Solved

Exchange 2010 - help with rapidly expanding transaction logs

Posted on 2015-01-22
Last Modified: 2015-01-23
Hi all,

Yesterday morning I arrived in the office to find that no users could connect to Exchange (2010).  After some investigation, it was discovered that the drive that holds our transaction log files was full.

We have an overnight VSS backup which successfully cleans up all these log files, but they are growing so rapidly that within 4 or 5 hours the drive is full again (30GB).

We have 5 x mailbox databases and can see that it is clearly just one of these DBs which is out of control.  There are only about 10 users' mailboxes in this DB, so it is not large.

After reading some blogs etc. online, my best guess is that this is probably being caused by one of the users' iPhones doing something crazy with ActiveSync and filling the logs.

I have read about using Log Parser Studio to examine the logs (good blog here: http://hermannmaurer.blogspot.in/2012/05/exchange-2010-transaction-logfiles-grow.html), but I am not getting any success. When I run the query described in the blog I don't get any output.

I am looking for help to find out which user/device is causing this rapid growth so I can put a stop to it!

Thanks all
0
Question by:fieldj
9 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40563788
Disable all ActiveSync access to the users on that DB and see if log growth stops/slows to normal.  If so then enable one at a time and monitor.  If you only have 10 users in the DB it should not take you long.

Ensure that your Exchange is on all of the latest service packs and patches as there have been fixes for iOS and ActiveSync issues.
0
 

Author Comment

by:fieldj
ID: 40563808
Exchange is patched and up to date.  Also I know most of the iPhones are running the latest version of iOS, and none of them are on iOS 6 (which is the version I understand can cause the problem)

Rather than disable access to all users, is there not a way I can analyse the logs to identify the problem?  ActiveSync is my best guess but I am not 100% sure this is the problem.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40563853
I have just installed the latest version of Log Parser and Log Parser Studio, ran the "ActiveSync Report" and pointed it at my Exchange server's IIS W3C logs directory and got exactly what it should produce first time.  Are you pointing at the correct logs folder?
0
 

Author Comment

by:fieldj
ID: 40563862
I am pointing it at the folder which contains the rapidly expanding logs.

In my case it's L:\MailboxDatabase\XtraMailbox2.edb\

The logs are all named E0400035....log or similar and are 1,024 KB in size.

I believe that these are the transaction logs (they are automatically deleted when I run a backup).

Should I be pointing Log Parser Studio at a different set of logs?
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 500 total points
ID: 40563872
Those are not ActiveSync logs, they are Exchange mail logs.  To examine ActiveSync activity you need to point at the inetpub/logs/logfiles/W3SVC* log folders on all CAS servers.
0
 
LVL 15

Expert Comment

by:Ivan
ID: 40563888
Hi,

I had a problem with logs growing out of control some days ago. They used to grow 200 GB in 10-15 h.
I finally found that I had 1 message stuck in queue for a day. Deleted the msg and everything started working fine.

Regards,
0
 

Author Comment

by:fieldj
ID: 40563927
Thank you!

I think we have identified our culprit!

It seems that one iPad starts going crazy requesting data at just after 11pm every 1 second until the HD is full.

Thanks again for your help.
0
 

Author Comment

by:fieldj
ID: 40563930
I won't close this quite yet and reward the points, just in case I need to ask for any further help when I actually get my hands on the iPad.

Looking good though.
0
 

Author Comment

by:fieldj
ID: 40566051
Confirmed that after reconfiguring all the Exchange settings on the iPad, everything was OK.

It seemed that the user's iPad was stuck in an endless loop of requesting data from Exchange via ActiveSync and just hammering the server, which resulted in the rapid log growth.

Thanks all and in particular Neilsr
0
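An added example, not code from this thread or from Log Parser Studio: one way to get the per-device view the accepted answer points to, by reading IIS W3C logs and reporting each ActiveSync device whose request rate reaches a per-minute threshold. The `#Fields` layout, the `User`/`DeviceId`/`DeviceType` query parameters, the threshold of 30 and every sample log line are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs
EAS_STEM = "/microsoft-server-activesync/default.eas"  # compared case-insensitively

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def eas_requests_per_minute(lines):
    """Count ActiveSync requests per (minute, user, device id, device type)."""
    counts = Counter()
    for row in parse_w3c(lines):
        if row.get("cs-uri-stem", "").lower() != EAS_STEM:
            continue
        q = {k.lower(): v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        who = q.get("user", row.get("cs-username", "-"))
        minute = f'{row["date"]} {row["time"][:5]}'
        counts[(minute, who, q.get("deviceid", "-"), q.get("devicetype", "-"))] += 1
    return counts

def noisy_devices(lines, per_minute_threshold=30):
    """Return {(user, device id, device type): peak requests/minute} at or above the threshold."""
    peaks = {}
    for (_, user, dev, kind), n in eas_requests_per_minute(lines).items():
        if n >= per_minute_threshold:
            peaks[(user, dev, kind)] = max(n, peaks.get((user, dev, kind), 0))
    return peaks

def build_sample():
    """Constructed log: an iPad syncing every second, a normal iPhone, one OWA hit."""
    out = ["#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status"]
    eas = "/Microsoft-Server-ActiveSync/default.eas"
    for s in range(120):
        out.append(f"2015-01-21 23:{1 + s // 60:02d}:{s % 60:02d} POST {eas} "
                   "Cmd=Sync&User=user-b&DeviceId=SAMPLEPAD01&DeviceType=iPad EXAMPLE\\user-b 200")
    out.append(f"2015-01-21 23:01:10 POST {eas} "
               "Cmd=Ping&User=user-a&DeviceId=SAMPLEPHONE01&DeviceType=iPhone EXAMPLE\\user-a 200")
    out.append("2015-01-21 23:01:12 GET /owa/ - EXAMPLE\\user-a 200")
    return out

if __name__ == "__main__":
    print(noisy_devices(build_sample()))
```

To use it on real data, pass an open log file from the W3SVC folder of each CAS server in place of `build_sample()`.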
