Managing Agent Logging

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Agent logs record the actions that specific anti-spam agents perform on a message. The agents must be installed and configured on a computer that is running Microsoft Exchange Server 2007 with the Edge Transport server role or the Hub Transport server role installed. Only the following agents can write information to the agent log:

  • Connection Filter agent

  • Content Filter agent

  • Edge Rules agent

  • Recipient Filter agent

  • Sender Filter agent

  • Sender ID agent

The information that is written to the agent log depends on the agent, the Simple Mail Transfer Protocol (SMTP) event, and the action that is performed on the message.

The only configurable option for agent logging is the AgentLogEnabled parameter in the EdgeTransport.exe.config application configuration file. By default, agent logging is enabled on Hub Transport servers and Edge Transport servers. The other agent log values, which are not configurable, are described in the following list:

  • The path where the agent logs are stored is C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog.

  • The maximum size for the individual agent log files is 10 MB.

  • The maximum size for the directory that contains the agent log files is 250 MB.

  • The maximum age for the agent log files is 30 days.

The Exchange 2007 server uses circular logging to limit the agent logs based on file size and file age to help control the hard disk space that is used by the log files.

Note

If you want to keep the agent log files longer than the fixed file age and directory size limits allow, you can create a scheduled task that periodically moves the agent log files that are no longer being written to a different location.

Note

By default, the transport logging process has a logging level value of 0 (Lowest). If you want Microsoft Exchange to write an event log entry when circular logging removes a log file, you must change the logging level value of the transport logging process to 5 (Maximum) or 7 (Expert). For more information, see How to Change Logging Levels for Exchange Processes.

An Overview of Transport Agents

Agents can only act upon messages at specific points in the SMTP command sequence that is used to transport the messages through a Hub Transport server or Edge Transport server. These access points in the SMTP command sequence are called SMTP events. Each agent has a priority value that can be assigned. However, the SMTP events must always occur in a specific order. Therefore, the agent priority depends on the SMTP event. If two agents can act on a message during the same SMTP event, the agent that has the highest priority will act on the message first.

Table 1 lists the SMTP events in order of occurrence and the agents that write information to the agent log in order of priority from highest to lowest for each SMTP event.

Table 1   SMTP events in order of occurrence and the agents that write information to the agent log in order of priority for each SMTP event

    SMTP event        Agent
    --------------    -----------------------
    OnConnect         Connection Filter agent
    OnMailCommand     Connection Filter agent
                      Sender Filter agent
    OnRcptCommand     Connection Filter agent
                      Recipient Filter agent
    OnEndOfHeaders    Connection Filter agent
                      Sender ID agent
                      Sender Filter agent
    OnEndOfData       Edge Rules agent
                      Content Filter agent

For more information about agents, SMTP events, and agent priority, see Overview of Transport Agents.

Structure of the Agent Log Files

The agent logs exist in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog.

The naming convention for the agent log files is AGENTLOGyyyymmdd-nnnn.log. The placeholders represent the following information:

  • The placeholder yyyymmdd is the Coordinated Universal Time (UTC) date that the log file was created. yyyy = year, mm = month, and dd = day.

  • The placeholder nnnn is an instance number that starts at the value of 1 for each day.

Information is written to the log file until the file size reaches 10 MB. Then, a new log file that has an incremented instance number is opened. This process is repeated throughout the day. Circular logging deletes the oldest log files when the agent log directory reaches 250 MB, or when a log file is 30 days old.

The agent log files are text files that contain data in the comma-separated value (CSV) format. Each agent log file has a header that contains the following information:

  • #Software:   The name of the software that created the agent log file. Typically, the value is Microsoft Exchange Server.

  • #Version:   The version number of the software that created the agent log file. Currently, the value is 8.0.0.0.

  • #Log-Type:   The value of this field is Agent Log.

  • #Date:   The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • #Fields:   The comma delimited field names that are used in the agent log files.

Information That Is Written to the Agent Log

The agent log stores each agent transaction on a single line in the log. The information on each line is organized into comma-separated fields. The field name is generally descriptive enough to determine the type of information that it contains. However, some fields may be blank, and the type of information that is stored in a field may change depending on the agent and the action that the agent performs on the message. Table 2 describes the fields that are used to classify each agent transaction.

Table 2   Fields that are used to classify each agent transaction

Field name Description

Timestamp

The UTC date-time of the agent event. This is represented in the ISO 8601 format. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu.

SessionId

The unique SMTP session identifier. This identifier is represented as a 16-digit hexadecimal number.

LocalEndpoint

The local IP address and port number that accepted the message. SMTP sessions typically use port 25.

RemoteEndpoint

The IP address and port number of the previous SMTP server that connected to this server to deliver the message. In a topology that has both Edge Transport servers and Hub Transport servers, the value of RemoteEndpoint in the agent log on the Hub Transport server will be the IP address of the Edge Transport server. Even though the message is transmitted by SMTP, the port number that is used by the sending server will be an ephemeral port, a number larger than 1024.

EnteredOrgFromIP

The IP address of the remote SMTP server that first connected to the Exchange organization to deliver the message. On an Edge Transport server, the values of RemoteEndpoint and EnteredOrgFromIP are the same. Anti-spam agents use the IP address in EnteredOrgFromIP to examine a message.

MessageId

The value of the Message-ID: header field. If this value is blank, the Exchange 2007 transport server assigns an arbitrary value, but only if the message is accepted. Once assigned, the value of Message-ID: is constant for the lifetime of the message.

P1FromAddress

The sender e-mail address that is specified in MAIL FROM: in the message envelope. This value is used to transport the message between SMTP messaging servers. It is compared with the value of P2FromAddresses to determine whether the sender address in the message header is forged.

P2FromAddresses

The sender e-mail address specified in the From: header field or in the Sender: header field in the message header.

Recipient

The e-mail address of one recipient of the message. Although the original message may contain multiple recipients, only one recipient is displayed per line in the agent log.

NumRecipients

The total number of recipients in the original message.

Agent

The name of the agent that took the action. The possible values are as follows:

  • Connection Filter agent

  • Content Filter agent

  • Edge Rules agent

  • Recipient Filter agent

  • Sender Filter agent

  • Sender ID agent

Event

The SMTP event where the action was taken by the agent. The value of Event depends on the agent. The SMTP events that are available to each agent are described in Table 1 earlier in this topic. The possible values for Event are as follows:

  • OnConnect

  • OnEndOfHeaders

  • OnEndOfData

  • OnMailCommand

  • OnRcptCommand

Action

The action that is performed on the message by the agent. The possible values for Action are as follows:

  • AcceptMessage

  • DeleteMessage

  • DeleteRecipients

  • Disconnect

  • QuarantineMessage

  • QuarantineRecipients

  • RejectAuthentication

  • RejectCommand

  • RejectConnection

  • RejectMessage

  • RejectRecipients

SmtpResponse

The Enhanced SMTP response as defined in RFC 2034.

Reason

The reason for the action that is supplied by the agent.

ReasonData

The descriptive details for the action that is supplied by the agent.
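The following Python script is an added example, not part of this topic or of Exchange itself. It parses the agent log layout described above (the # header lines and the Table 2 fields), totals actions per agent, and flags lines whose P1FromAddress and P2FromAddresses domains differ, the comparison that the P1FromAddress description mentions. The log content is constructed sample data; the addresses, IP addresses, session identifiers and reason strings are made up.

```python
import csv
from collections import Counter

# Constructed sample of an AGENTLOGyyyymmdd-nnnn.log file (not a real log): the
# header lines and field order follow the layout described in this topic.
SAMPLE_AGENT_LOG = """\
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-Type: Agent Log
#Date: 2009-03-10T00:00:00.000Z
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData
2009-03-10T10:15:01.120Z,08CB5F2A1D3E4F00,192.0.2.10:25,198.51.100.7:49211,198.51.100.7,<a1@mail.example.net>,bulk@example.net,ceo@corp.example,alice@corp.example,1,Content Filter agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected due to content restrictions,SCL above reject threshold,8
2009-03-10T10:15:03.544Z,08CB5F2A1D3E4F01,192.0.2.10:25,203.0.113.9:51002,203.0.113.9,,sales@partner.example,,bob@corp.example,2,Recipient Filter agent,OnRcptCommand,RejectRecipients,550 5.1.1 User unknown,Recipient does not exist,
2009-03-10T10:15:03.544Z,08CB5F2A1D3E4F01,192.0.2.10:25,203.0.113.9:51002,203.0.113.9,<b2@partner.example>,sales@partner.example,sales@partner.example,carol@corp.example,2,Content Filter agent,OnEndOfData,AcceptMessage,,SCL at or below tolerance,3
"""


def parse_agent_log(text):
    """Return (header, rows); row keys come from the #Fields: header line."""
    header, fields, data_lines = {}, None, []
    for line in text.splitlines():
        if line.startswith("#"):                 # #Software, #Version, ...
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip().lower() == "fields":
                fields = [f.strip() for f in value.split(",")]
        elif line.strip():
            data_lines.append(line)
    if fields is None:
        raise ValueError("agent log has no #Fields: header line")
    # csv.reader copes with quoted fields, e.g. an SmtpResponse containing a comma
    return header, [dict(zip(fields, rec)) for rec in csv.reader(data_lines)]


def actions_by_agent(rows):
    """Count (Agent, Action) pairs; the log has one line per recipient."""
    return Counter((r["Agent"], r["Action"]) for r in rows)


def _domain(address):
    return address.strip("<>").rpartition("@")[2].lower()


def envelope_header_mismatches(rows):
    """Lines whose MAIL FROM domain (P1FromAddress) differs from the From:/Sender:
    domain (P2FromAddresses). Blank values are skipped: a bounce has an empty
    MAIL FROM, and lines logged before the headers arrive have no P2 value."""
    hits = []
    for r in rows:
        p1, p2 = r["P1FromAddress"], r["P2FromAddresses"]
        if p1 and p2 and _domain(p1) != _domain(p2):
            hits.append((r["SessionId"], p1, p2, r["Action"]))
    return hits
```

A mismatch is only a lead: legitimate mailing lists and forwarders also send with a MAIL FROM domain that differs from the From: header, so correlate hits with the agent's Action and Reason before acting on them.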

Searching the Agent Logs

You can use the Get-AgentLog cmdlet in the Exchange Management Shell and the Get-AntiSpamFilteringReport script to search the agent logs.

For more information, see Get-AgentLog.

How to Enable or Disable Agent Logging

By default, agent logging is enabled on a Hub Transport server or an Edge Transport server. Agent logging is enabled or disabled by modifying the EdgeTransport.exe.config file that is located in C:\Program Files\Microsoft\Exchange Server\Bin. The EdgeTransport.exe.config file is an XML application configuration file that is associated with the EdgeTransport.exe file. EdgeTransport.exe and MSExchangeTransport.exe are the executable files that are used by the Microsoft Exchange Transport service. This service runs on every Hub Transport server or Edge Transport server. Changes that are made to the EdgeTransport.exe.config file are applied after the Microsoft Exchange Transport service is restarted.

The following example shows the typical structure of the EdgeTransport.exe.config file:

    <configuration>
      <runtime>
        <gcServer enabled="true" />
      </runtime>
      <appSettings>
        <add key="Configuration Option" value="Value" />
        ...
      </appSettings>
    </configuration>

You can add new configuration options or modify existing configuration options in the <appSettings> section. Many of the available configuration options are unrelated to agent logging, and those options are outside the scope of this topic.

Note

The parameter names in the <add key=.../> elements are case sensitive.

To enable or disable agent logging

  1. Open the following file by using Notepad: C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config

  2. Modify the following line in the <appSettings> section:

    <add key="AgentLogEnabled" value="<TRUE | FALSE>" />

    For example, to disable agent logging, modify the AgentLogEnabled parameter as follows:

    <add key="AgentLogEnabled" value="FALSE" />

  3. Save and close the EdgeTransport.exe.config file.

  4. Restart the Microsoft Exchange Transport service.

For More Information

For more information, see Anti-Spam and Antivirus Functionality.