Exchange Transaction Log Growth, Parsing Transaction Logs with UNIX Tools

This article describes a method to troubleshoot sudden mass transaction log generation in Microsoft Exchange, which causes back pressure as the transaction log drives fill up.

TechNet covers a number of ways to troubleshoot this issue using ExMon and IIS log parsing. However, if these methods yield no results, there is another way: read directly from the transaction log files themselves to identify rogue accounts causing the growth.

If you have ever opened a transaction log in Notepad, you would be forgiven for thinking there is no readable information in there. However, there is!


We can use some UNIX tools in Windows to parse the strings from a sample of log files (e.g. the latest 200 transaction logs) to see any patterns of excessive use, and this is how you do it.

strings -n 16 C:\Users\User1\Documents\LOGFILES\*.log | cut -f3 -d: | sort /rec 65535 | uniq -c | sort /rec 65535 | tee c:\Users\User1\Documents\log-output.wri

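What this is doing:

  • Collects all strings of at least 16 characters from all of the log files
  • Keeps the third colon-delimited field of each line
  • Sorts the output
  • Counts the duplicates
  • Sorts again, this time by count
  • Writes an output file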

Here is an example of the output in the command line


So what we can see here, in the 200 log files analysed, is 5161 entries for “Jonathan Caldwell” and 4042 entries for “Julia Greenwood”. We can use this information to deduce where the problem lies, for example by checking the users' ActiveSync devices for any mail stuck in the outbox, or by disabling MAPI access for the user to see if the excess log generation stops.

Note that “IPM.Note.EnterpriseVault.PendingArchive” entries could also point to Symantec Enterprise Vault causing an issue, with items failing to archive and generating logs.
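The same counting can be done in one script where the UNIX tools are not available. This is an added example, not part of the original article: it goes slightly further than the command above by extracting both ASCII and UTF-16LE strings of at least 16 characters, and it counts whole strings rather than applying the cut step. The sample bytes and display names are constructed, and the UTF-16LE handling is an assumption about how names are stored in the logs.

```python
import re
import sys
from collections import Counter
from pathlib import Path

MIN_LEN = 16  # same threshold as `strings -n 16`
# Printable runs stored one byte per character (ASCII) ...
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# ... or two bytes per character (UTF-16LE: printable byte followed by NUL).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Yield printable strings of at least MIN_LEN characters found in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def count_strings(blobs):
    """Count how often each extracted string occurs across all log contents."""
    counts = Counter()
    for blob in blobs:
        counts.update(s.strip() for s in extract_strings(blob))
    return counts


def report(counts, top=20):
    """Return 'count string' lines, most frequent first (like uniq -c + sort)."""
    return [f"{n:7d} {s}" for s, n in counts.most_common(top)]


def _u(text):
    return text.encode("utf-16-le")


# Constructed bytes standing in for two log files; not real Exchange data.
SAMPLE_LOGS = [
    b"\x01\x02" + _u("Sample Mailbox User A") + b"\x00\x00\x9c"
    + b"short ascii\x00\x00\x05" + _u("Sample Mailbox User A") + b"\x00\x00\xff",
    b"\x7f\x00IPM.Note.EnterpriseVault.PendingArchive\x00\x03"
    + _u("Sample Mailbox User A") + b"\x00\x00"
    + _u("Sample Mailbox User B") + b"\x00\x00",
]

if __name__ == "__main__":
    # Pass a folder of copied *.log files, or run with no argument for the sample.
    if len(sys.argv) > 1:
        blobs = (p.read_bytes() for p in Path(sys.argv[1]).glob("*.log"))
    else:
        blobs = SAMPLE_LOGS
    print("\n".join(report(count_strings(blobs))))
```

Run it against a copy of the sampled log files rather than the live log drive.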

365 Guy

Microsoft Infrastructure Consultant @ Novosco. Specialising in Office 365, Azure AD & Exchange Server.
