Friday, September 04, 2009

I am posting this in hopes that it helps other admins. We ran into an issue that involved a huge increase in log generation on one of our storage groups. After running through the usual suspects (virus scanning, looping messages), we attempted to identify any potential users that could be causing the issue by using ExMon. Most articles specify looking at the log bytes column for users on E2k7, but for a mailbox on an E2k3 server, that column is non-functional. You can, however, use the BytesIn column to get an idea of any clients generating a lot of traffic to the server.

While ExMon helped, it still did not definitively identify the user who was causing this issue. The next step was to use PowerShell to examine a subset of the logs being generated to identify any patterns:

This ended up being the method that allowed us to identify a particular user that was causing an inordinate amount of updates in the logs (apparently you need at least 50 log files to get a good set of data). Going on a hunch from another case I had read about, we deleted this user's OST file (he was running Outlook 2007/SP2) and the excessive log generation stopped. We are still waiting to hear from MS on whether there is a fix for this issue, but at least we have a better method of identifying the problem user.
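A sketch of this kind of log examination, as an added example that is not the script used in the original post. It assumes that recipient legacyExchangeDN strings show up as readable ASCII or UTF-16 text inside the transaction logs; the function name, the sample DNs and the file paths are hypothetical, and hit counts are only a heuristic for spotting an outlier.

```powershell
# Added example, not the original author's script.
# Assumption: recipient legacyExchangeDN strings appear as text in the log records.
function Get-RecipientDnCount {
    param([string[]]$Path)
    # Latin-1 maps every byte to one character, so binary data survives decoding.
    $latin1  = [System.Text.Encoding]::GetEncoding(28591)
    $pattern = [regex]'(?i)/o=[^/\x00-\x1f]{1,64}/ou=[^/\x00-\x1f]{1,64}/cn=Recipients/cn=[a-z0-9._\-]{1,64}'
    $totals  = @{}
    foreach ($file in $Path) {
        $bytes = [System.IO.File]::ReadAllBytes($file)
        # Dropping NUL bytes makes UTF-16 strings match the same ASCII pattern.
        $text  = $latin1.GetString($bytes).Replace([string][char]0, '')
        foreach ($m in $pattern.Matches($text)) {
            $dn = $m.Value.ToLowerInvariant()
            $totals[$dn] = 1 + [int]$totals[$dn]
        }
    }
    $totals.GetEnumerator() | Sort-Object Value -Descending |
        Select-Object @{n='Hits';e={$_.Value}}, @{n='RecipientDN';e={$_.Key}}
}

# Constructed sample file: binary filler around two made-up DNs, one of them
# repeated in both ASCII and UTF-16 form.
$dnA  = '/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=jdoe'
$dnB  = '/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=asmith'
$junk = [byte[]](0x01, 0xFF, 0x02)
[byte[]]$sampleBytes = $junk +
    [System.Text.Encoding]::ASCII.GetBytes($dnA)   + $junk +
    [System.Text.Encoding]::Unicode.GetBytes($dnA) + $junk +
    [System.Text.Encoding]::ASCII.GetBytes($dnB)   + $junk +
    [System.Text.Encoding]::Unicode.GetBytes($dnA) + $junk
$sample = Join-Path $env:TEMP 'E00constructed.log'
[System.IO.File]::WriteAllBytes($sample, $sampleBytes)

Get-RecipientDnCount -Path $sample | Format-Table -AutoSize

# Against real data, work on COPIES of closed logs (placeholder path), e.g.:
#   $logs = Get-ChildItem 'X:\LogCopy' -Filter 'E00*.log' |
#           Select-Object -First 50 | ForEach-Object { $_.FullName }
#   Get-RecipientDnCount -Path $logs | Select-Object -First 20
Remove-Item $sample
```

On the constructed sample the jdoe DN is counted three times and the asmith DN once; on real logs, a mailbox whose count dwarfs the rest is the one to look at more closely.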

Here is a nice article on the new mailbox auditing features included in SP2 for Exchange 2007. This feature has been sorely missing, as the in-the-box tools were basically useless and the third-party tools that we have looked at ended up causing more problems than they solved.

Also, nice work adding a special hidden permission to allow you to exclude service accounts from the auditing, as it makes looking at the logs much easier and helps conserve log space.