Microsoft Exchange

The parser included in Logmanager can process the transport of logs from Microsoft Exchange (versions 2010 to 2019), with a specific focus on Message tracking record - necessary to observe the SMTP part of the email delivery flow.

Message tracking record logs monitor the message activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. You can use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.

In order to process logs from Microsoft Exchange Message tracking correctly, there are four requirements:

Check if log creation is enabled in Microsoft Exchange documentation. Some versions create logs by default, some need the creation of message-tracking record logs to be first enabled in their configuration. Follow Microsoft Exchange documentation.

Links to the versions of the Microsoft documentation:
- Exchange 2019 - https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/configure-message-tracking?view=exchserver-2019
- Exchange 2016 - https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/configure-message-tracking?view=exchserver-2016
- Exchange 2013 - https://docs.microsoft.com/en-us/exchange/configure-message-tracking-exchange-2013-help
- Exchange 2010 - https://docs.microsoft.com/cs-cz/samples/browse/?redirectedfrom=TechNet-Gallery
Record directory, where the log in text files are stored. Suggested approach: Check the content of this directory. If already full of old log files, please back up the existing content to a different folder and delete from this directory logs older than 1 month before proceeding to step 2.
Install the Logmanager Beats agent on Exchange server.
To collect message tracking logs, add an agent rule: In Logmanager Sources/Beats agents, find the server by its hostname and click the blue pencil icon to edit it.
1. In the Log files – click the green button: + Add.
2. Select Template – Exchange.
3. In file path – paste the directory where text logs are located, followed by MSGTRK2*.LOG (to collect only from files of our interest).
4. Keep the tag “exchange” in the Tags field - according to this tag, Logmanager will automatically parse logs into the correct parser.
5. Optionally, you can add your own tags (comma-separated values).
6. Click OK and save the agent configuration. If the filebeat state is set to auto, it will be started automatically once it receives a configuration update (unless it’s already running).
7. Optionally restart the logmanager-orchestrator-service on the given host to speed up agent configuration refresh.

If you delete the tag “exchange” from the log files configuration, your data will not be parsed correctly.

Proposed agent configuration in the screenshot below: