Log Management 101 for Exchange 2010

Chicago Area Laptop for rent: $35 per day plus $10 for additional day

Log Management 101 for Exchange 2010

As any systems admin will tell you, keeping an eye on system logs is a very important part of monitoring the overall health and wellbeing of both the operating system and the applications running on a server. As any systems admin will quietly admit (off the record and after hours) keeping an eye on system logs is simply something they don’t have time to do, and consulting the logs only happens during troubleshooting. Of course, that puts log checking in the reactive phase, after a problem has already occurred. We want to move this into a proactive phase, so that we can detect minor issues and resolve them before they become major headaches. In this post, we’re going to take a look at the kinds of events you want to watch for, and discuss some options for automating that process, which can save you time, money, and heartburn.

Exchange 2010 logs a ton of information in several places within the logs you can see in Event Viewer. In a smaller environment, simply parsing these logs from time to time might be enough for you to catch issues before they impact users, but if your environment is small enough for you to only need one or two servers, your staff is probably too small for you to have the time to do this regularly. Let’s look at three strategies for monitoring event logs to see which way can work best for your environment.

Manual checks

In a smaller shop with only one or two servers, you could simply check the logs each day for warnings and errors. The key here is consistency, which means you either need to do it first thing in the morning, right after you get back from lunch, or right before you leave for the day. Unless you get in before everyone else, you probably want to opt for the right-after-lunch approach, so that you can do this without being disturbed. Log on to each of your Exchange servers, and parse the logs for anything that indicates a problem. Check the system log for operating system events, and the following locations for Exchange specific issues; the application log, and the Windows->Exchange->High Availability, MailboxDatabaseFailureItem, and Troubleshooter logs. Watch out for errors, but take a look at warnings too. Situations like low disk space start out as warnings to give you time to increase space before they become errors that impact mail flow.

Pros: Easy, free
Cons: Not scalable, requires discipline to ensure it is done daily

Log forwarding

You can save a little time by forwarding event logs from each of your servers to a central collector computer. The steps to do this are covered in this TechNet article, and are fairly straightforward. This way, you need only consult the logs of a single machine, which could even be your desktop (as long as it stays powered on and connected to the network 24x7.) Beware however; there are several pitfalls to this approach. If a forwarding server stops forwarding for any reason, nothing will be logged in the collector. No news is definitely not good news here, but you have to notice that the server has not sent anything. Second, unless the collector has Exchange installed as well, the event descriptions will not contain useful information. You’ll need to work on memorizing event IDs that are important.

Pros: Easy, free, slightly scalable
Cons: Failures could be missed and forwarded events may not contain all the data you need to understand the problem.

Central log monitoring

Several companies sell event log monitoring applications that make the process of log management automated and easy. You install the software on a central server, and can either configure the software to pull logs from other systems, or install an agent on each system you want to push to the central server. The application can aggregate and summarize the logs, and provide summaries and alerts through email. Some are flexible enough to give you daily or weekly summaries of less critical events, while emailing you instantly for events that require immediate attention. Better apps can filter out the noise and take actions (such as firing scripts) based on rules you create, automating some of your more common tasks.

Pros: Fully scalable, centralized log management, reporting, and archiving, can automate repetitive tasks
Cons: Costs money, though typically less than the labor costs of manually performing log management

I definitely recommend the central log monitoring approach. If you consider the time it would take you daily to review the logs and add up the cost of that time over a year, you definitely are spending more on manual approaches. When you consider the cost of an outage, anything that proactively alerts you to a problem before it impacts users gives you an immediate ROI. Most log management applications are able to handle far more than just Exchange, giving you a tool that can help you with your entire infrastructure.

If you have to go with the manual for forwarding approach, here’s a table that lists some of the most important Exchange events:

Log type	Source	Type	Event ID	description
Application	MSExchange Autodiscover	Error	1	Your Exchange server cannot find a domain controller. Make sure your DC is running, your AD Sites are properly defined, and no firewalls (Windows built-in or other) are blocking connections from the Exchange server to domain controllers in the site. Remember how dependent upon Global Catalog servers Exchange is; you should have a GC in every site in which you have an Exchange server.
Application	MSExchangeFDS, RPC, POP3, or IMAP4	Warning or Error	1003	Each of these services needs to communicate with Active Directory, and is reporting that it cannot. Make sure each Exchange server has a domain controller in its site, and consider adding a second for redundancy. When patching, consider patching the Exchange servers and the domain controllers at opposite ends of the process so that when Exchange starts up, it doesn’t look for AD while the DC is still rebooting.
Application	MSExchangeIMAP4, POP3	Error	2007	The services cannot handle TLS connections because no suitable certificate is installed on the server. Install a certificate using the New Certificate Wizard that includes the server’s hostname and FQDN and is set up to support POP3 and IMAP.
Application	MSExchangeTransport	Error	12014	Your Exchange server does not have a certificate that it can use for SMTP/TLS. Create a new certificate using the New Certificate Wizard and make sure to specify the FQDN of your server.
Application	MSExchange ADAccess	Error	2104	Your Exchange server cannot query all the domain controllers it needs for topology information. If you are in a multi-domain environment, remember that Exchange will need to query DCs in all domains which contain user accounts with mailboxes in the Exchange Organization. Check routing and firewalls to ensure you have full connectivity.
Microsoft, Exchange, HighAvailability, Operational	HighAvailability	Warning	127	This logs when a database is forcefully dismounted. It’s usually because of a shutdown/reboot, so nothing to worry about unless you cannot correlate it to a planned reboot for patching or maintenance.
Microsoft, Exchange, HighAvailability, Operational	HighAvailability	Error	252	When this event is logged, an inconsistent event record has been found in the database. Check for free disk space or network connectivity issues.
Application	MSExchangeRepl	Error	4113	If you have a DAG that has no redundant copies on any other server, 4113s are logged every twenty minutes until a replica is generated on another server. If you have just created a DAG, look for the 4114 that means a copy of the DAG exists on another server. If you see this on an existing DAG, check the replica server for other errors.
Application	MSExchange ActiveSync	Warning	1022	Your CAS server cannot connect to your Mailbox server. Check network connectivity between these servers, especially any software or hardware firewalls, and that neither server has problems authenticating to AD.
Application	MSExchange EdgeSync	Error	1004	There is a problem with your Edge Transport server’s attempts to authenticate to your Hub Transport server. Make sure that the Edge Subscription is working correctly and the certificate is not expired.
Application	MSExchange EdgeSync0	Error	1024	Your Hub Transport server cannot connect to your Edge Transport server’s ADAM instance. Verify ADAM is running, and then, since your Edge Transport server is in the DMZ and your Hub Transport server is not, confirm that no changes to the firewall have been made.
Application	MSExchangeTransport	Warning	15004	This is a warning that your Exchange server is running out of some resource, this will almost always be free disk space. It is the start of back pressure. You need to expand your volume, or move your database to a larger volume, soon.
Application	MSExchangeTransport	Error	15006	This is what happens when you have run out of that resource you were warned about in the 15004. The Transport service will reject all mail until you resolve the resource constraint.

This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: Event log management.

All product and company names herein may be trademarks of their respective owners.

Post your questions, comments, feedbacks and suggestions

Contact a consultant