This article describes a method to troubleshoot sudden mass transaction log generation in Microsoft Exchange, which causes back pressure once the transaction log drives fill up.
TechNet covers a number of ways to troubleshoot this issue here using ExMon and IIS log parsing. However, if these methods yield no results there is another way: read directly from the transaction log files themselves to identify the rogue accounts causing the growth.
If you have ever opened a transaction log in Notepad you would be forgiven for thinking there is no readable information in there. However, there is!
We can use some UNIX tools on Windows to extract the printable strings from a sample of log files (e.g. the latest 200 transaction logs) and look for patterns of excessive use. This is how you do it.
- Download the “Unix for Win32” utilities from http://downloads.sourceforge.net/unxutils/UnxUtils.zip?modtime=1172730504&big_mirror=0
- Move all .exe files from the UnxUtils\usr\local\wbin subdirectory to C:\UNIX
- Download strings.exe from http://live.sysinternals.com/strings.exe, and place strings.exe into C:\UNIX
- Make a C:\TMP directory
- Make a directory for all your transaction log files, and place all the logs in there (copy them; do not move the live logs out of the database's log folder)
- From an administrative command prompt, navigate to your C:\UNIX directory
- Run the following command:
strings -n 16 C:\Users\User1\Documents\LOGFILES\*.log | cut -f3 -d: | sort /rec 65535 | uniq -c | sort /rec 65535 | tee c:\Users\User1\Documents\log-output.wri
What this is doing:
- Extracts every printable string of at least 16 characters (strings -n 16) from all of the log files and keeps the third colon-separated field of each (cut -f3 -d:)
- Sorts the output
- Counts the duplicates (uniq -c) and sorts again so the values are ordered by how often they occur
- Writes the output to a file (tee) while still showing it on screen
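As an added illustration (not code from the original article), here is a Python script that performs the same pipeline, strings -n 16 | cut -f3 -d: | sort | uniq -c | sort, over log contents, with a constructed sample in place of real Exchange logs; the record layout in the sample and the names are hypothetical.

```python
import re
from collections import Counter
from pathlib import Path

MIN_LEN = 16  # same minimum string length as "strings -n 16" in the article
# Printable-ASCII runs and UTF-16LE runs: the two string forms Sysinternals strings reports.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def extract_strings(data: bytes) -> list:
    """Every printable string of at least MIN_LEN characters in data (strings -n 16)."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found

def third_field(line: str):
    """Emulate 'cut -f3 -d:': whole line when there is no ':', the third field when
    there are three or more, and None (an empty line in cut) otherwise."""
    if ":" not in line:
        return line
    parts = line.split(":")
    return parts[2] if len(parts) >= 3 else None

def count_log_strings(blobs) -> list:
    """The article's pipeline over in-memory log contents: strings | cut | sort | uniq -c | sort.
    Returned most-frequent first so the noisiest value sits at the top."""
    counts = Counter()
    for data in blobs:
        for s in extract_strings(data):
            field = third_field(s)
            if field:
                counts[field] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def count_log_dir(log_dir: str) -> list:
    """Same over the *.log files in a directory, e.g. a copy of the latest 200 transaction logs."""
    return count_log_strings(p.read_bytes() for p in sorted(Path(log_dir).glob("*.log")))

# Constructed sample data (hypothetical record layout, not the real ESE log format):
# binary padding with a few embedded ASCII and UTF-16LE records.
SAMPLE_LOGS = [
    b"\x00\x07\xff" + b"MSG:Mailbox:Jonathan Caldwell\x00" * 5 + b"\x10\x11",
    b"\xab" + ("MSG:Mailbox:Julia Greenwood".encode("utf-16-le") + b"\x00\x00") * 3
    + b"IPM.Note.EnterpriseVault.PendingArchive\x00" * 2,
    b"short:txt\x00" + b"\x01" * 8 + b"MSG:Mailbox:Jonathan Caldwell",
]

if __name__ == "__main__":
    for value, n in count_log_strings(SAMPLE_LOGS):
        print(f"{n:7d} {value}")  # 6 Jonathan Caldwell, 3 Julia Greenwood, 2 IPM.Note...
```

Point count_log_dir at a folder of copied logs to get the same table the article's command produces; strings shorter than 16 characters never reach the count, which is why short binary noise drops out.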
Here is an example of the output on the command line:
So what we can see here, in the 200 log files analysed, is 5161 entries for “Jonathan Caldwell” and 4042 entries for “Julia Greenwood”. We can use this information to deduce where the problem lies, for example by checking those users' ActiveSync devices for any mail stuck in the Outbox, or by disabling MAPI access for the user to see whether the excess log generation stops.
Note that “IPM.Note.EnterpriseVault.PendingArchive” appearing in the output could also point to Symantec Enterprise Vault causing an issue, with items failing to archive and generating logs.