Agent logging is enabled by default on both Exchange 2007 and 2010. So if you are running the anti-spam agents but have never looked at this feature, an excellent starting point is to open one of the files under:
<Program Files>\Microsoft\Exchange Server\v14\TransportRoles\Logs\AgentLog\
The logs will be located on the Edge or Hub Transport server where the anti-spam agents are running. Here is what the raw log file looks like.
Even better, instead of looking at the raw log, we could use the Get-AgentLog cmdlet, which is helpful when searching for specific information. However, we won't discuss this cmdlet today.
To get an idea of the information included in this log here is the list of field names:
Timestamp, SessionId, LocalEndpoint, RemoteEndpoint, EnteredOrgFromIP, MessageId, P1FromAddress, P2FromAddresses, Recipient, NumRecipients, Agent, Event, Action, SmtpResponse, Reason, ReasonData, Diagnostics
Which of these fields gets populated depends on the anti-spam agent generating the log entry. As you will know, Exchange includes a number of anti-spam agents, and each plugs into the email flow at a different stage. The Content Filter Agent processes an incoming email only after it has been completely received, so it is in a position to log a lot of detail. The Connection Filter Agent, on the other hand, acts at a much earlier stage, since its filtering logic is mostly based on the IP address of the remote host sending the email, so it has less to report.
To highlight this point, let's have a look at two log entries, one generated by the Content Filter and one by the Connection Filter.
Field Name | Content Filter Agent Log | Connection Filter Agent Log
Timestamp | 2012-02-26T09:51:42.968Z | 2012-02-26T09:47:57.269Z
SessionId | 08CEC282DA2C4CFE | 08CEC282DA2C4CFD
LocalEndpoint | 192.168.30.60:25 | 192.168.30.60:25
RemoteEndpoint | 192.168.30.23:2457 | 192.168.30.67:49228
EnteredOrgFromIP | 192.168.30.23 | 192.168.30.67
MessageId | <3340BA0E97CD42CB827... |
P1FromAddress | malta@exchangeinbox.com | joe@exchangeinbox.com
P2FromAddresses | malta@exchangeinbox.com; |
Recipient | user3@wtest-dom1.local |
NumRecipients | 1 | 0
Agent | Content Filter Agent | Connection Filtering Agent
Event | OnEndOfData | OnMailCommand
Action | AcceptMessage | RejectCommand
SmtpResponse | | 550 5.7.1 External client with IP address 192.168.30.67 does not have permissions to submit to this server.
Reason | SCL | LocalBlockList
ReasonData | 2 | entry created by administrator
Diagnostics | |
Here are some interesting points worth highlighting:
Unlike the Content Filter, the Connection Filter does not log the MessageId, P2FromAddresses and Recipient fields. None of this information is available to the Connection Filter, since it acts before the message data has been received.
The Action field shows whether the email was blocked or accepted. Here we are looking at two different emails: one accepted and allowed through by the Content Filter (AcceptMessage), the other rejected by the Connection Filter (RejectCommand).
For rejected emails, the SmtpResponse field shows the exact rejection response returned to the sender.
The Reason and ReasonData fields are very useful when investigating why an email was rejected. Here the Connection Filter reports LocalBlockList and "entry created by administrator", a clear indication that the remote IP is configured in the static IP Block list.
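As an added example, not from the original article, here is a small Python parser for the agent log that ties together the field list above and the Reason/ReasonData and Action points just discussed. The sample log text is constructed: its two rows restate the Content Filter and Connection Filter entries from the table, while the "#Fields:" header line layout and the MessageId placeholder are assumptions rather than a copy of a real file.

```python
import csv

# Constructed sample of an agent log file. The two data rows restate the Content
# Filter and Connection Filter entries from the table above; the "#..." header
# lines and the MessageId placeholder are assumptions, not copied from a real log.
SAMPLE_AGENT_LOG = """#Log-type: Agent Log
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2012-02-26T09:47:57.269Z,08CEC282DA2C4CFD,192.168.30.60:25,192.168.30.67:49228,192.168.30.67,,joe@exchangeinbox.com,,,0,Connection Filtering Agent,OnMailCommand,RejectCommand,550 5.7.1 External client with IP address 192.168.30.67 does not have permissions to submit to this server.,LocalBlockList,entry created by administrator,
2012-02-26T09:51:42.968Z,08CEC282DA2C4CFE,192.168.30.60:25,192.168.30.23:2457,192.168.30.23,<constructed-id@exchangeinbox.com>,malta@exchangeinbox.com,malta@exchangeinbox.com;,user3@wtest-dom1.local,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,2,
"""


def parse_agent_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields: line."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header lines, blank lines, or data before the field list
        else:
            values = next(csv.reader([line]))  # csv handles quoted commas in responses
            entries.append(dict(zip(fields, values)))
    return entries


def not_accepted(entries):
    """Entries whose Action is anything other than AcceptMessage, reduced to the
    fields that explain the decision: which agent, at which event, why, and the
    SMTP response the remote host was given."""
    keys = ("Timestamp", "EnteredOrgFromIP", "Agent", "Event", "Action",
            "Reason", "ReasonData", "SmtpResponse")
    return [{k: e.get(k, "") for k in keys}
            for e in entries if e.get("Action") != "AcceptMessage"]


def action_counts(entries):
    """Tally (Agent, Action) pairs: a quick view of which agent is doing the blocking."""
    counts = {}
    for e in entries:
        key = (e.get("Agent", ""), e.get("Action", ""))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    log = parse_agent_log(SAMPLE_AGENT_LOG)
    for entry in not_accepted(log):
        print(entry["Timestamp"], entry["Agent"], entry["Reason"], entry["ReasonData"])
    print(action_counts(log))
```

On a real server the same functions can be pointed at the files under the AgentLog directory mentioned above, reading each with open(path, encoding="utf-8").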
Configuring Agent Logging
Exchange also allows us to configure how agent logging works. There is no flashy interface, just an XML file that you will find at the Edge/Hub Transport server under:
<Program Files>\Microsoft\Exchange Server\v14\Bin\EdgeTransport.exe.config
From here we can configure:
AgentLogEnabled - (default on) turns logging on or off.
AgentLogMaxDirectorySize - (default 250 MB) the maximum total size, in bytes, of all log files in the directory. When this limit is reached the oldest file is deleted.
AgentLogMaxFileSize - (default 10 MB) the maximum size, in bytes, of an individual log file. When this limit is reached a new file is created.
AgentLogMaxAge - (default 30 days) the maximum age of a log file, in the format d.hh:mm:ss.ff (<days>.<hours>:<minutes>:<seconds>.<fraction of a second>). Files older than this are deleted.
The initial configuration file won't have entries for AgentLogMaxDirectorySize, AgentLogMaxFileSize and AgentLogMaxAge. For any missing values, Exchange applies the defaults.
To set a new value we need to add an element in the format:
<add key="property_name" value="property_value" />
Here is what the configuration file may look like once you configure all of the properties relevant to agent logging:
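As an added example, not from the original article, the following Python works through the configuration steps above on a constructed stand-in for the appSettings section of EdgeTransport.exe.config: it reads the effective settings (applying the defaults listed above for any key that is absent) and writes new or updated <add key="..." value="..." /> elements. The <configuration>/<appSettings> wrapping and the byte values for the size defaults are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the relevant part of EdgeTransport.exe.config: only
# AgentLogEnabled is present, as on a fresh install. Wrapping layout is assumed.
INITIAL_CONFIG = """<configuration>
  <appSettings>
    <add key="AgentLogEnabled" value="true" />
  </appSettings>
</configuration>
"""

# The defaults quoted above, in the units the keys expect (bytes, and d.hh:mm:ss).
AGENT_LOG_DEFAULTS = {
    "AgentLogEnabled": "true",
    "AgentLogMaxDirectorySize": str(250 * 1024 * 1024),  # 262144000
    "AgentLogMaxFileSize": str(10 * 1024 * 1024),        # 10485760
    "AgentLogMaxAge": "30.00:00:00",
}
MAX_AGE_FORMAT = re.compile(r"^\d+\.\d{2}:\d{2}:\d{2}(\.\d+)?$")  # d.hh:mm:ss.ff


def validate(key, value):
    """Reject values the transport service would not understand before they reach the file."""
    if key not in AGENT_LOG_DEFAULTS:
        raise KeyError(f"not an agent logging setting: {key}")
    if key == "AgentLogEnabled" and value not in ("true", "false"):
        raise ValueError(f"{key} must be true or false, got {value!r}")
    if key.endswith("Size") and not (value.isdigit() and int(value) > 0):
        raise ValueError(f"{key} must be a positive byte count, got {value!r}")
    if key == "AgentLogMaxAge" and not MAX_AGE_FORMAT.match(value):
        raise ValueError(f"{key} must look like d.hh:mm:ss, got {value!r}")


def effective_agent_log_settings(config_xml):
    """Settings as Exchange applies them: values from the file, defaults for the rest."""
    root = ET.fromstring(config_xml)
    present = {a.get("key"): a.get("value") for a in root.iter("add")}
    return {k: present.get(k, default) for k, default in AGENT_LOG_DEFAULTS.items()}


def set_agent_log_settings(config_xml, **settings):
    """Return the config with each setting written as an <add key value /> element."""
    root = ET.fromstring(config_xml)
    app = root.find("appSettings")
    for key, value in settings.items():
        value = str(value)
        validate(key, value)
        element = app.find(f"add[@key='{key}']")  # update in place if already present
        if element is None:
            element = ET.SubElement(app, "add", key=key)
        element.set("value", value)
    return ET.tostring(root, encoding="unicode")
```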
Important: The Exchange Transport Service must be restarted for changes to take effect.
Final Tips
This concludes our introduction to Exchange 2007/2010 anti-spam agent logging. Today we had a quick look at the type of information we can obtain from these logs and how we can configure this functionality.
We could certainly dig a lot deeper into this topic. The Reason and ReasonData log fields are a gold mine, and I would love to compile a detailed article on how to map these fields to the exact filtering reason. The Get-AgentLog cmdlet is also very useful and worthy of a closer look.
References
How to Manage Agent Log Output - Exchange 2010
Get-AgentLog - Exchange 2010