Exchange Server 2007 uses new transport log file formats that are easy to parse with one of our favorite Swiss Army knife tools, "Log Parser". Log Parser (also referred to as LP in the rest of this blog post) is commonly used for analyzing IIS log files or Windows Event logs. This first post will get you started on how to use Log Parser in the context of analyzing Exchange 2007 transport logs. The second part will lead you in depth on how to extract the essence of the log, as it provides a lot of valuable information.
I have tried to write this post so that you can see how we arrived at the final queries we wanted to use, so we might walk through several versions of a query and show which options we add at each step.
To get started first download and install Log Parser from the following link:
I mentioned looking at IIS logs... if you have IIS installed, from a command line you can run:
logparser "select * from <1>" -o:DATAGRID
This query will return all fields from your IIS logs into a data grid for the IIS site with SiteID=1 (the <1> in the FROM clause). As you can see, LP allows you to parse IIS logs using common SQL commands such as: select, where, group by, order by, etc.
The "logparser -h" switch returns the main help information. Below are the most useful help commands:
- logparser -h FUNC - returns all LP functions
- logparser -h GRAM - returns all LP grammar keywords
- logparser -h EXAMPLES - returns additional sample queries
The beauty of this tool is that it can parse virtually any log. As Exchange 2007 was released after Log Parser shipped, we will use the CSV importer for our parsing.
So if you type "logparser -h -i:CSV", LP will return all additional options for the CSV input format.
- -i:CSV - selects the generic CSV input parser of LP, as there is currently no Exchange 2007-specific LP input parser. The CSV input format allows specifying the separator; in the case of the Exchange 2007 logs it is comma separated.
- -nSkipLines:4 - tells LP to skip the first 4 lines (the Exchange transport log file headers) before parsing the log. Note this is required because otherwise you are going to end up with a single column named "
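To show what the -nSkipLines:4 option does, here is an added example (not from the original post, and not Log Parser itself) that reads a transport log the same way: skip the header lines, take the next line as the column names, then treat the rest as comma-separated rows. The sample log is constructed; its column names are assumed to follow the Exchange 2007 message tracking log layout, and the "recipients per sender" aggregation is one the second part of this series would typically build.

```python
import csv
from collections import Counter

# Constructed sample in the Exchange 2007 message tracking log layout (assumed):
# four header lines, then a "#Fields:" line naming the comma-separated columns.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Date: 2008-01-15T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2008-01-15T08:01:02.000Z,10.0.0.5,WKS01,10.0.0.2,HUB01,,,STOREDRIVER,RECEIVE,1,<m1@contoso.example>,bob@contoso.example,,4096,1,,,Budget,alice@contoso.example,alice@contoso.example,
2008-01-15T08:01:03.000Z,,,,HUB01,,Internet,SMTP,SEND,1,<m1@contoso.example>,bob@contoso.example,250 OK,4096,1,,,Budget,alice@contoso.example,alice@contoso.example,
2008-01-15T08:02:00.000Z,10.0.0.9,WKS07,10.0.0.2,HUB01,,,STOREDRIVER,RECEIVE,2,<m2@contoso.example>,ext1@example.org;ext2@example.org,,1200,2,,,Hello,mallory@contoso.example,mallory@contoso.example,
2008-01-15T08:05:10.000Z,10.0.0.9,WKS07,10.0.0.2,HUB01,,,STOREDRIVER,RECEIVE,3,<m3@contoso.example>,ext3@example.org;ext4@example.org;ext5@example.org,,1300,3,,,Hello,mallory@contoso.example,mallory@contoso.example,
"""

SKIP_LINES = 4  # the header lines the post skips with -nSkipLines:4


def parse_tracking_log(text, skip_lines=SKIP_LINES):
    """Return (column_names, rows), mirroring -i:CSV -nSkipLines:N.

    With skip_lines=0 the first header line becomes the only column name,
    which is exactly the single-column result the post warns about.
    """
    lines = text.splitlines()[skip_lines:]
    reader = csv.reader(lines)
    header = next(reader)
    # The "#Fields: " prefix stays glued to the first column name; strip it
    # so the column is addressable as plain "date-time".
    header[0] = header[0].replace("#Fields: ", "", 1)
    rows = [dict(zip(header, r)) for r in reader if r]
    return header, rows


def recipients_per_sender(rows, event="RECEIVE"):
    """Sum recipient-count per sender for one event-id, a quick way to spot a
    mailbox that suddenly submits mail to an unusual number of recipients."""
    totals = Counter()
    for r in rows:
        if r["event-id"] == event:
            totals[r["sender-address"]] += int(r["recipient-count"])
    return dict(totals)


if __name__ == "__main__":
    columns, rows = parse_tracking_log(SAMPLE_LOG)
    print(columns[:3], "...", len(columns), "columns")
    print(recipients_per_sender(rows))
```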