NXLog Documentation

You are viewing the documentation of our legacy products. Go to the NXLog Platform Documentation.

Microsoft Exchange

Microsoft Exchange is a widely used enterprise level email server running on Windows Server operating systems. The following sections describe various logs generated by Exchange and provide solutions for collecting Microsoft Exchange logs from these sources with NXLog.

MS Exchange stores most of its operational logs in a comma-delimited format similar to W3C. These MS Exchange logs can be read with im_file and the xm_w3c extension module. For NXLog Community Edition, the xm_csv extension module can be used instead, with the fields listed explicitly and the header lines skipped. In some of the log files, the W3C header is prepended by an additional CSV header line enumerating the same fields as the #Fields directive; NXLog must be configured to skip that line also. See the sections under Exchange transport logs for examples.

The information provided here is not intended to be comprehensive, but rather provides a general overview of NXLog integration with some of the major log mechanisms used by Exchange. Other logs generated by Exchange can be found in the Logging and other sub-directories of the installation directory.

This Guide focuses on Exchange Server 2010 SP1 and later versions. Older versions are either not supported by Microsoft or are being decommissioned. Apart from passing their end-of-life date, these versions also lack the audit logging feature.

Exchange transport logs

Exchange Server writes various transport logs. Three of those logs are covered in the following sections. For more information about additional Exchange transport logs, see the Transport logs in Exchange 2016 Microsoft Learn article.

Configuring transport logs

Exchange message tracking logs, connectivity logs, and protocol logs are enabled by default and written to comma-delimited log files, in a format similar to W3C. The logs can be enabled or disabled, and the log file locations modified, through the Exchange Admin Center (EAC).

  1. Log in to the Exchange Admin Center (at https://server/ecp).

  2. Click servers in the list on the left.

  3. Select the server and click the Edit icon.

    Editing an Exchange server
  4. Click transport logs in the list on the left.

    Editing the transport log configuration
  5. Modify the logging configuration as required, then click Save.

Exchange message tracking logs

Message tracking logs provide a detailed record of message activity as mail flows through the transport pipeline on an Exchange server.

Log Sample
#Software: Microsoft Exchange Server
#Version: 15.01.1034.026
#Log-type: Message Tracking Log
#Date: 2017-09-15T20:01:45.863Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data,transport-traffic-type,log-id,schema-version
2017-09-15T20:01:45.863Z,,,,WINEXC,No suitable shadow servers,,SMTP,HAREDIRECTFAIL,34359738369,<49b4b9a2781a45cba555008075f7bffa@test.com>,8e1061b7-a376-497c-3172-08d4fc7497bf,test1@test.com,,6533,1,,,test,Administrator@test.com,Administrator@test.com,,Originating,,,,S:DeliveryPriority=Normal;S:AccountForest=test.com,Email,63dc9d79-5b4e-4f6c-1358-08d4fc7497c3,15.01.1034.026

NXLog can be configured to get message tracking log data with the im_file module, and parse them with xm_w3c.

Example 1. Collecting message tracking logs with xm_w3c

This configuration collects message tracking logs from the defined BASEDIR and parses them using the xm_w3c module. The logs are then converted to JSON format and forwarded via TCP.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension json>
    Module        xm_json
</Extension>

<Extension w3c>
    Module        xm_w3c
    Delimiter     ,
</Extension>

<Input messagetracking>
    Module        im_file
    File          '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    InputType     w3c
</Input>

<Output tcp>
    Module        om_tcp
    ListenAddr    10.0.0.1:1514
    Exec          to_json();
</Output>

For NXLog Community Edition, the xm_csv module can be configured to parse these files.

Example 2. Using xm_csv to get message tracking logs

This configuration uses the xm_csv module to parse the message tracking logs.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv>
    Module    xm_csv
    Fields    date-time, client-ip, client-hostname, server-ip, server-hostname, \
              source-context, connector-id, source, event-id, \
              internal-message-id, message-id, network-message-id, \
              recipient-address, recipient-status, total-bytes, recipient-count, \
              related-recipient-address, reference, message-subject, \
              sender-address, return-path, message-info, directionality, \
              tenant-id, original-client-ip, original-server-ip, custom-data, \
              transport-traffic-type, log-id, schema-version
</Extension>

<Input messagetracking>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

Exchange connectivity logs

Connectivity logging records outbound message transmission activity by the transport services on the Exchange server.

