
Using Log Parser and Protocol Logs to Analyze Send Connector Usage


An Exchange organization may have send connectors that are believed to be no longer in use, for example a send connector used for shared SMTP namespace.

However, when you are planning the removal of a send connector there is the concern that some email traffic may still be using it, so you want to investigate further before making your change.

One way of determining send connector usage is to analyze protocol logs. If you're not already familiar with protocol logging, I wrote an article about it that is a good starting place.

To begin with you should check whether your send connector has protocol logging enabled.

[PS] C:\>Get-SendConnector "Name of Send Connector" | fl ProtocolLoggingLevel
ProtocolLoggingLevel : Verbose

There are two possible values: None (off) or Verbose (on). If protocol logging is not already set to Verbose you can turn it on using Set-SendConnector.

[PS] C:\>Set-SendConnector "Name of Send Connector" -ProtocolLoggingLevel Verbose

A default protocol logging configuration will retain 30 days' worth of logs, but you can start analyzing them after a day or so if that is all the time you think you will need to discover any systems still using the connector. For less-used connectors, the longer you wait the better your chance of capturing something.

Using Log Parser to View Send Connector Hits in Protocol Logs

We can use a Log Parser query to search through the protocol logs and count the “hits” for each connector, because one of the fields in the log file is the “connector-id”.

SELECT connector-id,
       Count(*) as Hits
from *.log
WHERE data LIKE '%EHLO%'
GROUP BY connector-id
ORDER BY Hits DESC

To run this query, open Log Parser and navigate to the folder containing the send connector protocol logs. By default on an Exchange 2010 server this is C:\Program Files\Microsoft\Exchange\V14\TransportRoles\Logs\ProtocolLog\SmtpSend; refer to the protocol logging article if you need more help finding the path on your server. Then run the command:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT connector-id,Count(*) as Hits from *.log WHERE data LIKE '%EHLO%' GROUP BY connector-id ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
connector-id          Hits
--------------------- -----
Internet              70556
Shared Domains        152
Fax Gateway           4
Statistics:
-----------
Elements processed: 1469279
Elements output:    4
Execution time:     4.52 seconds

Using Log Parser to Analyze Email Traffic on a Send Connector

As you can see in the output above, the “Shared Domains” connector has registered a small number of hits. To dig into that further we can use Log Parser again to query the logs for the “RCPT TO” command used in each SMTP transaction, which will tell us the recipient email address.

SELECT data,
       Count(*) as Hits
from *.log
WHERE connector-id = 'Shared Domains'
AND data LIKE '%RCPT TO%'
GROUP BY data
ORDER BY Hits DESC

Again, running from Log Parser after navigating to the SmtpSend folder:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%RCPT TO%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1

You should see output similar to this.

data                                         Hits
-------------------------------------------- ----
RCPT TO:                                     18
RCPT TO: ORCPT=rfc822;david@domain.com.au    6
RCPT TO: ORCPT=rfc822;peter@domain.com.au    5
RCPT TO: ORCPT=rfc822;cathy@domain.com.au    4
RCPT TO: ORCPT=rfc822;michael@domain.com.au  4
RCPT TO: ORCPT=rfc822;michelle@domain.com.au 4
RCPT TO: ORCPT=rfc822;donna@domain.com.au    3
RCPT TO: ORCPT=rfc822;jacinta@domain.com.au  3

Knowing which recipients are still receiving email that is going over a particular send connector can be very useful in tracking down any stragglers among the mailboxes or applications that the connector was originally set up for, but that have not been migrated properly.
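
The two Log Parser passes above (hits per connector, then recipients on one connector) can also be done in a single pass from the Exchange Management Shell. This is an added example, not code from the original article: the function name Get-SendConnectorUsage and the sample log lines are constructed for illustration, and the column names are read from the log's own #Fields header rather than by skipping a fixed number of lines.

```powershell
# Constructed sample in the SmtpSend protocol log layout; hosts, IPs and
# addresses are placeholders, not real traffic.
$sample = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2014-01-15T00:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-01-15T01:02:03.100Z,Shared Domains,08D0A1B2C3D4E5F6,2,10.0.0.5:4021,192.0.2.10:25,>,EHLO mail.example.com,
2014-01-15T01:02:03.400Z,Shared Domains,08D0A1B2C3D4E5F6,9,10.0.0.5:4021,192.0.2.10:25,>,MAIL FROM:<app@example.com> SIZE=4096,
2014-01-15T01:02:03.500Z,Shared Domains,08D0A1B2C3D4E5F6,11,10.0.0.5:4021,192.0.2.10:25,>,RCPT TO:<david@example.net>,
2014-01-16T07:30:00.000Z,Shared Domains,08D0A1B2C3D4E5F7,2,10.0.0.5:4188,192.0.2.10:25,>,EHLO mail.example.com,
2014-01-16T07:30:00.300Z,Shared Domains,08D0A1B2C3D4E5F7,11,10.0.0.5:4188,192.0.2.10:25,>,RCPT TO:<Cathy@example.net>,
2014-01-16T09:00:00.000Z,Internet,08D0A1B2C3D4E600,2,10.0.0.5:4200,198.51.100.7:25,>,EHLO mail.example.com,
'@ -split "`r?`n"

function Get-SendConnectorUsage {
    param([string[]]$Line)

    # Column names come from the #Fields header line of the log itself.
    $header = $Line | Where-Object { $_ -like '#Fields: *' } | Select-Object -First 1
    $fields = $header.Substring('#Fields: '.Length).Split(',')
    $rows   = $Line | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $fields

    $rows | Group-Object -Property 'connector-id' | ForEach-Object {
        $g = $_
        # event '>' marks data this server sent to the remote host.
        $sent     = @($g.Group | Where-Object { $_.event -eq '>' })
        $sessions = @($sent | Where-Object { $_.data -like 'EHLO *' } |
                      ForEach-Object { $_.'session-id' } | Sort-Object -Unique)
        $rcpt     = @($sent | ForEach-Object {
                      if ($_.data -match '^RCPT TO:<([^>]+)>') { $Matches[1].ToLower() }
                    } | Sort-Object -Unique)
        # New-Object PSObject keeps this usable on PowerShell 2.0 (Exchange 2010).
        New-Object PSObject -Property @{
            Connector  = $g.Name
            Sessions   = $sessions.Count
            LastSeen   = ($g.Group | Sort-Object 'date-time' | Select-Object -Last 1).'date-time'
            Recipients = $rcpt -join '; '
        }
    } | Select-Object Connector, Sessions, LastSeen, Recipients
}

Get-SendConnectorUsage -Line $sample | Sort-Object Sessions -Descending | Format-Table -AutoSize
```

From the SmtpSend folder, real logs can be passed with Get-SendConnectorUsage -Line (Get-Content *.log). The LastSeen column shows how recently each connector carried traffic, which the hit counts alone do not.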

You could do the same analysis using a search for “MAIL FROM” instead. This shows you the senders of the emails, which is also useful in some cases.

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT data,Count(*) as Hits from *.log WHERE connector-id = 'Shared Domains' AND data LIKE '%MAIL FROM%' GROUP BY data ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1

Summary

As you can see in the examples above, protocol logs contain some very useful information that can help you determine whether a send connector is still being used in your Exchange Server organization.


This article Using Log Parser and Protocol Logs to Analyze Send Connector Usage is © 2014 ExchangeServerPro.com
