How to monitor and forward message tracking logfiles from Microsoft Exchange Server using MonitorWare Agent.
Article created 2008-05-09 by Andre Lorbach.
This article will guide you through monitoring and forwarding message tracking
logfiles from Microsoft Exchange Server using syslog over TCP. As receiver, you
can choose between different applications such as WinSyslog, MonitorWare Agent,
or even open source projects like rsyslog.
- You can download a preconfigured configuration from here, which you can import
  on your target system. The configuration sample has comments for
  better understanding. The MonitorWare Agent client can
  import the XML/REG configuration file by using the "Computer Menu".
If message tracking is enabled in Exchange Server, the logfiles are created
daily by default and contain information about each message that is routed
through the Exchange server. Depending on the workload of your server, you may
need to delete the logfiles from time to time to save hard disk space. But you
still need a backup of these logfiles in case you have to review them. This is where
MonitorWare Agent comes into play. The File Monitor of MonitorWare Agent can
easily be used to forward the message tracking logfiles to a syslog repository.
1. Exchange Server preparations
1.1 Enabling Message tracking logging in Exchange Server
2. Installing and Configuring MonitorWare Agent
2.1 Download and Install MonitorWare Agent
2.2 Set up basic MonitorWare Agent configuration
2.3 Configure the Forward Syslog Action
Final Thoughts

If already enabled, you can skip this step.
To enable message tracking logging, kindly check the "Enable message
tracking" option.
Optionally, you can select the "Remove log files" option and define
how old the logfiles have to be in order to get deleted. You may also change the
log file directory, for example to another hard disk, in order to save space on
the main hard disk.
If enabled, Exchange Server creates one message tracking logfile per day. As you
can see in the date modified column, Exchange Server is using UTC and not
local time to create the logfiles. My test machine is running with Central
European Time, which is GMT+1, and GMT+2 during daylight saving time (which is
currently set).
So if you haven't done so already, go to www.mwagent.com and download
the latest MonitorWare Agent version. It is always recommended to use the latest
version of MonitorWare Agent. Once the download is done, go ahead and install
it. You may have to restart after installation; this depends on your system.
Start the MonitorWare Agent client and skip the wizard on startup. First, we create a new
"File Monitor" service and name it "Exchange File Monitor".
Then use the browse button to select the directory which contains the message
tracking logfiles. Kindly select one of the logfiles and replace its name with
this string: %Y%m%d.log
This will automatically match the logfiles each day: %Y will match the year, %m
the month and %d the current day.
It is also important to select UTC as Timemode for the
filename. As I already mentioned in step 1.1, the Exchange server uses UTC (GMT)
to create the logfiles.

Now click on the Advanced Options, and the following dialog will appear.
In this dialog, enable the option "ignore empty lines". The message tracking
logfiles sometimes contain empty lines between entries, so this option
will remove them automatically.
Make sure that you use only "\n" as message separation
sequence, as the typical Windows "\r\n" is not used in the
message tracking logfiles.
The last step is to configure the forward syslog action. First create a new Rule and
name it ForwardSyslog. Then create a new Forward Syslog Action
and call it Repository, for example. You also see an
InterActive Action in the sample screenshot here. This is a helper
action which forwards to the local InterActive Syslogviewer, which is also
installed with MonitorWare Agent by default.
As I wrote in the beginning of this article, there are several syslog products
available which can be used as receiver. On Windows, we recommend using
WinSyslog or MonitorWare Agent. On Unix-based systems, we recommend using
rsyslog, which is open source of course ;)! Rsyslog is available on many platforms
and integrated in many package systems.
All these syslog products are able to receive syslog messages over TCP, also
over a persistent connection.
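The File Monitor settings from step 2.2 and the forwarding configured in this step, modelled in Python as an added example (this is not MonitorWare Agent code and not part of the original article). It shows which file name %Y%m%d.log resolves to in UTC versus local time shortly after local midnight, what a "\r\n" separator does to "\n"-terminated records, and one LF-terminated line per record for the TCP stream. The RFC 3164 style layout, the host name EXCH01, the tag, the priority and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def tracking_log_name(now, use_utc=True):
    """Resolve the File Monitor pattern %Y%m%d.log for an aware datetime."""
    stamp = now.astimezone(timezone.utc) if use_utc else now
    return stamp.strftime("%Y%m%d.log")

def split_records(raw, sep="\n"):
    """Split on the separation sequence; drop empty or whitespace-only lines."""
    return [rec for rec in raw.split(sep) if rec.strip()]

def to_syslog_frames(records, host, when, tag="exchange", pri=134):
    """Build one LF-terminated line per record, ready to write to a TCP socket.

    Assumed layout (RFC 3164 style): <PRI>Mmm dd hh:mm:ss host tag: msg
    pri 134 = facility local0 (16) * 8 + severity info (6).
    """
    ts = when.strftime("%b %d %H:%M:%S")
    return [f"<{pri}>{ts} {host} {tag}: {rec}\n".encode("utf-8")
            for rec in records]

# Constructed sample: 00:30 local time on a GMT+2 machine.
CEST = timezone(timedelta(hours=2))
NOW = datetime(2008, 5, 10, 0, 30, tzinfo=CEST)

# Constructed file content: "\n" line ends with one empty line in between.
RAW = ("# constructed header\n\n"
       "msg-1\tsender@example.com\n"
       "msg-2\tother@example.com\n")

if __name__ == "__main__":
    # Exchange is still writing to the UTC-named file at this moment.
    print("UTC name:  ", tracking_log_name(NOW))
    # A local-time pattern already points at a file that does not exist yet.
    print("local name:", tracking_log_name(NOW, use_utc=False))
    for frame in to_syslog_frames(split_records(RAW), "EXCH01", NOW):
        print(frame)
    # With "\r\n" as separator the whole file collapses into one record.
    print("records with CRLF separator:", len(split_records(RAW, sep="\r\n")))
```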
I hope this article will help you solve your tasks and shows you the
potential of MonitorWare Agent, and what you can achieve with it. Feel free to
email me for recommendations or questions.