Solved

Exchange 2010 inetpub log files

Posted on 2014-10-09
Last Modified: 2016-06-14
Greetings,
We are running Exchange 2010 on MS Server 2008 R2.  We have our EDBs on drive E:\ and our ExchangeLogs on drive F:\.  Our nightly backups purge the logs and we keep both these drives with plenty of headroom.  Last night, however, our Exchange server reported severe backflow issues, and I eventually realized that the C:\ drive was 98% full.  This looks largely due to C:\inetpub, which is severely bloated, and doesn't seem to be getting purged by anything automatically.  More worrisome is that 10 days ago, each daily log file suddenly jumped from around 70 MB to 1 GB, in one day!  

1. Can someone shed some light on what these log files are and how they pertain to my Exchange server?
2. What are possible reasons for such a dramatic increase in size, as I can't recall any changes we've made in the last 10 days?
3. As a stopgap measure, to keep my C:\ drive from filling up overnight, can I manually delete old log files safely?
4. As a long-term solution, what is best practice for this directory?

Much thanks!
0
Question by:cuiinc
6 Comments
 
LVL 9

Accepted Solution

by:
bas2754 earned 2000 total points
ID: 40371969
The inetpub log files will be for logs associated with services such as the web server running on that box.  Do you run OWA on the same server?  It may be attempts to hack your server, it may be malfunctioning mobile clients.  It may even be that someone turned up diagnostic logging on that system.

I would copy over one or more of the 1GB log files and open with something other than Notepad.  Word will probably handle it.   Look in the log and see what the errors are stating.


As to deleting these files, yes.  Generally the log files in this location are safe to delete, however without knowing what is going on you may determine it is best to keep them around in case you find there is an intrusion in your system.  I would advise buying an external drive and copying the log files there until you determine what is going on.

If you can post a few lines from the logs it would go a long way in helping us help you.
0
 
LVL 1

Author Comment

by:cuiinc
ID: 40372006
Thanks.  We do run OWA on the same server, although we don't have many users (only a couple actually) that use OWA.

I couldn't open the file with Word (too big) but WordPad can barely handle it.  It's been loading for 15 minutes now, and I think I'm only a third of the way through the file, but the loglines all look to be very similar.  I've pasted some below.
...41 is our mail server and ...42 is our archive server.  It looks to be some kind of comm between these two servers. I'm not sure what to make of this, however, especially as it references Mac OS X, and we only have a couple users who use Macs.  

2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 0
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40372165
For files that large I recommend downloading Log Parser Studio from Microsoft. It's free. And it will get the job done.
http://blogs.technet.com/b/exchange/archive/2013/06/17/log-parser-studio-2-2-is-now-available.aspx

Primarily for Exchange, LPS can also be used for IIS.
http://blogs.msdn.com/b/friis/archive/2014/02/06/how-to-analyse-iis-logs-using-logparser-logparser-studio.aspx

Bas is correct on all points. It is up to you whether you keep them. Unfortunately, there is no native truncation process for these logs. Although I know a quick Google search on IIS log cleanup will reveal some scripts you could schedule. You can turn them off in IIS if you wish as well.
0
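For a first look at which account, client and URL are producing the volume, the log can also be streamed line by line instead of opened in an editor. This is an added example, not code from the thread or from Log Parser Studio; `Get-IisTopTalkers` is a hypothetical function name, the sample lines are constructed, and the `#Fields` order is assumed to be the IIS default, which matches the excerpt posted above.

```powershell
# Added example. Sample log lines are constructed; the #Fields order is assumed
# to be the IIS default, which matches the excerpt posted in the thread.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 15
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42 MacOutlook/14.2.0.101115+(Intel+Mac+OS+X+10.6.2) 200 0 0 0
2014-10-09 05:36:40 192.168.75.41 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0+(constructed) 401 0 0 31
2014-10-09 05:36:41 192.168.75.41 GET /owa/ - 443 DEMO\user1 192.0.2.10 Mozilla/5.0+(constructed) 200 0 0 46
'@
$demoLog = Join-Path ([System.IO.Path]::GetTempPath()) 'u_ex_demo.log'
Set-Content -Path $demoLog -Value $sample -Encoding ASCII

function Get-IisTopTalkers {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string[]]$GroupBy = @('cs-username', 'c-ip', 'cs(User-Agent)', 'cs-uri-stem'),
        [int]$Top = 10
    )
    $counts = @{}; $fields = @(); $idx = @()
    $full = (Resolve-Path $Path).ProviderPath
    # FileShare.ReadWrite allows reading the log that IIS still has open for writing.
    $fs = New-Object System.IO.FileStream($full, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    $reader = New-Object System.IO.StreamReader($fs)
    try {
        while ($null -ne ($line = $reader.ReadLine())) {
            if ($line.StartsWith('#Fields:')) {
                # The directive names the columns; map the requested fields to positions.
                $fields = $line.Substring(8).Trim().Split(' ')
                $idx = @($GroupBy | ForEach-Object { [array]::IndexOf($fields, $_) })
                if ($idx -contains -1) { throw "Log does not record all of: $($GroupBy -join ', ')" }
                continue
            }
            if ($line.Length -eq 0 -or $line.StartsWith('#')) { continue }
            $cols = $line.Split(' ')          # W3C logs encode embedded spaces as '+'
            if ($cols.Count -ne $fields.Count) { continue }   # truncated or partial line
            $key = ($idx | ForEach-Object { $cols[$_] }) -join ' | '
            $counts[$key] = [int]$counts[$key] + 1
        }
    } finally { $reader.Close() }
    $counts.GetEnumerator() | Sort-Object Value -Descending |
        Select-Object -First $Top @{Name='Requests';Expression={$_.Value}}, @{Name='Key';Expression={$_.Key}}
}

Get-IisTopTalkers -Path $demoLog | Format-Table -AutoSize
Get-IisTopTalkers -Path $demoLog -GroupBy 'sc-status' | Format-Table -AutoSize
```

Running the same grouping over a log from before the size jump and one from after it shows whether the growth comes from one account and client or from many sources.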
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40372233
2014-10-09 05:36:32 192.168.75.41 POST /EWS/Exchange.asmx - 443 CUI\emailarchive 192.168.75.42

That's Outlook for Mac, which utilizes EWS. The OS running that version of Outlook for Mac is OSX 10.6.2 :) The 200 code up there also means it successfully connected (as that is HTTP 200 - OK).

IIS log files tend to grow, and depending on the amount of traffic your clients are generating it can be rapid. I use the following at work and then set it up as a scheduled task.

http://blog.wapnet.nl/2013/09/iis-7-and-7-5-rotate-all-logging/
0
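A scheduled cleanup can keep the evidence the accepted answer says you may still need by copying each old log to an archive location before deleting it. This is an added example, not the script from the linked blog post; `Move-OldIisLogs`, its parameters and the temp-directory demo files are hypothetical and constructed for illustration.

```powershell
# Added example. Function name, parameters and demo files are constructed.
function Move-OldIisLogs {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$LogRoot,
        [Parameter(Mandatory=$true)][string]$ArchiveRoot,
        [int]$KeepDays = 14
    )
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    $root = (Resolve-Path $LogRoot).ProviderPath.TrimEnd('\', '/')
    Get-ChildItem -Path $root -Recurse -Filter *.log |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            $file = $_
            # Keep the per-site subfolder (e.g. W3SVC1) so the site of origin stays identifiable.
            $rel = $file.Directory.FullName.Substring($root.Length).TrimStart('\', '/')
            $destDir = [System.IO.Path]::Combine($ArchiveRoot, $rel)
            if ($PSCmdlet.ShouldProcess($file.FullName, "archive to $destDir, then delete")) {
                New-Item -ItemType Directory -Path $destDir -Force | Out-Null
                $copy = Copy-Item -LiteralPath $file.FullName -Destination $destDir -PassThru
                # Delete the original only after the copy is confirmed to be the same size.
                if ($copy.Length -eq $file.Length) { Remove-Item -LiteralPath $file.FullName }
                else { Write-Warning "Copy size mismatch, kept $($file.FullName)" }
            }
        }
}

# Demo on constructed files in a temp folder: one log backdated 30 days, one current.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'iislog-demo'
$logs = Join-Path $demo 'LogFiles'
$site = Join-Path $logs 'W3SVC1'
New-Item -ItemType Directory -Path $site -Force | Out-Null
Set-Content -Path (Join-Path $site 'u_ex140901.log') -Value 'constructed old log'
Set-Content -Path (Join-Path $site 'u_ex141009.log') -Value 'constructed current log'
(Get-Item (Join-Path $site 'u_ex140901.log')).LastWriteTime = (Get-Date).AddDays(-30)

Move-OldIisLogs -LogRoot $logs -ArchiveRoot (Join-Path $demo 'Archive') -WhatIf   # preview only
Move-OldIisLogs -LogRoot $logs -ArchiveRoot (Join-Path $demo 'Archive')           # archive and purge
Get-ChildItem -Path $demo -Recurse -Filter *.log | Select-Object FullName
```

On a real server the archive root would sit on a different volume than C:\, and the `-WhatIf` run shows which files a given `-KeepDays` value would touch before anything is deleted.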
 
LVL 1

Author Comment

by:cuiinc
ID: 40373631
Thank you all for the insights.  One follow-up question, as I dig deeper:  Yesterday I went into IIS, clicked on the top-level server (my mail server), clicked on "logging," and selected "Do not create new log files."  I clicked through all the child-level websites to ensure that they inherited this setting.  Additionally, I removed the most recent 900 MB log file.  Immediately, I saw a new, empty log file get created.

And today I have a day-old, huge log file in inetpub.  Are there any other locations I should be checking, or might have overlooked?
0
