Managing Exchange Server 2007 log files (Part 2)

by [Published on 5 March 2009 / Last Updated on 5 March 2009]

Other methods to get log information in Exchange Server 2007.

If you like to read the other parts in this article series please go to:


In the first article of this series we saw how to enable debug in Exchange Server 2007 using Set-EventLogLevel cmdlet. In this article and the next one we will continue looking at logs configuration in Exchange Server 2007. Exchange Server 2007 allows enabling debug in several components, here are some of the components that we are going to play with in this article series:

  • Internet Information Services (IIS)
  • Message Records Management
  • Agent Transport logs
  • Message Tracking
  • Send and Receive Connectors
  • POP3 and IMAP4 protocols
  • Connectivity Logs

Being aware of where these components can be configured and keeping their logging information can be helpful during a troubleshoot process and also for report purposes.

Internet Information Services (IIS)

Exchange Server 2007 relies on IIS, and we can use the log files created by IIS to get information about OWA, ActiveSync, Autodiscover, OAB, and Web Services components utilization and also troubleshoot these components when required.

In order to validate the logging information we can open Internet Information Services (IIS) Manager which is located under Administrative Tools menu, expand Web Sites and then right click on the chosen website and click Properties (Figure 01). Make sure that the Enable Logging option is ticked then we can select a suitable format for the logs, the default configuration is W3C Extended Log File Format.

Figure 01

IIS log configuration is done at Website level, not at Virtual Directory level. In a default exchange installation we will have a single website named Default Web Site and all Exchange Virtual directories are located underneath it, such as: AutoDiscover, EWS, Exchange, OAB, UnifiedMessaging and etc. However, some companies do not use SAN (Subject Alternative Name) certificates as they opt for more than one Web Site in order to accommodate the required certificates. In this case, each Virtual Web Site has a log configuration and a different location where the log files are kept.

If you click on Properties in the Virtual Web Site main page, two tabs will open; General and Advanced. In General tab (Figure 02) you can control how often the log files will be generated (which is generated daily by default) and you will also have the file system location where all log files will be created, which by default is; C:\windows\system32\Logfiles. When this is done, a subdirectory will be created based on the Virtual Web Site ID (Figure 02). In this example the folder is listed as W3SVC1.

Figure 02

The Advanced tab allows you to select which fields will be logged by IIS in the log files, as shown in Figure 03. You can use this page as a reference for the column names that you are going to use with the Log Parser utility in the next step.

Figure 03

You can retrieve and troubleshoot from the IIS log files using any text editor, however, we can do a little bit more with the IIS log files using a tool called Log Parser. This tool allows you to run queries using SQL format to retrieve information from several sources, such as: CSV, EVT, IIS Log files, etc. The output may be a graphic, text, html csv, datagrid and so on.

How can we start using it?

Logparser is a command line utility (logparser.exe) of which we have some samples in the Samples folder which are created during the tool installation. You can create your own queries using the given templates or start from scratch. You should however be aware that all fields used in the queries come from the IIS fields that we have chosen in the previous figure (Figure 3).

Besides this, we should be aware of two basic parameters used by the tool, namely input and output. If you have any question regarding the tool utilization you can use LogParser –h and a summary with all the possible options will be displayed. Here are the two basic switches that we are going to use:

  • -i:<input format>” - Here we can select what is going to be the input format, in this case it will be IISW3C.
  • -o: <output-format>” – Which is the format in which the data will be displayed; in this case, we are going to use DataGrid which shows the information in a GUI.

So, if you open the folder Samples, then open the subfolder Queries you will be able to pick one of the existent queries. In my case, I chose Get authentication and authorization failures where we can see the Http error code that the end-user is receiving. Using the query that we copied from the samples with –I and –o like we have just seen, you will end up with the result shown in Figure 04.

Figure 04

In order to understand the HTTP status code we can get more information in the following Microsoft Kbs: HTTP Status code for IIS 5.0 and 6.0, and also for IIS 7.

POP and IMAP Protocols

By default POP3 and IMAP4 services are disabled and they also have log features disabled. If you enable one of these services in your environment and you want to troubleshoot the client process to connect and retrieve messages you can be managing the debug information of either of these protocols by changing the following files that are located in \Exchange Server\ClientAccess\PopImap folder.

  • Microsoft.Exchange.Pop3.exe.config for POP3 Service
  • Microsoft.Exchange.IMAP4.exe.config for IMAP4 service

Either log file has the same configuration to enable or disable log files, we just need to change the value of ProtocolLog parameter to true instead of false. All log files will be created on the path specified in the LogPath parameter, as shown in Figure 05.

 After enabling or disabling the log in POP/IMAP a restart of the service is required.

Figure 05

Now that we enabled the service and know where the files are generated, after the first connection using POP/IMAP we can open any of the log files and we will be able to validate the information logged between client and server, as shown in Figure 06.

Figure 06


In this second article we went over the IIS log configuration and also POP/IMAP log configuration in Exchange Server 2007.

If you like to read the other parts in this article series please go to:

See Also

The Author — Anderson Patricio

Anderson Patricio avatar

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).


Featured Links