Ah. The IIS logs (and in another case the SMTP logs) were sufficient for me to determine the culprits and make the necessary decisions.
Kurt On Mon, Jan 30, 2012 at 07:15, Michael B. Smith <[email protected]> wrote: > You can still use the IIS logs (if you have them turned on) to see data > VOLUME - which can track user, source ip, data read, data written, etc. > > However, that doesn't allow you to see actual data CONTENT. > > The process described here allows you to examine content. > > Regards, > > Michael B. Smith > Consultant and Exchange MVP > http://TheEssentialExchange.com > > > -----Original Message----- > From: Kurt Buff [mailto:[email protected]] > Sent: Friday, January 27, 2012 10:00 AM > To: MS-Exchange Admin Issues > Subject: Re: Analysing e2k10 transaction logs > > That's interesting - the problems I had under E2003 with exploding > logs were in logs that are human readable. I did not know that might > change under E2010. > > Kurt > > On Thu, Jan 26, 2012 at 20:51, Richard Stovall <[email protected]> wrote: >> I think the OP is referring to the Exchange database's transaction logs, >> which are not human readable text. >> >> That said, I did run across the link below by Googling "exchange transaction >> log parser." It mentions 2007, but may be applicable to 2010 as well. >> Basically, the author uses the *nix strings command to find readable text >> and then slices and dices the output a bit. It's very much like what Kurt >> proposes, but takes into account that the Exchange logs are not pure text. >> Looks very useful, actually. The comments are worth reading too, as is >> often the case. >> >> http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx >> >> >> >> On Thu, Jan 26, 2012 at 6:57 PM, Kurt Buff <[email protected]> wrote: >>> >>> If that's a single file, I'd use a file splitter to make that into about >>> 1,000 files, and then take the first 20 lines out of each file. >>> >>> Enumerating the users in those lines should show you which account is >>> generating the the bulk of the lines. I'd get a count of the lines in those >>> files with 'wc', as well. >>> >>> Get 'split' and 'wc' from http://gnuwin32.sf.net or http://unxutils.sf.net >>> >>> If it's not immediately obvious from the above, then, with some findstr >>> (or grep) magic in conjunction with 'wc' you can start to winnow down the >>> list. >>> >>> If you want to get a bit more sophisticated, 'cut' and 'sed along with the >>> above tools do yeoman work as well. >>> >>> Lastly, if you've not used it before, the MSFT tool logparser can help - >>> there are tutorials around on how to use it. >>> >>> Kurt >>> >>> On Wed, Jan 25, 2012 at 08:19, Joseph L. Casale >>> <[email protected]> wrote: >>>> >>>> >>>> I am offsite, but have access to a copy of about 10gig of transaction >>>> logs that got created within a couple hours. >>>> Anyone know how to analyze the logs themselves for an idea of who/what >>>> created that mess in case I should be have someone remotely disable a user >>>> for example? >>>> >>>> Thanks, >>>> jlc >>>> --- >>>> To manage subscriptions click here: >>>> http://lyris.sunbelt-software.com/read/my_forums/ >>>> or send an email to [email protected] >>>> with the body: unsubscribe exchangelist >>>> >>> >>> --- >>> To manage subscriptions click here: >>> http://lyris.sunbelt-software.com/read/my_forums/ >>> or send an email to [email protected] >>> with the body: unsubscribe exchangelist >> >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to [email protected] >> with the body: unsubscribe exchangelist > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe exchangelist > > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe exchangelist
