How to monitor and forward message tracking logfiles from Microsoft Exchange Server using MonitorWare Agent.
Article created 2008-05-09 by Andre Lorbach.
This article will guide you in how to monitor and forward message tracking logfiles from Microsoft Exchange Server using syslog over tcp. As receiver you have the choice of using different applications like WinSyslog, MonitorWare Agent or even open source projects like rsyslog.
- You can download a preconfigured configuration from here, which you can import on your target system. The configuration sample will have comments for better understanding. The MonitorWare Agent client can import the XML/REG configuration file by using the “Computer Menu”.
If message tracking is enabled in Exchange Server, the logfiles are created daily by default and contain informations about each message which is routed through the Exchange server. Depending on the workload of your server, you may need to delete the logfiles from time to time to save harddisk space. But you need a backup of these logfiles in case you need to review them. This is where MonitorWare Agent comes into play. The File Monitor of MonitorWare Agent can be easily used to forward the message tracking logfiles to a syslog repository.
1. Exchange Server preparations
1.1 Enabling Message tracking logging in Exchange Server
2. Installing and Configuring MonitorWare Agent
2.1 Download and Install MonitorWare Agent
2.2 Setup up basic MonitorWare Agent configuration
2.3 Configure the Foward Syslog Action.
If already enabled, you can skip this step.
To enable message tracking logging, kindly check the “Enable message tracking” option.
Optionally you can select “Remove log files” option and define how old the logfiles have to be in order to get deleted. You may also change the log file directory, may be to another hard disk, in order to save the space on the main hard disk.
|If enabled, Exchange Server creates one message tracking logfile per day. As you can see in the date modified column, Exchange Server is using UTC and not localtitme to create the logfiles. My testmachine is running with European central time which is GMT+1 and GMT+2 daylight saving time (which is currently set).|
|So if you haven’t done so already, go to www.mwagent.com and download the latest MonitorWare Agent version. It is always recommended to use the latest Version of MonitorWare Agent. Once the download is done, go ahead and install it. You may have to restart after installation, this depends on your system.|
|Start the MonitorWare Agent client and skip the wizard on startup. First we create new “File Monitor” service and name it “Exchange File Monitor”.
Then use the browse button to select the directory which contains the message tracking logfiles. Kindly select one of the logfiles and replace its name with this string: %Y%m%d.log
This will automatically match the logfiles each day, %Y will match the year, %m the month and %d the current day.
It is also important to select UTC as Timemode for the filename, as I already mentioned in step 1.1, the Exchange server used UTC (GMT) to create the logfiles.
Now click on the Advanced Options, and the following dialog will appear. In this dialog, enable the option “ignore empty lines”. The message tracking logfiles sometimes contain empty lines between the logfiles, so this option will remove them automatically.
Make sure that you use only “\n” as message separation sequence, as the typical Windows “\r\n” is not used in the message tracking logfiles.
|The last step is to configure the forward syslog action, first create a new Rule and name it ForwardSyslog. Then create a new Forward Syslog Action and call it Repository for example. You also see a InterActive Action in the sample screenshot here, this is a helper action which forwards to the local InterActive Syslogviewer, which is also installed with MonitorWare Agent by default.
As I wrote in the beginning of this article, there are several syslog products available which can be used as receiver. On Windows, we recommend to use WinSyslog or MonitorWare Agent. On Unix based systems, we recommend to use rsyslog, which is open source of course ! Rsyslog is available on many plattforms and integrated in many package systems.
All these syslog products are able to receive syslog message over tcp and also in a persistent connection.
I hope this article will help you solving your tasks and shows you the potential of MonitorWare Agent, and what you can archive with it. Feel free to email me for recommendations or questions.