PowerShell is good stuff :)

From: David Lum [mailto:david....@nwea.org]
Sent: Wednesday, March 10, 2010 4:31 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring - thanks Rob!

I just needed to get a feel for what's hit the SMTP server in the last 30 days 
(err, 350,000 records after changing the result size). Of course now I can also 
find average message sizes, etc...

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Wednesday, March 10, 2010 1:46 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring - thanks Rob!

You're welcome!

Note - that's only getting a fixed number of log entries.  If you want to do 
daily reporting, we'll need to change that to use a startdate and enddate 
calculated from the current datetime.

It should be fine for a quick look at what's hit it recently.
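
Added example, not part of the original thread and not Rob's script: one way to do the daily report described above, with the start and end dates calculated from the current datetime and per-client message counts and average sizes. The function name Get-SmtpClientSummary and the sample records are assumptions constructed for illustration; the live query is shown commented out so the block runs without an Exchange server.

```powershell
# Window = the previous calendar day, computed from the current datetime.
$end   = (Get-Date).Date        # today at 00:00
$start = $end.AddDays(-1)       # yesterday at 00:00

# Hypothetical helper: aggregates tracking-log records per client IP.
function Get-SmtpClientSummary {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    begin { $byIp = @{} }
    process {
        if ($Record.Source -ne 'SMTP') { return }   # same filter as in the thread
        $ip = [string]$Record.ClientIp
        if (-not $byIp.ContainsKey($ip)) {
            $byIp[$ip] = New-Object PSObject -Property @{
                ClientIp = $ip; Messages = 0; TotalBytes = [long]0
                LastSeen = $Record.Timestamp }
        }
        $s = $byIp[$ip]
        $s.Messages++
        $s.TotalBytes += [long]$Record.TotalBytes
        if ($Record.Timestamp -gt $s.LastSeen) { $s.LastSeen = $Record.Timestamp }
    }
    end {
        # A hashtable keeps memory flat even with hundreds of thousands of records.
        $byIp.Values |
            Select-Object ClientIp, Messages, TotalBytes,
                @{ n = 'AvgBytes'; e = { [math]::Round($_.TotalBytes / $_.Messages) } },
                LastSeen |
            Sort-Object Messages -Descending
    }
}

# Live use on a hub transport server (Unlimited lifts the fixed record count):
# Get-MessageTrackingLog -Server <servername> -Start $start -End $end `
#     -EventId "RECEIVE" -ResultSize Unlimited | Get-SmtpClientSummary | ft -auto

# Constructed sample records standing in for tracking-log output.
$sample = @(
    New-Object PSObject -Property @{ Source = 'SMTP'; ClientIp = '192.0.2.10'
        TotalBytes = 4200; Timestamp = $start.AddHours(2) }
    New-Object PSObject -Property @{ Source = 'SMTP'; ClientIp = '192.0.2.10'
        TotalBytes = 1800; Timestamp = $start.AddHours(9) }
    New-Object PSObject -Property @{ Source = 'SMTP'; ClientIp = '198.51.100.7'
        TotalBytes = 52000; Timestamp = $start.AddHours(5) }
    New-Object PSObject -Property @{ Source = 'STOREDRIVER'; ClientIp = ''
        TotalBytes = 900; Timestamp = $start.AddHours(6) }
)
$sample | Get-SmtpClientSummary | Format-Table -AutoSize
```

A client IP that shows up in this summary and is not a known relay source (application server, scanner, monitoring host) is the entry worth following up.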

From: David Lum [mailto:david....@nwea.org]
Sent: Wednesday, March 10, 2010 3:36 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring - thanks Rob!

You sir, are the bomb! Thank you very much, I am in business. I now have exactly 
what I am looking for.

Thanks again,
Dave

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Wednesday, March 10, 2010 12:00 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

There is a "hostname" field.  Whether there's anything in it or not will depend 
on whether the client reported it.
Add "hostname" to the select to add the column.

I could probably script a DNS lookup to backfill it after the fact.

It truncates automatically on the screen display.

You can try adding "| ft -wrap" to make it not truncate.

You can also dump it to .csv with:

Get-messagetrackinglog -server <servername> -resultsize 100 -eventid "RECEIVE" | ? {$_.source -eq "SMTP"} | Select clientip,hostname,totalbytes,timestamp | export-csv "c:\somedir\stmplog.csv" -notype

(that should be all on one line)



From: David Lum [mailto:david....@nwea.org]
Sent: Wednesday, March 10, 2010 1:42 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

Yep! Is there a way to add "hostname"? Also, is there a way to make it not 
truncate "Sender" - a way to make the default column width something different? 
A formatting option I am sure.

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Wednesday, March 10, 2010 9:25 AM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

Does it work with just

| select clientip,totalbytes,timestamp

?

From: David Lum [mailto:david....@nwea.org]
Sent: Wednesday, March 10, 2010 11:20 AM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

Money, this works. Adding "ft -auto" breaks it though.

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Tuesday, March 09, 2010 3:07 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

OK.  Let's see if any of them are SMTP

Get-messagetrackinglog -server <servername> -resultsize 100 -eventid "RECEIVE" |
? {$_.source -eq "SMTP"}


From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, March 09, 2010 3:55 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

A bunch of results

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Tuesday, March 09, 2010 1:38 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

What does just this much get you?

Get-messagetrackinglog -server <servername> -resultsize 100 -eventid "RECEIVE"

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, March 09, 2010 3:35 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

My hub server. I can run the canned tracking tool GUI fine, but running that in 
the PS window gives me nothing.

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Tuesday, March 09, 2010 1:27 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

That's weird.

Are you checking your mail server logs, or your hub transport logs?

These events will only show up on the hub transport servers.

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, March 09, 2010 2:35 PM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

Thanks for this. It just comes back with the prompt...no error, but no output..

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Tuesday, March 09, 2010 8:30 AM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

Missed the closing quote on "SMTP"

Get-messagetrackinglog -server <servername> -resultsize 100 -eventid "RECEIVE" |
? {$_.source -eq "SMTP"} |
Select clientip,totalbytes,timestamp | ft -auto


From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Tuesday, March 09, 2010 10:26 AM
To: MS-Exchange Admin Issues
Subject: RE: SMTP traffic monitoring

You can check the SMTP RECEIVE events in the Message Tracking Logs on the hub 
transport servers.

Get-messagetrackinglog -server <servername> -resultsize 100 -eventid "RECEIVE" |
? {$_.source -eq "SMTP} |
Select clientip,totalbytes,timestamp | ft -auto

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, March 09, 2010 10:09 AM
To: MS-Exchange Admin Issues
Subject: SMTP traffic monitoring

We have Exchange 2007 here and I'd like to be able to see what machines are 
passing SMTP traffic through it - how do I do that? It appears that it can 
create a CONNECTLOGnnnnn.LOG file - is there something that can parse it so I 
can view the connections easily?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

**************************************************************************************************

Note:

The information contained in this message may be privileged and confidential and

protected from disclosure.  If the reader of this message is not the intended

recipient, or an employee or agent responsible for delivering this message to

the intended recipient, you are hereby notified that any dissemination,

distribution or copying of this communication is strictly prohibited. If you

have received this communication in error, please notify us immediately by

replying to the message and deleting it from your computer.

**************************************************************************************************