Microsoft Exchange

Microsoft Exchange is a widely used enterprise-level email server running on Windows Server operating systems. The following sections describe various logs generated by Exchange and provide solutions for collecting Microsoft Exchange logs from these sources with NXLog Agent.

MS Exchange stores most of its operational logs in a comma-delimited format similar to W3C. These MS Exchange logs can be read with im_file and the xm_w3c extension module. You can also use the xm_csv extension instead, explicitly listing the fields and configuring it to skip header lines. In some of the log files, the W3C header is prefixed by an additional CSV header line enumerating the same fields as the #Fields directive; NXLog Agent must be configured to skip that line too. See the Exchange transport logs section for examples.

The information provided here is not intended to be comprehensive but rather provides a general overview of NXLog Agent integration with some of the major log mechanisms used by Exchange. Other logs generated by Exchange can be found in the Logging and other sub-directories of the installation directory.

This guide focuses on Exchange Server 2010 SP1 and later versions. Older versions are either not supported by Microsoft or are being decommissioned. Apart from passing their end-of-life date, these versions also lack the audit logging feature.

Exchange transport logs

Exchange Server writes various transport logs. Three of those logs are covered in the following sections. For more information about additional Exchange transport logs, see the Transport logs in Exchange 2016 Microsoft Learn article.

Configuring transport logs

Exchange message tracking logs, connectivity logs, and protocol logs are enabled by default and written to comma-delimited log files, in a format similar to W3C. The logs can be enabled or disabled, and the log file locations modified, through the Exchange Admin Center (EAC).

  1. Log in to the Exchange Admin Center (at https://server/ecp).

  2. Click servers in the list on the left.

  3. Select the server and click the Edit icon.

     [Figure: Editing an Exchange server]

  4. Click transport logs in the list on the left.

     [Figure: Editing the transport log configuration]

  5. Modify the logging configuration as required, then click Save.

Exchange message tracking logs

Message tracking logs provide a detailed record of message activity as mail flows through the transport pipeline on an Exchange server.

Log Sample
#Software: Microsoft Exchange Server
#Version: 15.01.1034.026
#Log-type: Message Tracking Log
#Date: 2017-09-15T20:01:45.863Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data,transport-traffic-type,log-id,schema-version
2017-09-15T20:01:45.863Z,,,,WINEXC,No suitable shadow servers,,SMTP,HAREDIRECTFAIL,34359738369,<49b4b9a2781a45cba555008075f7bffa@test.com>,8e1061b7-a376-497c-3172-08d4fc7497bf,test1@test.com,,6533,1,,,test,Administrator@test.com,Administrator@test.com,,Originating,,,,S:DeliveryPriority=Normal;S:AccountForest=test.com,Email,63dc9d79-5b4e-4f6c-1358-08d4fc7497c3,15.01.1034.026

NXLog Agent can be configured to collect message tracking logs with the im_file module and parse them with xm_w3c.

Example 1. Collecting message tracking logs with xm_w3c

This configuration collects message tracking logs from the defined BASEDIR and parses them using the xm_w3c module. The logs are then converted to JSON format and forwarded via TCP.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension json>
    Module        xm_json
</Extension>

<Extension w3cinput>
    Module        xm_w3c
    Delimiter     ,
</Extension>

<Input w3c>
    Module        im_file
    File          '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    InputType     w3cinput
</Input>

<Output tcp>
    Module        om_tcp
    ListenAddr    10.0.0.1:1514
    Exec          to_json();
</Output>

You can also use the xm_csv extension to parse these files.

Example 2. Using xm_csv to get message tracking logs

This configuration uses the xm_csv module to parse the message tracking logs.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv_parser>
    Module    xm_csv
    Fields    date-time, client-ip, client-hostname, server-ip, server-hostname, \
              source-context, connector-id, source, event-id, \
              internal-message-id, message-id, network-message-id, \
              recipient-address, recipient-status, total-bytes, recipient-count, \
              related-recipient-address, reference, message-subject, \
              sender-address, return-path, message-info, directionality, \
              tenant-id, original-client-ip, original-server-ip, custom-data, \
              transport-traffic-type, log-id, schema-version
</Extension>

<Input messagetracking>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
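    <Exec>
        # Drop the extra CSV header line and the W3C "#" directives
        # (the first line of a file may start with a UTF-8 BOM)
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>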
</Input>

Exchange connectivity logs

Connectivity logging records outbound message transmission activity by the transport services on the Exchange server.

Log Sample
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Transport Connectivity Log
#Date: 2017-09-15T03:09:34.541Z
#Fields: date-time,session,source,Destination,direction,description
2017-09-15T03:09:33.526Z,,Transport,,*,service started; #MaxConcurrentSubmissions=20; MaxConcurrentDeliveries=20; MaxSmtpOutConnections=Unlimited

NXLog Agent can be configured to collect Exchange connectivity logs with the im_file module and parse them with xm_w3c.

Example 3. Collecting Exchange connectivity logs with xm_w3c

This configuration collects connectivity logs from the defined BASEDIR and parses them using the xm_w3c module.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension w3cinput>
    Module       xm_w3c
    Delimiter    ,
</Extension>

<Input w3c>
    Module       im_file
    File         '%BASEDIR%\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG'
    InputType    w3cinput
</Input>

You can also use the xm_csv extension to parse these files.

Example 4. Using xm_csv for connectivity logs

This configuration uses the xm_csv module to parse the connectivity logs.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv_parser>
    Module    xm_csv
    Fields    date-time, session, source, Destination, direction, description
</Extension>

<Input connectivity>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>
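
To check offline what the header-skipping rule and field mapping in the xm_csv configurations produce for a given file, the following added Python example (not NXLog code and not part of the original guide) applies the same rules: skip the BOM, the extra CSV header line, and the W3C directives, then map each row onto the names from #Fields. The sample data is constructed, and the quoting of values that contain a comma is an assumption.

```python
import csv

# Constructed sample modelled on the connectivity log shown on this page:
# UTF-8 BOM, extra CSV header line, W3C directives, then two data rows.
SAMPLE = (
    "\ufeffdate-time,session,source,Destination,direction,description\r\n"
    "#Software: Microsoft Exchange Server\r\n"
    "#Version: 15.0.0.0\r\n"
    "#Log-type: Transport Connectivity Log\r\n"
    "#Date: 2017-09-15T03:09:34.541Z\r\n"
    "#Fields: date-time,session,source,Destination,direction,description\r\n"
    "2017-09-15T03:09:33.526Z,,Transport,,*,service started; "
    "#MaxConcurrentSubmissions=20; MaxConcurrentDeliveries=20\r\n"
    # Assumption: a value containing the delimiter is double-quoted.
    "2017-09-15T03:10:02.101Z,08D4FC7497BF0001,SMTP,mail.example.com,>,"
    '"connected, TLS negotiated"\r\n'
)


def parse_exchange_log(text):
    """Return (records, rejects) for the text of one transport log file."""
    fields, records, rejects = None, [], []
    # Split on "\n" only: str.splitlines() would also break on characters
    # such as U+2028 that can occur inside sender-controlled values.
    for lineno, line in enumerate(text.split("\n"), start=1):
        line = line.rstrip("\r").lstrip("\ufeff")
        if not line:
            continue
        if line.startswith("#"):              # W3C directive line
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("date-time,"):     # extra CSV header line
            continue
        row = next(csv.reader([line]))        # honours quoted delimiters
        if fields is None or len(row) != len(fields):
            rejects.append(lineno)            # truncated or malformed row
            continue
        records.append(dict(zip(fields, row)))
    return records, rejects


if __name__ == "__main__":
    recs, bad = parse_exchange_log(SAMPLE)
    for rec in recs:
        print(rec["date-time"], rec["source"], repr(rec["description"]))
    print("rejected line numbers:", bad)
```

Rows whose column count does not match #Fields are reported by line number rather than silently mapped onto the wrong field names, which is the failure to look for when a log schema changes between Exchange versions.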

Exchange Protocol/SMTP logs

Protocol logging records the SMTP conversations that occur on Send and Receive connectors during message delivery.

Log Sample
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2017-09-20T21:00:47.866Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-09-20T21:00:47.167Z,internet,08D5006A392BE443,0,,64.8.70.48:25,*,,attempting to connect

NXLog Agent can be configured to collect Exchange protocol logs and SMTP logs with the im_file module and parse them with xm_w3c.

Example 5. Collecting protocol logs with xm_w3c

This configuration collects protocol logs from the defined BASEDIR and parses them using the xm_w3c module.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension w3cinput>
    Module       xm_w3c
    Delimiter    ,
</Extension>

<Input smtp_receive>
    Module       im_file
    File         '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV*.LOG'
    InputType    w3cinput
</Input>

<Input smtp_send>
    Module       im_file
    File         '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG'
    InputType    w3cinput
</Input>

You can also use the xm_csv extension to parse these files.

Example 6. Using xm_csv for protocol logs

This configuration uses the xm_csv module to parse the protocol logs.

nxlog.conf
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv_parser>
    Module    xm_csv
    Fields    date-time, connector-id, session-id, sequence-number, \
              local-endpoint, remote-endpoint, event, data, context
</Extension>

<Input smtp_receive>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

<Input smtp_send>
    Module    im_file
    File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

Windows Event Log

Exchange Server also logs events to Windows Event Log. Events are logged to the Application and System channels, as well as multiple Exchange-specific crimson channels (see your server’s Event Viewer). For more information about events generated by Exchange, see the following Microsoft Learn articles.

See also Windows Event Log for more information about using NXLog Agent to collect logs from Windows Event Log.

Example 7. Collecting Exchange events from Windows Event Log

With this configuration, NXLog Agent will use the im_msvistalog module to subscribe to the Application and System channels (Critical, Error, and Warning event levels only) and the MSExchange Management crimson channel (all event levels). Note that the Application and System channels will include other non-Exchange events.

nxlog.conf
<Input eventlog>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">
                    *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="System">
                    *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="MSExchange Management">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

IIS logs

Exchange is closely integrated with the Internet Information Server (IIS), which itself logs Outlook Web Access (OWA) and Exchange Admin Center (EAC) events.

[Figure: IIS Exchange Back End]

See the Microsoft IIS chapter for more information about collecting events from IIS with NXLog Agent.