox delivery Send connector exists in the Mailbox Transport service on every Mailbox server. This connector is also implicitly created, invisible, and requires no management. The mailbox delivery Send connector is used to relay messages to the Transport service and the Mailbox Transport service on other Mailbox servers in the organization.

By default, protocol logging for the mailbox delivery Send connector is also disabled. You can enable or disable protocol logging for the mailbox delivery Send connector by using the MailboxDeliveryConnectorProtocolLoggingLevel parameter on the Set-MailboxTransportService cmdlet. If you enable protocol logging for the mailbox delivery Send connector, logging occurs in the Send connector protocol logs for the Mailbox Transport service on the Mailbox server.

Contents

Structure of the protocol log files

Information written to the protocol log

Structure of the protocol log files

By default, the protocol log files exist in the following locations:

  • Receive connector protocol log files for the Transport service on Mailbox servers   %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive

  • Receive connector protocol log files for the Mailbox Transport service on Mailbox servers   %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive

  • Receive connector protocol log files for the Front End Transport service on Client Access servers   %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

  • Send connector protocol log files for the Transport service on Mailbox servers   %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend

  • Send connector protocol log files for the Mailbox Transport service on Mailbox servers   %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend

  • Send connector protocol log files for the Front End Transport service on Client Access servers   %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend

The naming convention for log files in each protocol log directory is prefixyyyymmdd-nnnn.log. The placeholders represent the following information:

  • The placeholder prefix is SEND for Send connectors or RECV for Receive connectors.

  • The placeholder yyyymmdd is the Coordinated Universal Time (UTC) date on which the log file was created. The placeholder yyyy = year, mm = month, and dd = day.

  • The placeholder nnnn is an instance number that starts at the value of 1 for each day.

Information is written to the log file until the file size reaches its maximum specified value, and a new log file that has an incremented instance number is opened. This process is repeated throughout the day. Circular logging deletes the oldest log files when the protocol log directory reaches its maximum specified size, or when a log file reaches its maximum specified age.

The protocol log files are text files that contain data in the comma-separated value file (CSV) format. Each protocol log file has a header that contains the following information:

  • #Software   Name of the software that created the protocol log file. Typically, the value is Microsoft Exchange Server.

  • #Version   Version number of the software that created the protocol log file. Currently, the value is 15.0.0.0.

  • #Log-Type   Log type value of this field, which is either SMTP Receive Protocol Log or SMTP Send Protocol Log.

  • #Date   UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • #Fields   Comma-delimited field names used in the protocol log files.

Return to top

Information written to the protocol log

The protocol log stores each SMTP protocol event on a single line in the protocol log. The information stored on each line is organized by fields. These fields are separated by commas. The following table describes the fields used to classify each protocol.

Fields used to classify each protocol event

Field name Description

date-time

UTC date-time of the protocol event. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

connector-id

Distinguished name (DN) of the connector associated with the SMTP event.

session-id

GUID that's unique for each SMTP session but is the same for each event associated with that SMTP session.

sequence-number

Counter that starts at 0 and is incremented for each event in the same SMTP session.

local-endpoint

Local endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>:<port>.

remote-endpoint

Remote endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>:<port>.

event

Single character that represents the protocol event. The possible values for the event are as follows:

  • +   Connect

  • -   Disconnect

  • >   Send

  • <   Receive

  • *   Information

data

Text information associated with the SMTP event.

context

Additional contextual information that may be associated with the SMTP event.

A single SMTP conversation that represents the sending or receiving of a single email message generates multiple SMTP events. These SMTP events cause multiple lines to be written to the protocol log. Multiple SMTP conversations that represent the sending or receiving of multiple email messages can occur at the same time. This creates protocol log entries from different SMTP conversations that are interspersed. You can use the session-id and sequence-number fields to sort the protocol log entries by SMTP conversation.

Return to top