Log Sample
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Transport Connectivity Log
#Date: 2017-09-15T03:09:34.541Z
#Fields: date-time,session,source,Destination,direction,description
2017-09-15T03:09:33.526Z,,Transport,,*,service started; #MaxConcurrentSubmissions=20; MaxConcurrentDeliveries=20; MaxSmtpOutConnections=Unlimited

NXLog can be configured to collect exchange connectivity logs with the im_file module, and parse them with xm_w3c.

Example 3. Collecting Exchange connectivity logs with xm_w3c

This configuration collects connectivity logs from the defined BASEDIR and parses them using the xm_w3c module.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension w3c>
    Module       xm_w3c
    Delimiter    ,
</Extension>

<Input connectivity>
    Module       im_file
    File         '%BASEDIR%\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG'
    InputType    w3c
</Input>

For NXLog Community Edition, the xm_csv module can be configured to parse these files.

Example 4. Using xm_csv for connectivity logs

This configuration uses the xm_csv module to parse the connectivity logs.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv>
    Module    xm_csv
    Fields    date-time, session, source, Destination, direction, description
</Extension>

<Input connectivity>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

Exchange Protocol/SMTP logs

Protocol logging records the SMTP conversations that occur on Send and Receive connectors during message delivery.

Log sample
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2017-09-20T21:00:47.866Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-09-20T21:00:47.167Z,internet,08D5006A392BE443,0,,64.8.70.48:25,*,,attempting to connect

NXLog can be configured to collect exchange protocol logs and SMTP logs with the im_file module, and parse them with xm_w3c.

Example 5. Collecting protocol logs with xm_w3c

This configuration collects protocol logs from the defined BASEDIR and parses them using the xm_w3c module.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension w3c>
    Module       xm_w3c
    Delimiter    ,
</Extension>

<Input smtp_receive>
    Module       im_file
    File         '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV*.LOG'
    InputType    w3c
</Input>

<Input smtp_send>
    Module       im_file
    File         '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG'
    InputType    w3c
</Input>

For NXLog Community Edition, the xm_csv module can be configured to parse these files.

Example 6. Using xm_csv for protocol logs

This configuration uses the xm_csv module to parse the protocol logs.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv>
    Module    xm_csv
    Fields    date-time, connector-id, session-id, sequence-number, \
              local-endpoint, remote-endpoint, event, data, context
</Extension>

<Input smtp_receive>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

<Input smtp_send>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

Windows Event Log

Exchange Server also logs events to Windows Event Log. Events are logged to the Application and Systems channels, as well as multiple Exchange-specific crimson channels (see your server’s Event Viewer). For more information about events generated by Exchange, see the following Microsoft Learn articles.

See also Windows Event Log for more information about using NXLog to collect logs from Windows Event Log.

Example 7. Collecting Exchange events from Windows Event Log

With this configuration, NXLog will use the im_msvistalog module to subscribe to the Application and System channels (Critical, Error, and Warning event levels only) and the MSExchange Management crimson channel (all event levels). Note that the Application and System channels will include other non-Exchange events.

nxlog.conf
<Input eventlog>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">
                    *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="System">
                    *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="MSExchange Management">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

IIS logs

Exchange is closely integrated with the Internet Information Server (IIS), which itself logs Outlook Web Access (OWA) and Exchange Admin Center (EAC) events.

IIS Exchange Back End

See the Microsoft IIS chapter for more information about collecting events from IIS with NXLog.

Audit logs (nxlog-xchg)

Microsoft Exchange also provides two types of audit logs: administrator audit logs and mailbox audit logs. For more information, see Administrator audit logging in Exchange 2016 and Mailbox audit logging in Exchange 2016 on Microsoft Learn.

The nxlog-xchg utility can be used to retrieve these logs. See the Exchange (nxlog-xchg) add-on documentation.

Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

NXLog version 5.6.7727
Microsoft Exchange Server 2016

Last revision: 30 September 2022