My Exchange 2000 server is generating vast amounts of log files causing the server to fail due to lack of disk space. The amounts generated appear to be disproportionate to the number of users on the system and currently I am having to delete these log files to keep the server running. Does anyone have any ideas as to how I might diagnose/resolve the problem?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Vast amounts of log files being generated
- Thread starter NickDJ
- Start date
ShackDaddy
MIS
Don't delete any log files that show up in your Exchsvr\MDBDATA directory. You are probably getting a lot of 5mb files created, sometimes a new one every 5 or ten minutes. The way to keep the number of log files down is to do a full Exchange Store backup regularly. When you do the backup, the logs get flushed into the database, and all data is "committed." When you delete these logs, you run a great risk of corruption or not being able to recover your data in the event of a failure.
To do a proper backup, you can use NTBackup or BackUp-Exec or any other Exchange-aware backup program. I back up my Exchange Information Store every night, and I don't have trouble with logs. If my backup server goes down and I run for a week without a backup, I get in the same sort of trouble that you are in.
Some might tell you that you need to enable circular logging, which limits the number of log files that get created to a certain number, but this can bite you when you try and restore from backup and find that you can't restore any data since your last backup. Having the log files on hand (in a number limited by a recent flush via backup) is the best way to be able to recover right up to the point at which the information store got corrupt.
ShackDaddy
To do a proper backup, you can use NTBackup or BackUp-Exec or any other Exchange-aware backup program. I back up my Exchange Information Store every night, and I don't have trouble with logs. If my backup server goes down and I run for a week without a backup, I get in the same sort of trouble that you are in.
Some might tell you that you need to enable circular logging, which limits the number of log files that get created to a certain number, but this can bite you when you try and restore from backup and find that you can't restore any data since your last backup. Having the log files on hand (in a number limited by a recent flush via backup) is the best way to be able to recover right up to the point at which the information store got corrupt.
ShackDaddy
apart from the way to flush the logfiles by a backup ...
We are having the same problem, sometime suddenly large amounts of logfiles are created, somtimes several in a single minute! same problem as nick has, it fills our disk and thus Exchange fails to run.
Is there a way to read the logfiles, find out what actions in Exchange is causing this abundant growth?
Bascy
Software developer at
We are having the same problem, sometime suddenly large amounts of logfiles are created, somtimes several in a single minute! same problem as nick has, it fills our disk and thus Exchange fails to run.
Is there a way to read the logfiles, find out what actions in Exchange is causing this abundant growth?
Bascy
Software developer at
ShackDaddy
MIS
There's no way to read the logfiles. Assuming that you haven't turned on massive process auditing, you just need to plan for a certain amount of space to be dedicated to logfiles and then do daily backups. A test to make sure that these logfiles are transaction logs would be to do see how many files exist in the directory in question and then check again immediately after a full Exchange backup (not the files, I'm talking about the Information Store).
ShackDaddy
ShackDaddy
there is 3.5 Gb of room on the disk after a backup, we backup every morning at 1, except on sundays and mondays cause we dont work in the weekend. Last saturday, starting at 11.16 am the logs started growing, filling the 3.5 Gb in 8 - 10 hours ...
I suspect it is spam that is causing all this activity and therefore all those logs, but how can i find the cause? Can i read a log somewhere? can i see who is receiving how many messages in a certain period of time? ....
Bascy
Software developer at
I suspect it is spam that is causing all this activity and therefore all those logs, but how can i find the cause? Can i read a log somewhere? can i see who is receiving how many messages in a certain period of time? ....
Bascy
Software developer at
ShackDaddy
MIS
1. Check your outbound mail queues. If they are filled up (500+) with emails without reply addresses, you are probably getting hit with an RNDR attack and Microsoft has a hotfix for you to use to prevent this.
2. Check your private information store and see if any particular box is way out of wack as far as size goes.
3.Make sure that you didn't recently become one of the internet's major relays. Truson has a slightly more complete relay tester than other sites:
4. Turn on some mail-related performance counters and see what the numbers on your incoming and outgoing mail look like. You might find that some internal client is gotten infected with an email virus.
5. Anthing interesting in your Application log?
ShackDaddy
2. Check your private information store and see if any particular box is way out of wack as far as size goes.
3.Make sure that you didn't recently become one of the internet's major relays. Truson has a slightly more complete relay tester than other sites:
4. Turn on some mail-related performance counters and see what the numbers on your incoming and outgoing mail look like. You might find that some internal client is gotten infected with an email virus.
5. Anthing interesting in your Application log?
ShackDaddy
can you tell me where i can find performance counters that show incomming and outgoing email counts?
There are so much Exchange counters, i can't find them
Bascy
Software developer at
There are so much Exchange counters, i can't find them
Bascy
Software developer at
- Thread starter
- #8
ShackDaddy,
Thanks for your comments regarding the resolution of this problem, it's given me much more to go on. I'm aware that backing up the Exchange Databases will clear out the accumulated log files and I am currently sourcing a backup solutoin to addres this issue.
However, much like Bascy says, the problem of immediate concern to me was the large amount of log files accumulating in short periods of time, especially given the limited users assigned to the Exchange server in question. (My fault for not being specific enough in posting the issue).
I think that your last reply regarding monitoring the content of outgoing queues etc has really provided me with the diagnosoes process I was after. I was also intending to pause the mail queues, let some of the mail accumulate, and then read the queued mail using Outlook from the C:\ProgramFiles\Exchsrvr\Mailroot\vsi 1\Queue location to investigate what mail is creating the vastly accumulating log files. Somebody else hinted that it might be anti-virus email alerts begin sent from client machines at set intervals. Anyway, I'll try the techniques which you have helpfully provided.
Thanks once again...
NickDJ
Thanks for your comments regarding the resolution of this problem, it's given me much more to go on. I'm aware that backing up the Exchange Databases will clear out the accumulated log files and I am currently sourcing a backup solutoin to addres this issue.
However, much like Bascy says, the problem of immediate concern to me was the large amount of log files accumulating in short periods of time, especially given the limited users assigned to the Exchange server in question. (My fault for not being specific enough in posting the issue).
I think that your last reply regarding monitoring the content of outgoing queues etc has really provided me with the diagnosoes process I was after. I was also intending to pause the mail queues, let some of the mail accumulate, and then read the queued mail using Outlook from the C:\ProgramFiles\Exchsrvr\Mailroot\vsi 1\Queue location to investigate what mail is creating the vastly accumulating log files. Somebody else hinted that it might be anti-virus email alerts begin sent from client machines at set intervals. Anyway, I'll try the techniques which you have helpfully provided.
Thanks once again...
NickDJ
Nick - ntbackup on the Exchange box will back it up and flush the logs for you while you look for a backup product.
Check you are not being used as a relay and ensure your Exchange logging is off which should minimise troubles and maximise performance.
<signature for rent>
Check you are not being used as a relay and ensure your Exchange logging is off which should minimise troubles and maximise performance.
<signature for rent>
- Status
Similar threads
- Locked
- Question
- Locked
- Question