PROBLEM IN THE MS EXCHANGE 2007 PROTOCOL LOG FORMAT
Hi,
I am a log analyst and am currently working on the MS Exchange 2007 logs. I got hold of the send and receive protocol logs, but I observed that their format does not match the format given on the Microsoft TechNet site. I mean that the number of fields and also the formatting do not match.
On the Microsoft site it is mentioned that the logs will come in the comma-separated field format. Also, the fields that should be present are:
Date-time
connector-id
session-id
sequence number
local-endpoint
remote-endpoint
event
data
context
But the send protocol log looks like this:
<220 edgedns3 ESMTP Microsoft ESMTP MAIL Service, Version: 8.0.647.0; Tue, 29 Aug 2006 04:22:00 -0700 (PDT)>EHLO edgea36.dns.contoso.com<250-edgedns3 Hello woodgrove.com [192.168.0.2], pleased to meet you<250-ENHANCEDSTATUSCODES<250-PIPELINING<250-EXPN<250-VERB<250-8BITMIME<250-SIZE<250-DSN<250-ETRN<250-STARTTLS<250-DELIVERBY<250 HELP>STARTTLS<220 2.0.0 Ready to start TLS*Sending certificate*CN=edgea36, Certificate subject*CN=edgea36, Certificate issuer name*CA2EDF2487C6F09B4E413FD3812A7F89, Certificate serial number*E8DA062786FD097DD8D79FF10C583CC23AD64F6C, Certificate thumbprint*edgea36;edgea36.dns.contoso.com, Certificate alternate names*Received certificate*CN=smi.extest.contoso.com, OU=Contoso, O=Corp, L=Spokane, S=WA, C=US, Certificate subject*CN=ExCertDom EntSub Issuing CA v1.0, DC=ExCertDom, DC=ExTest, DC=Contoso, DC=Com, Certificate issuer name*446DD186000A00002819, Certificate serial number*DC27B5F8657F84B15B5004BE63CE482721871582, Certificate thumbprint*smi.extest.contoso.com, Certificate alternate names>EHLO edgea36.dns.contoso.com<250-edgedns3 Hello woodgrove.com [192.168.0.2], pleased to meet you<250-ENHANCEDSTATUSCODES<250-PIPELINING<250-EXPN<250-VERB<250-8BITMIME<250-SIZE<250-DSN<250-ETRN<250-DELIVERBY<250 HELP*08C895F533E837EC;2006-08-28T22:37:53.323Z;1, sending message>MAIL FROM:<user@woodgrove.com> SIZE=614>RCPT TO:<root@smi.extest.contoso.com><250 2.1.0 <user@woodgrove.com>... Sender ok<250 2.1.5 <root@smi.extest.contoso.com>... Recipient ok>DATA<354 Enter mail, end with "." on a line by itself<250 2.0.0 k7TBM0BZ000043 Message accepted for delivery>QUIT<221 2.0.0 edgedns3 closing connection
In the above log only the first line is in the comma-separated format, and even that has missing fields. Could someone please explain what the problem is here and why this discrepancy is present?
Thanks,
Yuvika
July 2nd, 2008 7:53am
Hi Yuvika,
Firstly, below is the send protocol log which I gathered from my test lab. My Exchange Server is 2007 Service Pack 1.
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2008-06-09T06:04:34.509Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2008-06-09T06:04:34.509Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,0,,192.168.1.4:25,*,,attempting to connect
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,1,192.168.1.1:19852,192.168.1.4:25,+,,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,2,192.168.1.1:19852,192.168.1.4:25,<,"220 ex2k7.sinbe.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Mon, 9 Jun 2008 14:04:34 +0800 ",
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,3,192.168.1.1:19852,192.168.1.4:25,>,EHLO Ex2k7.lab.com,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,4,192.168.1.1:19852,192.168.1.4:25,<,250-ex2k7.sinbe.com Hello [192.168.1.1],
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,5,192.168.1.1:19852,192.168.1.4:25,<,250-TURN,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,6,192.168.1.1:19852,192.168.1.4:25,<,250-SIZE,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,7,192.168.1.1:19852,192.168.1.4:25,<,250-ETRN,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,8,192.168.1.1:19852,192.168.1.4:25,<,250-PIPELINING,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,9,192.168.1.1:19852,192.168.1.4:25,<,250-DSN,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,10,192.168.1.1:19852,192.168.1.4:25,<,250-ENHANCEDSTATUSCODES,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,11,192.168.1.1:19852,192.168.1.4:25,<,250-8bitmime,
2008-06-09T06:04:34.519Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,12,192.168.1.1:19852,192.168.1.4:25,<,250-BINARYMIME,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,13,192.168.1.1:19852,192.168.1.4:25,<,250-CHUNKING,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,14,192.168.1.1:19852,192.168.1.4:25,<,250-VRFY,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,15,192.168.1.1:19852,192.168.1.4:25,<,250-X-EXPS GSSAPI NTLM LOGIN,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,16,192.168.1.1:19852,192.168.1.4:25,<,250-X-EXPS=LOGIN,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,17,192.168.1.1:19852,192.168.1.4:25,<,250-AUTH GSSAPI NTLM LOGIN,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,18,192.168.1.1:19852,192.168.1.4:25,<,250-AUTH=LOGIN,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,19,192.168.1.1:19852,192.168.1.4:25,<,250-X-LINK2STATE,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,20,192.168.1.1:19852,192.168.1.4:25,<,250-XEXCH50,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,21,192.168.1.1:19852,192.168.1.4:25,<,250 OK,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,22,192.168.1.1:19852,192.168.1.4:25,*,112,sending message
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,23,192.168.1.1:19852,192.168.1.4:25,>,MAIL FROM:<> SIZE=6986,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,24,192.168.1.1:19852,192.168.1.4:25,>,RCPT TO:<Sarah@sinbe.com>,
2008-06-09T06:04:34.529Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,25,192.168.1.1:19852,192.168.1.4:25,<,250 2.1.0 <>....Sender OK,
2008-06-09T06:04:34.719Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,26,192.168.1.1:19852,192.168.1.4:25,<,250 2.1.5 Sarah@sinbe.com ,
2008-06-09T06:04:34.719Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,27,192.168.1.1:19852,192.168.1.4:25,>,BDAT 6588 LAST,
2008-06-09T06:04:34.769Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,28,192.168.1.1:19852,192.168.1.4:25,<,250 2.6.0 <6ee5beba-cff3-4b91-aba1-2f9f81203a83> Queued mail for delivery,
2008-06-09T06:04:34.769Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,29,192.168.1.1:19852,192.168.1.4:25,>,QUIT,
2008-06-09T06:04:34.769Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,30,192.168.1.1:19852,192.168.1.4:25,<,221 2.0.0 ex2k7.sinbe.com Service closing transmission channel,
2008-06-09T06:04:34.769Z,EdgeSync - Default-First-Site-Name to Internet,08CA940CEDD40705,31,192.168.1.1:19852,192.168.1.4:25,-,,Local
Regarding the Send Protocol log which you posted, I would like to know whether you get the example from the following WhitePaper:
http://technet.microsoft.com/en-us/library/bb266978(EXCHG.80).aspx
Mike
July 7th, 2008 8:38am
Hi Mike,
Sorry for the late reply. Yeah, I got the logs from that whitepaper itself. Thanks for providing me the proper logs. Can you tell me what exactly the local and remote endpoint fields are?
Thanks,
Yuvika
July 18th, 2008 9:39am
Hi Yuvika,
The local end point is the IP Address 192.168.1.1 which is my Exchange 2007 Server.
The remote end point is the IP Address 192.168.1.4 which is another Exchange server.
The log information records the Exchange 2007 Server 192.168.1.1 attempting to send an email to another Exchange Server 192.168.1.4.
Mike
July 21st, 2008 11:06am
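The layout Mike posted (a "#Fields:" header followed by one event per comma-separated line, with quoted data fields when the data itself contains commas) and the local/remote endpoint question both lend themselves to a small parser. The following is an added example, not code from the thread or from Microsoft; the log text is constructed in that layout with placeholder hostnames and the connector name shortened, and the helper names are my own.

```python
import csv
from collections import defaultdict

# Constructed sample in the Exchange 2007 protocol-log layout (not the thread's own log).
# Note the empty local-endpoint on sequence 0: it is only filled in once the socket is up.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2008-06-09T06:04:34.509Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2008-06-09T06:04:34.509Z,Conn A,08CA940CEDD40705,0,,192.168.1.4:25,*,,attempting to connect
2008-06-09T06:04:34.519Z,Conn A,08CA940CEDD40705,1,192.168.1.1:19852,192.168.1.4:25,+,,
2008-06-09T06:04:34.519Z,Conn A,08CA940CEDD40705,2,192.168.1.1:19852,192.168.1.4:25,<,"220 ex2k7.example.com Microsoft ESMTP MAIL Service, ready",
2008-06-09T06:04:34.519Z,Conn A,08CA940CEDD40705,3,192.168.1.1:19852,192.168.1.4:25,>,EHLO Ex2k7.lab.com,
2008-06-09T06:04:34.529Z,Conn A,08CA940CEDD40705,23,192.168.1.1:19852,192.168.1.4:25,>,MAIL FROM:<> SIZE=6986,
2008-06-09T06:04:34.529Z,Conn A,08CA940CEDD40705,24,192.168.1.1:19852,192.168.1.4:25,>,RCPT TO:<Sarah@example.com>,
2008-06-09T06:04:34.769Z,Conn A,08CA940CEDD40705,31,192.168.1.1:19852,192.168.1.4:25,-,,Local
"""


def parse_protocol_log(text):
    """Return (field_names, rows); each row is a dict keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#"):      # other header lines are metadata only
            continue
        if fields is None:
            raise ValueError("data row seen before #Fields header")
        values = next(csv.reader([line]))         # csv handles the quoted, comma-bearing data field
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return fields, rows


def summarize_sessions(rows):
    """Group rows by session-id: endpoints once known, SMTP verbs sent (>), replies received (<)."""
    sessions = defaultdict(lambda: {"local": "", "remote": "", "sent": [], "received": []})
    for r in rows:
        s = sessions[r["session-id"]]
        s["local"] = s["local"] or r["local-endpoint"]    # empty until the connection is established
        s["remote"] = s["remote"] or r["remote-endpoint"]
        if r["event"] == ">":
            s["sent"].append(r["data"].split(" ", 1)[0])  # keep just the verb: EHLO, MAIL, RCPT, ...
        elif r["event"] == "<":
            s["received"].append(r["data"])
    return dict(sessions)
```

Running the two functions over a real send or receive protocol log gives one record per session with the same local/remote pairing Mike describes, which is a convenient starting point for spotting sessions that never reach MAIL FROM or that end with an unexpected reply code.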
Hey Mike,
Thanks a lot for all your help.
Yuvika
July 21st, 2008 5:14pm
Hi Mike,
I urgently require a bulk of message tracking logs. Can you provide me with that? The logs should include all the events, most importantly SEND event.
July 22nd, 2008 4:10pm