Protocol logging records the SMTP conversations that occur between messaging servers and between Exchange services in the transport pipeline as part of message delivery. You can use protocol logging to diagnose mail flow problems. The SMTP conversations that can be recorded by protocol logging occur in the following locations:
Send connectors and Receive connectors in the Transport service on Mailbox servers.
Send connectors and Receive connectors in the Transport service on Edge Transport servers.
Receive connectors in the Front End Transport service on Mailbox servers.
The implicit and invisible intra-organization Send connector in the Transport service on Mailbox servers.
The implicit and invisible intra-organization Send connector in the Front End Transport service on Mailbox servers.
The implicit and invisible intra-organization Send connector in the Mailbox Transport Submission service on Mailbox servers.
The implicit and invisible Mailbox Delivery Receive connector in the Mailbox Transport Delivery service on Mailbox servers.
By default, protocol logging is enabled on the following connectors:
The default Receive connector named Default Frontend <ServerName> in the Front End Transport service on Mailbox servers.
The implicit and invisible Send connector in the Front End Transport service on Mailbox servers.
By default, protocol logging is disabled on all other connectors. You need to enable or disable protocol logging on each individual connector. You configure other protocol logging options for all Receive connectors or all Send connectors that exist in each individual transport service on the Exchange server. All Receive connectors in a transport service share the same protocol log files and protocol log options. These files and options are separate from the Send connector protocol log files and protocol log options in the same transport service on the Exchange server.
By default, Exchange uses circular logging to limit the protocol log based on file size and file age to help control the hard disk space that's used by the log files. To configure protocol logging, see Configure protocol logging.
Structure of the protocol log files
By default, the protocol log files exist in the following locations:
Mailbox Transport Delivery service on Mailbox servers (Receive connectors): %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive\Delivery
Mailbox Transport Submission service on Mailbox servers (Send connectors): %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend\Submission
Note: Protocol logging for side effect messages that are submitted after messages are delivered to mailboxes occurs in %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend\Delivery. For example, a message that's delivered to a mailbox triggers an Inbox rule that redirects the message to another recipient.
The naming convention for log files is SENDyyyyMMddhh-nnnn.log for Send connectors and RECVyyyyMMddhh-nnnn.log for Receive connectors. The placeholders represent the following information:
yyyyMMddhh is the coordinated universal time (UTC) date when the log file was created. yyyy = year, MM = month, dd = day and hh = hour.
nnnn is an instance number that starts at the value 1 every hour.
Information is written to the log file until the file reaches its maximum size. Then, a new log file that has an incremented instance number is opened (the first log file is -1, the next is -2, and so on). Circular logging deletes the oldest log files when either of the following conditions is true:
A log file reaches its maximum age.
The protocol log folder reaches its maximum size.
The protocol log files are text files that contain data in the comma-separated value file (CSV) format. Each protocol log file has a header that contains the following information:
#Software: The value is Microsoft Exchange Server.
#Version: Version number of the Exchange server that created the message tracking log file. The value uses the format 15.01.nnnn.nnn.
#Log-Type: The value is either SMTP Receive Protocol Log or SMTP Send Protocol Log.
#Date: UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-MM-ddThh:mm:ss.fffZ, where yyyy = year, MM = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
#Fields: Comma-delimited field names that are used in the protocol log files.
Fields in the protocol log
The protocol log stores each SMTP protocol event on a single line in the log. The information stored on each line is organized by fields, and these fields are separated by commas. The fields that are used in the protocol log are described in the following table.
Field name
Description
date-time
UTC date-time of the protocol event. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-MM-ddThh:mm:ss.fffZ, where yyyy = year, MM = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
connector-id
Distinguished name (DN) of the connector that's associated with the SMTP event.
session-id
GUID value that's unique for each SMTP session, but is the same for every event that's associated with that SMTP session.
sequence-number
Counter that starts at 0 and is incremented for each event in the same SMTP session.
local-endpoint
Local endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>: <port>.
remote-endpoint
Remote endpoint of an SMTP session. This consists of an IP address and TCP port number formatted as <IP address>: <port>.
event
Single character that represents the protocol event. Valid values are: +: Connect -: Disconnect >: Send <: Receive *: Information
data
Text information associated with the SMTP event.
context
Additional contextual information that may be associated with the SMTP event.
One SMTP conversation that represents sending or receiving a single email message generates multiple SMTP events. Each event is recorded on a separate line in the protocol log. An Exchange server has many SMTP conversations going on at any given time. This creates protocol log entries from different SMTP conversations that are mixed together. You can use the session-id and sequence-number fields to sort the protocol log entries by each individual SMTP conversation.
This module examines how Exchange Online Protection (EOP) protects organizations from phishing and spoofing. It also explores how EOP blocks spam, bulk email, and malware before they arrive in users’ mailboxes.