Applies to: Exchange Server 2013
Topic Last Modified: 2013-01-30
Protocol logging records the SMTP conversations that occur between messaging servers as part of message delivery. These SMTP conversations occur on Send connectors and Receive connectors that exist in the Front End Transport service on Client Access servers, the Transport service on Mailbox servers, and the Mailbox Transport service on Mailbox servers. You can use protocol logging to diagnose mail flow problems.
By default, protocol logging is disabled on all Send connectors and Receive connectors. Protocol logging is enabled or disabled on each individual connector. Other protocol logging options are set for all the Receive connectors or all the Send connectors that exist in each individual transport service on the server. All the Receive connectors in a transport service share the same protocol log files and protocol log options. These protocol log files and protocol log options are separate from the Send connector protocol log files and protocol log options in the transport service on the same server.
The following options are available for the protocol logs of all Send connectors or all Receive connectors in each transport service on the Exchange server:
- Specify the location of the Send connector or the Receive connector protocol log files.
- Specify a maximum size for the Send connector or the Receive connector protocol log files. The default size is 10 megabytes (MB).
- Specify a maximum size for the directory that contains the Send connector or Receive connector protocol log files. The default size is 250 MB.
- Specify a maximum age for the Send connector or Receive connector protocol log files. The default age is 30 days.
By default, Exchange uses circular logging to limit the protocol logs based on file size and file age to help control the hard disk space used by the log files.
A special Send connector named the intra-organization Send connector exists in the Transport service on every Mailbox server, and in the Front End Transport service on every Client Access server. This connector is implicitly created, invisible, and requires no management. The intra-organization Send connector is used by the following transport services:
- Transport service on Mailbox servers
  - Relays messages to the Transport service and the Mailbox Transport service on other Exchange 2013 Mailbox servers in the organization.
  - Relays messages to other Exchange 2007 or Exchange 2010 Hub Transport servers in the organization.
  - Relays messages to Edge Transport servers in the perimeter network.
- Front End Transport service on Client Access servers
  - Relays messages to the Transport service on Exchange 2013 Mailbox servers in the organization.
An equivalent Send connector named the mailbox delivery Send connector exists in the Mailbox Transport service on every Mailbox server. This connector is also implicitly created, invisible, and requires no management. The mailbox delivery Send connector is used to relay messages to the Transport service and the Mailbox Transport service on other Mailbox servers in the organization.
By default, protocol logging for the mailbox delivery Send connector is also disabled. You can enable or disable protocol logging for the mailbox delivery Send connector by using the MailboxDeliveryConnectorProtocolLoggingLevel parameter on the Set-MailboxTransportService cmdlet. If you enable protocol logging for the mailbox delivery Send connector, logging occurs in the Send connector protocol logs for the Mailbox Transport service on the Mailbox server.
Structure of the protocol log files
By default, the protocol log files exist in the following locations:
- Receive connector protocol log files for the Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive
- Receive connector protocol log files for the Mailbox Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive
- Receive connector protocol log files for the Front End Transport service on Client Access servers: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
- Send connector protocol log files for the Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend
- Send connector protocol log files for the Mailbox Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend
- Send connector protocol log files for the Front End Transport service on Client Access servers: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend
The naming convention for log files in each protocol log directory is prefixyyyymmdd-nnnn.log. The placeholders represent the following information:
- The placeholder prefix is SEND for Send connectors or RECV for Receive connectors.
- The placeholder yyyymmdd is the Coordinated Universal Time (UTC) date on which the log file was created. The placeholder yyyy = year, mm = month, and dd = day.
- The placeholder nnnn is an instance number that starts at the value of 1 for each day.
Information is written to the log file until the file size reaches its maximum specified value, and a new log file that has an incremented instance number is opened. This process is repeated throughout the day. Circular logging deletes the oldest log files when the protocol log directory reaches its maximum specified size, or when a log file reaches its maximum specified age.
The protocol log files are text files that contain data in the comma-separated value file (CSV) format. Each protocol log file has a header that contains the following information:
- #Software: Name of the software that created the protocol log file. Typically, the value is Microsoft Exchange Server.
- #Version: Version number of the software that created the protocol log file. Currently, the value is 15.0.0.0.
- #Log-Type: Log type value of this field, which is either SMTP Receive Protocol Log or SMTP Send Protocol Log.
- #Date: UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
- #Fields: Comma-delimited field names used in the protocol log files.
Information written to the protocol log
The protocol log stores each SMTP protocol event on a single line. The information on each line is organized into fields, which are separated by commas. The following table describes the fields used to classify each protocol event.
Fields used to classify each protocol event
Field name | Description |
---|---|
date-time | UTC date-time of the protocol event. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. |
connector-id | Distinguished name (DN) of the connector associated with the SMTP event. |
session-id | GUID that's unique for each SMTP session but is the same for each event associated with that SMTP session. |
sequence-number | Counter that starts at 0 and is incremented for each event in the same SMTP session. |
local-endpoint | Local endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>:<port>. |
remote-endpoint | Remote endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>:<port>. |
event | Single character that represents the protocol event. The possible values for the event are as follows: |
data | Text information associated with the SMTP event. |
context | Additional contextual information that may be associated with the SMTP event. |
A single SMTP conversation that represents the sending or receiving of a single email message generates multiple SMTP events. These SMTP events cause multiple lines to be written to the protocol log. Multiple SMTP conversations that represent the sending or receiving of multiple email messages can occur at the same time. This creates protocol log entries from different SMTP conversations that are interspersed. You can use the session-id and sequence-number fields to sort the protocol log entries by SMTP conversation.
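The session-id and sequence-number sort described above, as an added example (not Microsoft's code): it reads the #Fields header, regroups interleaved lines by SMTP session, and reports gaps in the per-session counter. The sample log is constructed; its `#Name: value` header syntax, connector name, session IDs and event characters are assumptions, not values from this page.

```python
import csv
from collections import defaultdict

# Constructed sample, not from a real server. Two sessions are interleaved,
# one line is out of order, and session ...B2 is missing sequence-number 2.
# Header syntax and event characters (+ > < -) are assumed for illustration.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-Type: SMTP Receive Protocol Log
#Date: 2013-01-30T10:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-01-30T10:00:01.000Z,MBX01\Default MBX01,08CF0000000000A1,0,192.0.2.10:25,198.51.100.7:50211,+,,
2013-01-30T10:00:01.010Z,MBX01\Default MBX01,08CF0000000000B2,0,192.0.2.10:25,203.0.113.9:41022,+,,
2013-01-30T10:00:01.020Z,MBX01\Default MBX01,08CF0000000000A1,1,192.0.2.10:25,198.51.100.7:50211,>,"220 mbx01.example.test ready, ESMTP",
2013-01-30T10:00:01.030Z,MBX01\Default MBX01,08CF0000000000B2,1,192.0.2.10:25,203.0.113.9:41022,>,"220 mbx01.example.test ready, ESMTP",
2013-01-30T10:00:01.090Z,MBX01\Default MBX01,08CF0000000000A1,3,192.0.2.10:25,198.51.100.7:50211,-,,
2013-01-30T10:00:01.060Z,MBX01\Default MBX01,08CF0000000000A1,2,192.0.2.10:25,198.51.100.7:50211,<,QUIT,
2013-01-30T10:00:01.070Z,MBX01\Default MBX01,08CF0000000000B2,3,192.0.2.10:25,203.0.113.9:41022,<,QUIT,
"""

def parse_protocol_log(text):
    """Return {session-id: [event dicts ordered by sequence-number]}."""
    fields, body = None, []
    for line in text.splitlines():
        if line.startswith("#"):
            name, _, value = line.partition(":")
            if name.strip() == "#Fields":  # column names come from the file itself
                fields = [f.strip() for f in value.split(",")]
        elif line.strip():
            body.append(line)
    if fields is None:
        raise ValueError("no #Fields header; cannot map columns")
    sessions = defaultdict(list)
    for row in csv.DictReader(body, fieldnames=fields):  # csv honours quoted commas
        seq = row.get("sequence-number") or ""
        if not seq.isdigit():  # skip a truncated line, e.g. file still being written
            continue
        row["sequence-number"] = int(seq)  # numeric, so 10 sorts after 9
        sessions[row["session-id"]].append(row)
    for events in sessions.values():
        events.sort(key=lambda e: e["sequence-number"])
    return dict(sessions)

def missing_sequence_numbers(events):
    """Counter starts at 0 and increments per event, so any hole is a lost line."""
    seen = {e["sequence-number"] for e in events}
    return sorted(set(range(max(seen) + 1)) - seen) if seen else []
```

A gap usually means the rest of the conversation sits in the previous or next log file of the same day, so check the adjacent instance numbers before treating it as missing data.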