Whilst looking for an answer to a very strange issue I had with a particular application receiving random logon failures against my Exchange environment over POP3, via my hardware load balanced hostname, I decided it was time to go to the logs.
Steps 1 and 2 are just the commands. I have 8 servers, so I did not run them on every single server one by one; in the interest of time I have taken this portion from the documentation:
Step 1 – Enable protocol logging on POP3:
Set-PopSettings -Server "CAS01" -ProtocolLogEnabled $true
Step 2 – Stop and start the POP3 and POP3 Backend services (MSExchangePOP3 and MSExchangePOP3BE); the new logging setting is not picked up until the services restart.
Step 3 – I used the pop3 folders under the Logging folder of Exchange 2013 as my source data, chose CSV as the log file type, configured the source with a headers file containing all the headers found in the pop3 logs, and then wrote the following query; within a few seconds I had my answer.
(In the sample below I put the health mailboxes back; there is too much company information in the real output.)
I wanted the connections that did not respond with OK, I did not want system mailboxes, and I also wanted to exclude rows where certain fields were incomplete.
This is what my query looked like in the end (the FROM clause, which points at the source configured in Step 3, is not shown):
SELECT top 10000 DISTINCT
dateTime AS dateTime,
user AS user,
cIp AS cIp,
sIp AS sIp,
context AS context,
command as command,
duration as duration
where user <> NULL and command <> NULL and CONTEXT NOT LIKE '%R=ok%' and CONTEXT <> NULL and user not like '%health%'
order by DateTime desc
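As an added example (not code from the original post), here is the same three-step procedure end to end in PowerShell: enabling POP3 protocol logging and restarting the two POP3 services on every server, then applying the same filter as the query above directly to the raw log lines. It assumes an Exchange 2013 Management Shell with remoting to each server, that each server's log folder is reachable over its admin share, and that the logs carry the "#Fields:" header line Exchange writes to its POP3 protocol logs. The lines in $sample are constructed to match that layout and are not real log data.

```powershell
# Added example, not part of the original post. Assumes an Exchange 2013 Management Shell,
# PowerShell remoting to each server, that each server's log folder is reachable through its
# admin share (\\server\C$\...), and the "#Fields:" header line Exchange writes to POP3 logs.

# --- Steps 1 and 2 on every server that runs a POP3 service, rather than one box at a time ---
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess|Mailbox' }
foreach ($srv in $servers) {
    Set-PopSettings -Server $srv.Name -ProtocolLogEnabled $true
    Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
        # Front end (MSExchangePOP3) and back end (MSExchangePOP3BE) are separate services;
        # restart whichever of the two exists on this server so the new setting takes effect.
        Get-Service -Name MSExchangePOP3, MSExchangePOP3BE -ErrorAction SilentlyContinue |
            Restart-Service
    }
}

# --- Step 3 equivalent: the same filter as the query, applied directly to the raw log lines ---
function Get-PopLogonFailures {
    param([string[]]$LogLines, [int]$Top = 10000)

    # Header lines start with '#'; the '#Fields:' line names the CSV columns.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: header found; is this an Exchange protocol log?' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','

    $LogLines |
        Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $header |
        # Drop rows with an empty user/command/context (the <> NULL terms of the query), keep only
        # responses that are not R=ok, and drop the HealthMailbox probes (user NOT LIKE '%health%').
        Where-Object {
            $_.user -and $_.command -and $_.context -and
            $_.context -notlike '*R=ok*' -and
            $_.user -notlike '*health*'
        } |
        # SELECT DISTINCT on the same seven columns, ORDER BY dateTime DESC, TOP $Top
        Select-Object dateTime, user, cIp, sIp, context, command, duration -Unique |
        Sort-Object dateTime -Descending |
        Select-Object -First $Top
}

# --- Pull the current log files from every server over the admin share and run the filter ---
$lines = foreach ($srv in $servers) {
    $logDir = (Get-PopSettings -Server $srv.Name).LogFileLocation      # e.g. C:\...\Logging\Pop3
    $unc = '\\{0}\{1}' -f $srv.Fqdn, ($logDir -replace '^([A-Za-z]):', '$1$$')
    Get-ChildItem -Path $unc -Filter *.log | Get-Content
}
Get-PopLogonFailures -LogLines $lines | Format-Table -AutoSize

# --- Dry run on constructed sample lines in the Exchange POP3 log layout (not real log data) ---
$sample = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Pop3 Log
#Date: 2015-03-10T08:00:00.000Z
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2015-03-10T08:00:01.000Z,0000000000000001,1,10.0.0.5:995,192.168.1.20:51234,alice,3,20,12,user,alice,R=ok
2015-03-10T08:00:02.000Z,0000000000000001,2,10.0.0.5:995,192.168.1.20:51234,alice,1450,18,28,pass,*****,"R=""-ERR Logon failure"";Msg=LogonFailed"
2015-03-10T08:00:03.000Z,0000000000000002,1,10.0.0.5:995,10.0.0.9:40001,HealthMailbox8f2a,2,20,12,user,HealthMailbox8f2a,R=ok
2015-03-10T08:00:04.000Z,0000000000000002,2,10.0.0.5:995,10.0.0.9:40001,HealthMailbox8f2a,5,18,28,pass,*****,"R=""-ERR Logon failure"";Msg=LogonFailed"
'@ -split "`r?`n"
Get-PopLogonFailures -LogLines $sample | Format-Table -AutoSize
```

On the constructed sample only alice's failed PASS command survives the filter: her USER command is dropped because its context is R=ok, and both HealthMailbox rows are dropped by the user filter. The function reads the column names from the #Fields: line rather than hard-coding them, so it keeps working if the log layout gains a column, and Select-Object -Unique gives the same row de-duplication as DISTINCT in the query.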
Very powerful data. Whilst it would be entirely possible to pull those logs into a central place and then process them using Excel, this only took about 5 minutes to put together and yielded instant results; my issue was escalated to the relevant team and resolved within the hour.