
Log Parser Studio provides flexibility for Exchange troubleshooting

Administrators can use the default queries in Log Parser Studio, or modify existing ones, to analyze logs and troubleshoot Exchange issues.

Despite the automated maintenance features in Exchange 2013 and Exchange 2016, managing the server still requires a skilled administrator. When an Exchange deployment fails or messages stop flowing, the admin needs to solve the problem quickly. When these challenges arise, most Exchange administrators rely on tools and techniques that have worked consistently.

Log Parser and its GUI front-end Log Parser Studio are two tools that use queries and create reports to help admins troubleshoot various issues in the Exchange environment.

Log Parser pulls information from various sources

Log Parser is a command-line tool that can analyze text-based files, such as log files, XML or CSV files, to help with troubleshooting or reporting.

It also runs queries directly on various sources such as the file system and Active Directory.

Using a SQL-like query language, Log Parser retrieves information from logs, processes it and outputs the results to a SQL database table or a chart image. Its SQL-like language also contains functions that help construct useful queries, such as filename parsing and IP address resolution. Other functions extract the date or time part of a textual date-time field, which can be used, for example, to group rows per date.

Getting acquainted with Log Parser

It's best to start with Log Parser Studio, the GUI front end, which requires the separately available Log Parser. Log Parser Studio contains more than 180 built-in queries for IIS and Exchange log files and covers typical Exchange scenarios, such as finding the top usage for ActiveSync devices or producing reports on throttled devices. Administrators can customize the queries for their environments and needs.

Figure 1. A listing of the built-in queries in Log Parser Studio.

To start, double-click one of the built-in queries. A new tab opens and shows the related query in the bottom pane. You can select one or more logs, or the location where the logs are kept.

Log Parser Studio's built-in log types are tied to the built-in queries. In the example below, the log type is EELLOG, which stands for Exchange Extensible Log. The log type defines how to interpret the data, including how many lines to skip.

Some queries require specifying additional details, such as the Mailbox or User ID. To customize an existing query, click the orange lock icon to switch it from read-only mode.

Figure 2. Use Log Parser Studio to execute a query, then sort through the results.

After editing the query, click the execute button -- the icon with the exclamation mark -- to run it. Log Parser Studio will run the underlying Log Parser command and show the result in a grid.

I ran a query against the Remote Procedure Call (RPC) Client Access logs, a breakdown on the MAPI clients and versions (Figure 2). The top clients reported are searchprotocolhost.exe, part of Windows Desktop Search; and archivetask.exe, which is used by the Enterprise Vault archiving task. Both comprise more than 75% of the logged RPC entries, so that might require further investigation. You can navigate through the results and look for ways to make further modifications.
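To show what such a client/version breakdown involves, here is a plain-Python stand-in for the Log Parser Studio query described above. It is an added example, not code from the article or from Log Parser Studio; the header layout follows the Exchange Extensible Log convention (comment lines, then a #Fields line naming the columns), the column names client-software and client-software-version are assumed, and the log excerpt is constructed.

```python
"""Group RPC Client Access log entries by client software and version.

Added example: a Python stand-in for the Log Parser Studio query on the
RCA logs. Column names client-software / client-software-version are
assumed; the log excerpt below is constructed, not captured from a server.
"""
import csv
from collections import Counter

# Constructed excerpt of an RPC Client Access log in EELLOG layout.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: RCA Protocol Logs
#Date: 2016-03-01T00:00:00.000Z
#Fields: date-time,client-software,client-software-version,operation
2016-03-01T08:00:01.000Z,searchprotocolhost.exe,7.0.7601.17610,Connect
2016-03-01T08:00:02.000Z,archivetask.exe,11.0.1.2375,Connect
2016-03-01T08:00:03.000Z,searchprotocolhost.exe,7.0.7601.17610,Logon
2016-03-01T08:00:04.000Z,outlook.exe,15.0.4797.1000,Connect
2016-03-01T08:00:05.000Z,archivetask.exe,11.0.1.2375,Logon
2016-03-01T08:00:06.000Z,searchprotocolhost.exe,7.0.7601.17610,Execute
2016-03-01T08:00:07.000Z,archivetask.exe,11.0.1.2375,Execute
2016-03-01T08:00:08.000Z,outlook.exe,15.0.4797.1000,Logon
2016-03-01T08:00:09.000Z,searchprotocolhost.exe,7.0.7601.17610,Execute
"""

def parse_eel(text):
    """Return one dict per data row; column names come from the #Fields line.
    Other '#' header lines are the ones a Log Parser log type skips."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appeared before the #Fields header")
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows

def client_breakdown(rows):
    """Count entries per (client-software, client-software-version), busiest first."""
    pairs = ((r["client-software"], r["client-software-version"]) for r in rows)
    return Counter(pairs).most_common()

def top_share(breakdown, n=2):
    """Fraction of all entries produced by the n busiest client/version pairs."""
    total = sum(hits for _, hits in breakdown)
    return sum(hits for _, hits in breakdown[:n]) / total if total else 0.0

if __name__ == "__main__":
    breakdown = client_breakdown(parse_eel(SAMPLE_LOG))
    for (client, version), hits in breakdown:
        print(f"{client:<25}{version:<18}{hits}")
    print(f"top two clients account for {top_share(breakdown):.1%} of entries")
```

A share this concentrated in non-interactive clients is the kind of result that, as the text notes, warrants a closer look before assuming the volume is user traffic.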

Figure 3. Log Parser Studio can export queries as a PowerShell script.

To use queries again, export the query as a PowerShell script (Figure 3). Aside from the Log Parser requirement, the script runs by itself. This feature enables administrators to create repeatable queries, such as those that provide input for reports.
