Managing Diagnostic Logging with Exchange Server 2007

For those familiar with the GUI for Exchange Server 2003 diagnostic logging, the new Exchange Server 2007 diagnostic logging cmdlets might seem a little daunting at first. But with a little PowerShell understanding they become much easier to manage. Let's take a look at a few examples.

First of all, the two shell cmdlets we are going to use are Get-EventLogLevel and Set-EventLogLevel. Each does what its name suggests, and they can be combined to manage multiple diagnostic logging items quickly and easily. The -Level parameter of each cmdlet determines what level of diagnostic logging is displayed. The levels you can choose are 0 (Lowest), 1 (Low), 3 (Medium), 5 (High), and 7 (Expert). Usually level 5 (High) is adequate, but sometimes you will want level 7 (Expert). The default level is 0 (Lowest), and logging should always be reset to it once your troubleshooting is complete.

Running Get-EventLogLevel on its own will output a long list of diagnostic logging items.

[PS] C:\>Get-EventLogLevel

Identity                                                             EventLevel
--------                                                             ----------
MSExchange ActiveSync\Requests                                       Lowest
MSExchange ActiveSync\Configuration                                  Lowest
MSExchange Antispam\General                                          Lowest
MSExchange Autodiscover\Core                                         Lowest
MSExchange Autodiscover\Web                                          Lowest
...

To change the diagnostic logging level for one of these items we use Set-EventLogLevel.

[PS] C:\>Set-EventLogLevel "MSExchange ActiveSync\Requests" -Level 5

You can see the outcome of this by running Get-EventLogLevel again.

[PS] C:\>Get-EventLogLevel

Identity                                                             EventLevel
--------                                                             ----------
MSExchange ActiveSync\Requests                                       High
MSExchange ActiveSync\Configuration                                  Lowest
MSExchange Antispam\General                                          Lowest
MSExchange Autodiscover\Core                                         Lowest
...

Changing the level back uses the same command with a different -Level value.

[PS] C:\>Set-EventLogLevel "MSExchange ActiveSync\Requests" -Level 0

Now let's say you are troubleshooting a Public Folder issue and want to turn up all of the diagnostic logging items for Public Folders. You could run the Set-EventLogLevel cmdlet for each of the Public Folder logging items, but that would be quite tedious as there are quite a few.

MSExchangeIS\9001 Public\Transport General                           Lowest
MSExchangeIS\9001 Public\General                                     Lowest
MSExchangeIS\9001 Public\Replication DS Updates                      Lowest
MSExchangeIS\9001 Public\Replication Incoming Messages               Lowest
MSExchangeIS\9001 Public\Replication Outgoing Messages               Lowest
MSExchangeIS\9001 Public\Replication NDRs                            Lowest
MSExchangeIS\9001 Public\Transport Sending                           Lowest
MSExchangeIS\9001 Public\Transport Delivering                        Lowest
MSExchangeIS\9001 Public\MTA Connections                             Lowest
MSExchangeIS\9001 Public\Logons                                      Lowest
MSExchangeIS\9001 Public\Access Control                              Lowest
MSExchangeIS\9001 Public\Send On Behalf Of                           Lowest
MSExchangeIS\9001 Public\Send As                                     Lowest
MSExchangeIS\9001 Public\Rules                                       Lowest
MSExchangeIS\9001 Public\Storage Limits                              Lowest
MSExchangeIS\9001 Public\Replication Site Folders                    Lowest
MSExchangeIS\9001 Public\Replication Expiry                          Lowest
MSExchangeIS\9001 Public\Replication Conflicts                       Lowest
MSExchangeIS\9001 Public\Replication Backfill                        Lowest
MSExchangeIS\9001 Public\Background Cleanup                          Lowest
MSExchangeIS\9001 Public\Replication Errors                          Lowest
MSExchangeIS\9001 Public\DS Synchronization                          Lowest
MSExchangeIS\9001 Public\Views                                       Lowest
MSExchangeIS\9001 Public\Replication General                         Lowest
MSExchangeIS\9001 Public\Download                                    Lowest
MSExchangeIS\9001 Public\Local Replication                           Lowest

With a little PowerShell syntax we can set the logging level of all of these items in a single command.

[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS\9001 Public\*"} | Set-EventLogLevel -Level 5

Get-EventLogLevel will show us the outcome of this.

[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS\9001 Public\*"}

Identity                                                             EventLevel
--------                                                             ----------
MSExchangeIS\9001 Public\Transport General                           High
MSExchangeIS\9001 Public\General                                     High
MSExchangeIS\9001 Public\Replication DS Updates                      High
MSExchangeIS\9001 Public\Replication Incoming Messages               High
MSExchangeIS\9001 Public\Replication Outgoing Messages               High
MSExchangeIS\9001 Public\Replication NDRs                            High
MSExchangeIS\9001 Public\Transport Sending                           High
MSExchangeIS\9001 Public\Transport Delivering                        High
MSExchangeIS\9001 Public\MTA Connections                             High
MSExchangeIS\9001 Public\Logons                                      High
MSExchangeIS\9001 Public\Access Control                              High
MSExchangeIS\9001 Public\Send On Behalf Of                           High
MSExchangeIS\9001 Public\Send As                                     High
MSExchangeIS\9001 Public\Rules                                       High
MSExchangeIS\9001 Public\Storage Limits                              High
MSExchangeIS\9001 Public\Replication Site Folders                    High
MSExchangeIS\9001 Public\Replication Expiry                          High
MSExchangeIS\9001 Public\Replication Conflicts                       High
MSExchangeIS\9001 Public\Replication Backfill                        High
MSExchangeIS\9001 Public\Background Cleanup                          High
MSExchangeIS\9001 Public\Replication Errors                          High
MSExchangeIS\9001 Public\DS Synchronization                          High
MSExchangeIS\9001 Public\Views                                       High
MSExchangeIS\9001 Public\Replication General                         High
MSExchangeIS\9001 Public\Download                                    High
MSExchangeIS\9001 Public\Local Replication                           High

To reset the logging levels when we are finished troubleshooting just use the same command string with the value for Lowest.

[PS] C:\>Get-EventLogLevel | where {$_.identity -like "MSExchangeIS\9001 Public\*"} | Set-EventLogLevel -Level 0

Now let's say you have a server with several different diagnostic logging items set to High, filling up your Application event log with entries. Some are Public Folder related, some are Transport related, and resetting them all would mean several individual commands. You also don't want to touch any of the items set to other levels such as Low.

[PS] C:\>Get-EventLogLevel | where {$_.EventLevel -ne "Lowest" -and $_.EventLevel -ne "Low"}

By piping that command to the Set-EventLogLevel cmdlet you can reset any logging item that is not already set to Lowest or Low.

[PS] C:\>Get-EventLogLevel | where {$_.EventLevel -ne "Lowest" -and $_.EventLevel -ne "Low"} | Set-EventLogLevel -Level 0

Now all of the various items that were set to Medium, High, or Expert levels have been reset to Lowest.
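An added example (not from the original article): instead of resetting everything to Lowest, this records the levels in place before troubleshooting and restores exactly those afterwards, so items deliberately left at Low or Medium are preserved. The function names and the CSV path are assumptions made for illustration.

```powershell
# Added example: function names and the baseline file path are hypothetical.
# Run in the Exchange Management Shell on the server being troubleshot.

$baselineFile = "$env:TEMP\EventLogLevel-baseline.csv"   # assumed location

# Record the current level of every logging item whose identity matches $Filter.
function Save-EventLogLevelBaseline {
    param([string]$Filter = "*", [string]$Path = $baselineFile)
    Get-EventLogLevel |
        where { $_.Identity -like $Filter } |
        select @{Name = "Identity";   Expression = { $_.Identity.ToString() }},
               @{Name = "EventLevel"; Expression = { $_.EventLevel.ToString() }} |
        Export-Csv -Path $Path -NoTypeInformation
}

# Put each recorded item back to its recorded level.
# Only items whose level has changed are touched; each change is reported.
function Restore-EventLogLevelBaseline {
    param([string]$Path = $baselineFile)
    $current = @{}
    Get-EventLogLevel | foreach {
        $current[$_.Identity.ToString()] = $_.EventLevel.ToString()
    }
    Import-Csv -Path $Path | foreach {
        if ($current[$_.Identity] -ne $_.EventLevel) {
            Set-EventLogLevel -Identity $_.Identity -Level $_.EventLevel
            "{0}: {1} -> {2}" -f $_.Identity, $current[$_.Identity], $_.EventLevel
        }
    }
}

# 1. Snapshot the Public Folder items before changing anything.
$filter = "MSExchangeIS\9001 Public\*"
Save-EventLogLevelBaseline -Filter $filter

# 2. Raise logging for the troubleshooting session (same command as in the article).
Get-EventLogLevel | where { $_.Identity -like $filter } | Set-EventLogLevel -Level 5

# 3. Reproduce the problem and review the Application event log, then restore.
Restore-EventLogLevelBaseline
```

Because the baseline is a plain CSV file, it also survives a closed shell session and can be kept as a record of what the server's intended logging levels were.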

I hope that helps demystify Exchange Server 2007 diagnostic logging commands and helps you make use of this feature when troubleshooting any server issues you are having.

About Paul Cunningham

Paul is a Microsoft Exchange Server specialist for one of Australia's largest companies, and is the Publisher of ExchangeServerPro.com. He is also an MCP, MCSA, MCSE, MCTS, and an MCITP for Exchange Server 2007/2010.

Comments

  1. Frank says:

    Now where do I go to view the logs?

  2. Paul says:

    Hi Frank,

    Once you have enabled diagnostic logging the log entries will appear in the Application Event Log on the server.

  3. MSM says:

    Thanks Paul

    Can I know if any Exchange admin changed the logging level?

    Is there any log written in the event log when this happens?
