Troubleshooting: Exchange environment with Event viewer

There are quite a number of tools available for finding issues in an Exchange Server environment. Here we’re going to look at the Event Viewer. Interestingly, Event Viewer is not directly meant for or designed around Exchange Server; it is designed for the Windows operating system.

So what can we get in the Event viewer?

Using the event logs in Event Viewer, we can gather information about hardware, software, and system problems, and you can monitor Windows operating system security events. In Event Viewer, both the application log and the system log contain errors, warnings, and informational events that are related to the operation of Exchange Server, the SMTP service, and other applications.

What else we can get?

You can use Event Viewer to obtain information about service failures, replication errors in the Active Directory directory service, and warnings about system resources such as virtual memory and disk space. Use Event Viewer to view and manage event logs; obtain information about hardware, software, and system problems that must be resolved; and identify trends that require future action.

Event Viewer maintains logs about application, security, and system events on your computer. Both Microsoft Exchange Server and Microsoft Windows report warnings and error conditions to the event logs. Therefore, make sure that you review event logs daily.

How to identify the issues in Event Viewer?

To identify the cause of message flow issues, carefully review the data that is contained in the application log and system log. Use the following procedure to view errors, warnings, and informational events in the application log.

Types of Logs Found in Event Viewer

Microsoft Windows Server 2003, Windows XP, Windows 2000 Server, and Windows NT record events in three kinds of logs:

  • Application log   The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. The program developer decides which events to record.
  • System log   The System log contains events logged by the Windows operating system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by the Windows operating system.
  • Security log   The Security log can record security events such as valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files. An administrator can specify what events are recorded in the Security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the Security log.

Servers running Windows Server 2003 and Windows 2000 Server that are domain controllers might have the following additional logs in Event Viewer:

  • Directory Service log   Windows Server 2003 and Windows 2000 Server directory service logs events in the Directory Service log. This includes any information regarding the Active Directory® directory service and Active Directory database maintenance.
  • File Replication Service log   File Replication Service (FRS) logs its events in this log. This service is used for replication of files, such as domain policies, between domain controllers.
  • DNS Server service log   This log includes events related to the Domain Name System (DNS) Server service running on Windows Server 2003 and Windows 2000 Server. This will show only on DNS servers running Windows Server 2003 and Windows 2000 Server.

Types of Events Logged

The icon on the left side of the Event Viewer screen describes the classification of the event by the Windows operating system. Event Viewer displays these types of events:

  • Error   A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error will be logged.
  • Warning   An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a warning will be logged.
  • Information   An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an information event will be logged.
  • Success Audit   An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.
  • Failure Audit   An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

What are the main event components of the Event viewer?

The main event components are as follows:

  • Source   The software that logged the event, which can be either an application name, such as Microsoft SQL Server™, or a component of the system or of a large application, such as MSExchangeIS, which is the Microsoft Exchange Information Store service.
  • Category   A classification of the event by the event source. For example, the security categories include Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management.
  • Event ID   A unique number for each source to identify the event.
  • User   The user name for the user who was logged on and working when the event occurred. N/A indicates that the entry did not specify a user.
  • Computer   The computer name for the computer where the event occurred.
  • Description   This field provides the actual text of the event, or how the application that logged the event explains what has happened.
  • Data   Displays binary data generated by the event in hexadecimal (bytes) or DWORDS (words) format. Not all events generate binary data. Programmers and support professionals familiar with the source application can interpret this information.

A couple of Exchange-specific samples from the Event Viewer:

How to view the Application log in the Event Viewer?

  1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

  2. In the console tree, click Application Log.

  3. To sort the log alphabetically and quickly locate an entry for an Exchange service, in the details pane, click Source.

  4. Double-click a log entry to open an event's properties page.

  5. To filter the log to list entries for a specific type of Exchange-related event, from the View menu, click Filter.

  6. In Application Log Properties, use the Event source list to select an Exchange-related event source. For example:

    • MSExchangeTransport   Events that are recorded when SMTP is used to route messages.
    • IMAP4Svc   Events that are related to the service that allows users to access mailboxes and public folders through IMAP4.
    • MSExchangeAL   Events that are related to the service that addresses e-mail messages through address lists.
    • MSExchangeIS   Events that are related to the service that allows access to the Exchange Information Store service.
    • MSExchangeMTA   Events that are related to the service that allows X.400 connectors to use the message transfer agent (MTA).
    • MSExchangeMU   Events that are related to the metabase update service, a component that reads information from Active Directory and transposes it to the local IIS metabase.
    • MSExchangeSA   Events that are recorded when Exchange uses Active Directory to store and share directory information.
    • MSExchangeSRS   Events that are recorded when Site Replication Service (SRS) is used to replicate computers running Exchange 2003 with computers running Exchange 5.5.
    • POP3Svc   Events that are recorded whenever Post Office Protocol version 3 (POP3) is used to access e-mail.

  7. In the Category list, select a specific set of events or, to view all events for that event source, leave the default setting at All.

  8. Click OK.

How to view the System log in the Event Viewer?

Use the following procedure to view errors, warnings, and informational events in the System log for the SMTP service.

  1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

  2. In the console tree, click System Log.

  3. To sort the log alphabetically and quickly locate an entry for an Exchange service, in the details pane, click Source.

  4. Double-click a log entry to open an event's properties page.

  5. To filter the log to list entries for a specific type of SMTP service event, from the View menu, click Filter.

  6. In System Log Properties, in the Event source list, select SMTPSVC.

  7. In the Category list, select a specific set of events or, to view all events for the SMTP service, leave the default setting at All.

  8. Click OK.

Troubleshooting with Event viewer and Exchange Server:

Within each Event Viewer log, Exchange Server records informational, warning, and error events. Monitor these logs closely to track the types of transactions being conducted on your Exchange servers. You should periodically archive the logs or use automatic rollover to avoid running out of space. Because log files can occupy a finite amount of space, increase the log size (for example, to 50 MB) and set it to overwrite, so that Exchange Server can continue to write new events.

You can also automate event log administration by using tools and technologies such as the following:

  • Event Comb   The Event Comb tool lets you gather specific events from the event logs of several computers into one central location. It also lets you report on only the event IDs or event sources you specify. For more information about Event Comb, see the Account Lockout and Management Tools Web site.
  • Eventtriggers   You can also use command-line tools to create and query event logs and associate programs with particular logged events. By using Eventtriggers.exe, you can create event triggers that will run programs when specific events occur. For more information about Eventtriggers, see the Windows Server 2003 topic New command-line tools and the Windows XP topic Managing event logs from the Command Line.
  • Microsoft Operations Manager   You can use Microsoft Operations Manager (MOM) to monitor the health and use of Exchange servers. Exchange 2007 Management Pack extends Microsoft Operations Manager by providing specialized monitoring for servers that are running Exchange 2007. This management pack includes a definition of health for an Exchange 2007 server and will raise an alert message to the administrator if it detects a state that requires intervention. For more information about Exchange 2007 Management Pack, see the Microsoft Operations Manager Web site.
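The same Application-log and System-log filters described in the two procedures above, applied across several servers at once in the way Event Comb centralises events, as an added PowerShell example that is not code from the original article. It assumes Windows PowerShell 5.1 (Get-EventLog), remote event log access to the servers, and the server names EXCH01 and EXCH02 are placeholders for your own.

```powershell
# Added example, not code from the original article: applies the article's filter
# (Exchange-related sources, Error and Warning entries only) to the Application log,
# and SMTPSVC entries in the System log, across several servers, the kind of central
# collection the article describes for Event Comb. Assumes Windows PowerShell 5.1
# (Get-EventLog), remote event log access, and placeholder server names.
function Get-ExchangeEventSummary {
    param(
        [string[]]$ComputerName = @('EXCH01', 'EXCH02'),  # placeholders
        [int]$Hours = 24                                   # look-back window
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Log-to-source map from the article: Exchange sources log to Application, the
    # SMTP service (SMTPSVC) logs to System. -Source accepts wildcards, so
    # MSExchange* matches MSExchangeIS, MSExchangeSA, MSExchangeTransport, ...
    $queries = @(
        @{ LogName = 'Application'; Source = @('MSExchange*', 'IMAP4Svc', 'POP3Svc') },
        @{ LogName = 'System';      Source = @('SMTPSVC') }
    )
    $events = foreach ($server in $ComputerName) {
        foreach ($q in $queries) {
            try {
                Get-EventLog -ComputerName $server -LogName $q.LogName -Source $q.Source `
                             -EntryType Error, Warning -After $since -ErrorAction Stop |
                    Select-Object @{ n = 'Server'; e = { $server } },
                                  TimeGenerated, EntryType, Source, EventID, Message
            }
            catch {
                # Unreachable server or missing source: report it, keep going.
                Write-Warning "$server/$($q.LogName): $($_.Exception.Message)"
            }
        }
    }
    # Event IDs are only unique per source, so the trend key is Source + EventID.
    $events |
        Group-Object Server, Source, EventID |
        ForEach-Object {
            $newest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Server  = $newest.Server
                Source  = $newest.Source
                EventID = $newest.EventID
                Type    = $newest.EntryType
                Count   = $_.Count
                Latest  = $newest.TimeGenerated
                Sample  = ($newest.Message -split "`n")[0]   # first line of the description
            }
        } |
        Sort-Object Count -Descending
}
```

Run it as `Get-ExchangeEventSummary -ComputerName 'EXCH01','EXCH02' -Hours 48 | Format-Table -AutoSize`; the per-source, per-Event-ID counts are the trend view the article recommends reviewing daily, and a `Sample` line that repeats across servers points at a shared cause.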

Reference MSDN articles:

https://technet.microsoft.com/en-us/library/aa996117(EXCHG.65).aspx
https://technet.microsoft.com/en-us/library/aa996634(EXCHG.65).aspx
https://technet.microsoft.com/en-us/library/aa996105(EXCHG.65).aspx
https://technet.microsoft.com/en-us/library/bb232137(EXCHG.80).aspx