
Introducing Exchange 2007/2010 Anti-Spam Agent Logging

Kenneth Spiteri


Kenneth is an Exchange Administrator who loves to share anything he finds interesting with the rest of the community. He also helps with the administration of the site.


When monitoring or troubleshooting the built-in Exchange 2007/2010 anti-spam filters, one lesser-known feature that can make a big difference is agent logging. Today we start exploring this functionality and how to configure it.

Agent logging is enabled by default on both Exchange 2007 and 2010. So if you are running the anti-spam agents but have never played with this feature, an excellent starting point is to open one of the files under:
<Program Files>\Microsoft\Exchange Server\v14\TransportRoles\Logs\AgentLog\

The logs will be located on the Edge or Hub Transport server where the anti-spam agents are running. Here is what the raw log file looks like.

[Screenshot: Raw Agent Log File]

Even better, instead of looking at the raw log, we could use the Get-AgentLog cmdlet. This is helpful when searching for specific information. However, for today we won't discuss this cmdlet.

To get an idea of the information included in this log here is the list of field names:
Timestamp, SessionId, LocalEndpoint, RemoteEndpoint, EnteredOrgFromIP, MessageId, P1FromAddress, P2FromAddresses, Recipient, NumRecipients, Agent, Event, Action, SmtpResponse, Reason, ReasonData, Diagnostics

Which of these fields gets populated depends on the anti-spam agent generating the log entry. As you will know, Exchange includes a number of anti-spam agents, each of which plugs into the email flow at a different stage. The Content Filter Agent processes an incoming email only after it has been completely received, so this agent is in a position to be very informative. The Connection Filter Agent, on the other hand, processes emails at a much earlier stage, since its filtering logic is mostly based on the IP address of the remote host sending the email, so this agent will be less informative.

To highlight this point, let's have a look at two log entries: one generated by the Content Filter and one by the Connection Filter.

Field Name       | Content Filter Agent Log  | Connection Filter Agent Log
-----------------|---------------------------|----------------------------
Timestamp        | 2012-02-26T09:51:42.968Z  | 2012-02-26T09:47:57.269Z
SessionId        | 08CEC282DA2C4CFE          | 08CEC282DA2C4CFD
LocalEndpoint    | 192.168.30.60:25          | 192.168.30.60:25
RemoteEndpoint   | 192.168.30.23:2457        | 192.168.30.67:49228
EnteredOrgFromIP | 192.168.30.23             | 192.168.30.67
MessageId        | <3340BA0E97CD42CB827...   |
P1FromAddress    | malta@exchangeinbox.com   | joe@exchangeinbox.com
P2FromAddresses  | malta@exchangeinbox.com;  |
Recipient        | user3@wtest-dom1.local    |
NumRecipients    | 1                         | 0
Agent            | Content Filter Agent      | Connection Filtering Agent
Event            | OnEndOfData               | OnMailCommand
Action           | AcceptMessage             | RejectCommand
SmtpResponse     |                           | 550 5.7.1 External client with IP address 192.168.30.67 does not have permissions to submit to this server.
Reason           | SCL                       | LocalBlockList
ReasonData       | 2                         | entry created by administrator
Diagnostics      |                           |

Here are some interesting points worth highlighting:

  1. Unlike the Content Filter, the Connection Filter does not log the MessageId, P2FromAddresses and Recipient information. None of this is available to the Connection Filter, which runs at the OnMailCommand event, before the message itself has been transmitted.

  2. The Action field shows whether the email was blocked or accepted. In this case we are looking at two different emails: one that was accepted and allowed through by the Content Filter, and one that was blocked by the Connection Filter.

  3. For rejected emails, the SmtpResponse field shows the exact rejection response returned to the sending host.

  4. The Reason and ReasonData fields are very useful when investigating why an email was rejected. Here the Connection Filter reports LocalBlockList and "entry created by administrator", a clear indication that the remote IP is configured in the static IP Block list.
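As an added example (not part of the original article), here is a small Python script that parses the raw agent log in the CSV layout described above, counts what each agent did, and pulls out the Reason/ReasonData pair for every message that was not accepted. The sample log is constructed from the two table entries; the "#"-prefixed header lines, the placeholder MessageId and the list of blocking action prefixes are assumptions.

```python
import csv
from collections import Counter

# Field list as given for the agent log; used when a file has no "#Fields:" header.
AGENT_LOG_FIELDS = ("Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,"
                    "MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,"
                    "Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics").split(",")

# Actions other than AcceptMessage that stop a message. Only RejectCommand appears
# in the article; the other prefixes are assumptions about the agent log vocabulary.
BLOCKING_PREFIXES = ("Reject", "Delete", "Quarantine", "Disconnect")

# Constructed sample, not a real capture: the two entries from the table above.
# The "#"-prefixed header lines are an assumption about the raw file layout and
# the MessageId is a placeholder.
SAMPLE_LOG = """#Log-type: Agent Log
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2012-02-26T09:51:42.968Z,08CEC282DA2C4CFE,192.168.30.60:25,192.168.30.23:2457,192.168.30.23,<msgid-placeholder@example.test>,malta@exchangeinbox.com,malta@exchangeinbox.com;,user3@wtest-dom1.local,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,2,
2012-02-26T09:47:57.269Z,08CEC282DA2C4CFD,192.168.30.60:25,192.168.30.67:49228,192.168.30.67,,joe@exchangeinbox.com,,,0,Connection Filtering Agent,OnMailCommand,RejectCommand,"550 5.7.1 External client with IP address 192.168.30.67 does not have permissions to submit to this server.",LocalBlockList,entry created by administrator,
"""

def parse_agent_log(text):
    """Return one dict per record, keyed by the field names in the #Fields header."""
    fields = list(AGENT_LOG_FIELDS)
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#"):
            rows.append(line)
    # csv handles the quoted SmtpResponse text; missing trailing fields become "".
    return [dict(zip(fields, rec + [""] * (len(fields) - len(rec)))) for rec in csv.reader(rows)]

def action_counts(records):
    """Count (Agent, Action) pairs: a quick view of what each agent is doing."""
    return Counter((r["Agent"], r["Action"]) for r in records)

def blocked_entries(records):
    """For every message that was not accepted: the remote IP, sender, agent and
    the Reason/ReasonData pair that explains the decision."""
    keys = ("EnteredOrgFromIP", "P1FromAddress", "Agent", "Reason", "ReasonData", "SmtpResponse")
    return [{k: r[k] for k in keys}
            for r in records if r["Action"].startswith(BLOCKING_PREFIXES)]

if __name__ == "__main__":
    for b in blocked_entries(parse_agent_log(SAMPLE_LOG)):
        print(f"{b['EnteredOrgFromIP']} blocked by {b['Agent']}: {b['Reason']} ({b['ReasonData']})")
```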

Configuring Agent Logging

Exchange also allows us to configure how agent logging works. There is no flashy interface, just an XML file that you will find on the Edge/Hub Transport server under:
<Program Files>\Microsoft\Exchange Server\v14\Bin\EdgeTransport.exe.config

From here we can configure:

AgentLogEnabled - (default on) turns logging on or off.

AgentLogMaxDirectorySize - (default 250 MB) the maximum total size, in bytes, of all log files in the directory. When this limit is reached, the oldest file is deleted.

AgentLogMaxFileSize - (default 10 MB) the maximum size, in bytes, of an individual log file. When this limit is reached, a new file is created.

AgentLogMaxAge - (default 30 days) the age limit of log files, in the format d.hh:mm:ss.ff (<days>.<hours>:<minutes>:<seconds>.<fraction of a second>). Files older than this limit are deleted.

The initial configuration file won't have entries for AgentLogMaxDirectorySize, AgentLogMaxFileSize and AgentLogMaxAge. For any missing values, Exchange applies the defaults.

To set a new value we need to add an element in the format:
<add key="property_name" value="property_value" />

Here is what the configuration file may look like once you configure all of the properties relevant to agent logging:

[Screenshot: EdgeTransport.exe.config]

Important: The Exchange Transport Service must be restarted for changes to take effect.
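Added example, not code from the article: a Python helper that reads a constructed stand-in for EdgeTransport.exe.config, reports the effective agent logging settings with the defaults above filled in for missing keys (a quick way to check whether logging has been switched off), parses the d.hh:mm:ss.ff age value, and adds or updates an <add key="..." value="..." /> element. Placing the keys under an <appSettings> section is an assumption, as is the sample file itself.

```python
import xml.etree.ElementTree as ET
from datetime import timedelta

# Defaults stated above; the two size keys are expressed in bytes because that is
# what the keys take (250 MB and 10 MB).
AGENT_LOG_DEFAULTS = {
    "AgentLogEnabled": "true",
    "AgentLogMaxDirectorySize": str(250 * 1024 * 1024),
    "AgentLogMaxFileSize": str(10 * 1024 * 1024),
    "AgentLogMaxAge": "30.00:00:00",
}

# Constructed stand-in for EdgeTransport.exe.config, not the real file. Placing
# the keys under <appSettings> is an assumption. Logging has been switched off and
# the size/age keys are absent, as in a freshly installed configuration.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="AgentLogEnabled" value="false" />
  </appSettings>
</configuration>
"""

def effective_agent_log_settings(config_xml):
    """Keys present in the file, with Exchange's defaults filled in for missing ones."""
    present = {a.get("key"): a.get("value")
               for a in ET.fromstring(config_xml).iterfind("appSettings/add")}
    return {k: present.get(k, v) for k, v in AGENT_LOG_DEFAULTS.items()}

def parse_max_age(value):
    """Convert the d.hh:mm:ss.ff form of AgentLogMaxAge into a timedelta."""
    days, clock = value.split(".", 1)          # fraction, if any, stays with the seconds
    hours, minutes, seconds = clock.split(":")
    return timedelta(days=int(days), hours=int(hours),
                     minutes=int(minutes), seconds=float(seconds))

def set_agent_log_setting(config_xml, key, value):
    """Add or update one <add key="..." value="..." /> element; returns the new XML."""
    root = ET.fromstring(config_xml)
    settings = root.find("appSettings")
    if settings is None:
        settings = ET.SubElement(root, "appSettings")
    for add in settings.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            break
    else:  # key not present yet: append a new element in the documented format
        ET.SubElement(settings, "add", key=key, value=value)
    return ET.tostring(root, encoding="unicode")
```

The transport service still has to be restarted after writing the modified XML back to disk before Exchange picks up the change.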

Final Tips

This concludes our introduction to the Exchange 2007/2010 Anti-Spam Agent Logging. Today we had a quick look at the type of information we can obtain from these logs and how we can configure this functionality.

We could certainly dig a lot deeper into this topic. The Reason and ReasonData log fields are a gold mine. I would love to compile a detailed article on how to directly map these fields to the exact filtering reason. The Get-AgentLog cmdlet is also very useful and worthy of a closer look.

References

How to Manage Agent Log Output - Exchange 2010

Get-AgentLog - Exchange 2010

User Comments - Page 1 of 1

Alexander Zammit 15 Mar 2013 01:00
Check if logging was disabled as explained here
rob 14 Mar 2013 11:01
I have turned on anti-spamming with the script and I am using some block list. I know that the lists are blocking some people but for some reason my server is not producing any AgentLogs. The directory has not even been created. Any ideas?
demi 15 Nov 2012 17:23
I'm trying to figure out how to change the location of these logs. Any ideas?
Charles Derber 28 Feb 2012 20:51
Hey... It's been informative & thanks!
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation