You can still use the IIS logs (if you have them turned on) to see data VOLUME 
- which can track user, source ip, data read, data written, etc.

However, that doesn't allow you to see actual data CONTENT.

The process described here allows you to examine content.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Friday, January 27, 2012 10:00 AM
To: MS-Exchange Admin Issues
Subject: Re: Analysing e2k10 transaction logs

That's interesting - the problems I had under E2003 with exploding
logs were in logs that are human readable. I did not know that might
change under E2010.

Kurt

On Thu, Jan 26, 2012 at 20:51, Richard Stovall <rich...@gmail.com> wrote:
> I think the OP is referring to the Exchange database's transaction logs,
> which are not human readable text.
>
> That said, I did run across the link below by Googling "exchange transaction
> log parser."  It mentions 2007, but may be applicable to 2010 as well.
>  Basically, the author uses the *nix strings command to find readable text
> and then slices and dices the output a bit.  It's very much like what Kurt
> proposes, but takes into account that the Exchange logs are not pure text.
>  Looks very useful, actually.  The comments are worth reading too, as is
> often the case.
>
> http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx
>
>
>
> On Thu, Jan 26, 2012 at 6:57 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> If that's a single file, I'd use a file splitter to make that into about
>> 1,000 files, and then take the first 20 lines out of each file.
>>
>> Enumerating the users in those lines should show you which account is
>> generating the bulk of the lines. I'd get a count of the lines in those
>> files with 'wc', as well.
>>
>> Get 'split' and 'wc' from http://gnuwin32.sf.net or http://unxutils.sf.net
>>
>> If it's not immediately obvious from the above, then, with some findstr
>> (or grep) magic in conjunction with 'wc' you can start to winnow down the
>> list.
>>
>> If you want to get a bit more sophisticated, 'cut' and 'sed' along with the
>> above tools do yeoman work as well.
>>
>> Lastly, if you've not used it before, the MSFT tool logparser can help -
>> there are tutorials around on how to use it.
>>
>> Kurt
>>
>> On Wed, Jan 25, 2012 at 08:19, Joseph L. Casale
>> <jcas...@activenetwerx.com> wrote:
>>>
>>>
>>> I am offsite, but have access to a copy of about 10gig of transaction
>>> logs that got created within a couple hours.
>>> Anyone know how to analyze the logs themselves for an idea of who/what
>>> created that mess in case I should have someone remotely disable a user
>>> for example?
>>>
>>> Thanks,
>>> jlc
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>> with the body: unsubscribe exchangelist
>>>
>>
>
>


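The strings-style triage discussed in this thread, as an added example (not code from any poster or from the linked blog post): a Python equivalent of running `strings` over binary transaction logs and counting address-like tokens to see which account dominates. The sample bytes are constructed, the function names are hypothetical, and it is an assumption that addresses appear in the logs as readable ASCII or UTF-16LE text.

```python
import re
from collections import Counter

# Runs of 6+ printable ASCII bytes, and the same characters stored as
# UTF-16LE (each byte followed by 0x00), which an ASCII-only scan misses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def readable_strings(blob):
    """Yield printable text runs found in a binary blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def tally_addresses(blobs):
    """Count address-like tokens across the contents of many log files."""
    counts = Counter()
    for blob in blobs:
        for text in readable_strings(blob):
            counts.update(a.lower() for a in ADDRESS.findall(text))
    return counts


def tally_files(paths):
    """Same tally, reading log files from disk one at a time."""
    def contents():
        for path in paths:
            with open(path, "rb") as fh:
                yield fh.read()
    return tally_addresses(contents())


def _utf16(text):
    return text.encode("utf-16-le")


# Constructed sample data standing in for two binary log files.
SAMPLE_LOGS = [
    b"\x00\x01\xff" + b"From: alice@example.com" + b"\x02\x9c"
    + _utf16("To: bob@example.com") + b"\x00\x07",
    b"\x13\x03" + _utf16("Sender ALICE@example.com") + b"\xfe"
    + b"rcpt alice@example.com\x00",
]

if __name__ == "__main__":
    for address, hits in tally_addresses(SAMPLE_LOGS).most_common(10):
        print(f"{hits:8d}  {address}")
```

For real logs, pass the file paths to `tally_files` and read the top of the `most_common` output the same way.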