Is there a sensible way to search the SMTP Receive protocol logs on the client access servers? The Get-MessageTrackingLog cmdlet only searches the mailbox servers, but I need to be able to look at what's connecting to the CAS sometimes and manipulate those logs. The transport logs are entirely too verbose for some of my needs.
I've been parsing the logs via PowerShell using some form of these piped commands I've put together, and it's certainly functional, but I can't help but feel that I'm doing things the hard way.
Get-ChildItem -Path 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*' -Include '*.LOG' |
    Where-Object -FilterScript {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} |
    Sort-Object -Property 'LastWriteTime' |
    Get-Content |
    Where-Object -FilterScript {$_ -like '*,530 5.7.1 Client was not authenticated,*'} |
    ConvertFrom-Csv -Header 'date-time','connector-id','session-id','sequence-number','local-endpoint','remote-endpoint','event','data','context' |
    ForEach-Object -Process {
        # Split the local endpoint into address and port.
        [void]($_.'local-endpoint' -match '(.*):([0-9]*)$')
        $lip = [IPAddress]$Matches[1]
        $lport = [Int]$Matches[2]
        # Split the remote endpoint; $Matches now holds the remote address and port.
        [void]($_.'remote-endpoint' -match '(.*):([0-9]*)$')
        New-Object -TypeName PSObject -Property @{
            'date-time' = [datetime]$_.'date-time';
            'connector-id' = [string]$_.'connector-id';
            'session-id' = [string]$_.'session-id';
            'sequence-number' = [int]$_.'sequence-number';
            'local-endpoint' = [string]$_.'local-endpoint';
            'local-endpoint-ip' = $lip;
            'local-endpoint-port' = $lport;
            'remote-endpoint' = [string]$_.'remote-endpoint';
            'remote-endpoint-ip' = [IPAddress]$Matches[1];
            'remote-endpoint-port' = [Int]$Matches[2];
            'event' = [string]$_.'event';
            'data' = [string]$_.'data';
            'context' = [string]$_.'context'
        }
    } |
    Format-Table -Property 'date-time','remote-endpoint-ip','data'
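The same parsing wrapped in a reusable function that skips the `#` header lines and counts unauthenticated rejections per remote IP, as an added example that is not part of the original post. The function name `ConvertFrom-SmtpReceiveLog` is hypothetical, the sample log lines are constructed, and it assumes endpoints are written as `address:port` with IPv6 addresses in brackets.

```powershell
# Added example; the function name and the sample lines are constructed.
function ConvertFrom-SmtpReceiveLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        $header = 'date-time','connector-id','session-id','sequence-number',
                  'local-endpoint','remote-endpoint','event','data','context'
    }
    process {
        # Skip blank lines and the '#'-prefixed header block of each log file.
        if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return }
        $row = $Line | ConvertFrom-Csv -Header $header
        # Assumes 'address:port', with IPv6 addresses in brackets.
        if ($row.'remote-endpoint' -notmatch '^\[?(.*?)\]?:(\d+)$') { return }
        [pscustomobject]@{
            DateTime    = [datetime]$row.'date-time'
            ConnectorId = $row.'connector-id'
            SessionId   = $row.'session-id'
            RemoteIP    = [IPAddress]$Matches[1]
            RemotePort  = [int]$Matches[2]
            Event       = $row.'event'
            Data        = $row.'data'
        }
    }
}

# Constructed sample input (documentation-range addresses, made-up session ids).
$sampleLog = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-01-15T08:30:01.120Z,EXCH01\Default Frontend EXCH01,08DC0000000000A1,4,192.0.2.5:25,198.51.100.7:51234,>,530 5.7.1 Client was not authenticated,
2024-01-15T08:30:09.480Z,EXCH01\Default Frontend EXCH01,08DC0000000000A2,4,192.0.2.5:25,198.51.100.7:51302,>,530 5.7.1 Client was not authenticated,
2024-01-15T08:31:12.003Z,EXCH01\Default Frontend EXCH01,08DC0000000000A3,4,[2001:db8::5]:25,[2001:db8::77]:40112,>,530 5.7.1 Client was not authenticated,
2024-01-15T08:31:40.500Z,EXCH01\Default Frontend EXCH01,08DC0000000000A4,2,192.0.2.5:25,203.0.113.9:49877,<,EHLO mail.example.net,
'@ -split '\r?\n'

# Which remote addresses are being rejected as unauthenticated, and how often.
$sampleLog | ConvertFrom-SmtpReceiveLog |
    Where-Object { $_.Data -like '530 5.7.1 Client was not authenticated*' } |
    Group-Object -Property { $_.RemoteIP.ToString() } |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

To run it against real logs, replace `$sampleLog` with the `Get-ChildItem ... | Get-Content` stage from the post.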