This topic is based on a translation of an official Microsoft blog post. Recently we found that the Log Parser tool is very useful and makes it easy to analyze related problems, so the next series of posts will use Log Parser to generate reports and to analyze the current state of the data.
Log Parser is a log analysis tool that can process many different kinds of logs. I am an Exchange MVP and use it to analyze Exchange-related logs; I state again that these statements come from the official Microsoft Exchange blog.
Let's first look at the requirements. Log Parser can be installed on any server, but because it does data processing we recommend running it on a machine with sufficient CPU speed. The software download link is as follows:
Log Parser 2.2: http://www.microsoft.com/downloads/details.aspx?familyid=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
If we need to generate the corresponding chart, we also need to install the following plug-ins:
- Outlook 2003 Web plug-in: http://www.microsoft.com/downloads/details.aspx?familyid=7287252c-402e-4f72-97a5-e0fd290d4b76&displaylang=en
- Plug-in for Outlook 2003 SP2: http://www.microsoft.com/downloads/details.aspx?familyid=C815DFFA-D5F3-4B71-BF46-13721BD44682&displaylang=en
After the above components are installed, we need to put the corresponding Exchange logs on the log analysis server. What is the key to analyzing these logs? As the blog explains, you first need to know where each log lives; I will repeat the table here:
| Log type | Default path |
| --- | --- |
| Protocol logs (SMTP send) | \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend |
| Protocol logs (SMTP receive) | \Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive |
| Agent logs | \Exchange Server\TransportRoles\Logs\AgentLog |
| IIS logs | Windows 2003: \Windows\System32\LogFiles\W3SVC1; Windows 2008: \Inetpub\Logs\LogFiles\W3SVC1 |
| Message tracking logs | \Exchange Server\TransportRoles\Logs\MessageTracking |
| POP3/IMAP logs | \Exchange Server\ClientAccess\PopImap |
| Connectivity logs | \Exchange Server\TransportRoles\Logs\Connectivity |
| Pipeline tracing logs | \Exchange Server\TransportRoles\Logs\PipelineTracing |
| Routing table logs | \Exchange Server\TransportRoles\Logs\Routing |
| MRM logs | \Exchange Server\Logging\Managed Folder Assistant |
Next, copy the log data to the local computer where Log Parser will run.
Let's first look at the reputation of mail in the organization. To see the state of mail in the organization, run the following Log Parser command, which analyzes mail reputation from the agent log data:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" "SELECT CASE TO_INT(reasondata) WHEN NULL THEN 0 ELSE TO_INT(reasondata) END AS reasondata2, COUNT(*) AS hits INTO agentreasonspread.gif FROM c:\progra~1\Microsoft\exchan~1\transportroles\logs\agentlog\agent*.log GROUP BY reasondata2 ORDER BY hits DESC" -i:CSV -nSkipLines:4 -o:Chart -chartType:PieExploded3D -chartTitle:"Agent reason spread" -e:200 -dtLines:600
After running Log Parser, the table we generated is as follows:
This shows the number of mails in each category. The figure above is not very intuitive, so we use a pie chart to present the number of mails per category. Run the following statement to produce it:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" "SELECT CASE TO_INT(reasondata) WHEN NULL THEN 0 ELSE TO_INT(reasondata) END AS reasondata2, COUNT(*) AS hits INTO agentreasonspread.gif FROM c:\progra~1\Microsoft\exchan~1\transportroles\logs\agentlog\agent*.log GROUP BY reasondata2 ORDER BY hits DESC" -i:CSV -nSkipLines:4 -o:Chart -chartType:PieExploded3D -chartTitle:"Agent reason spread" -e:200 -dtLines:600
If you understand SQL, the statement above is not hard to follow. The key point is converting the data into an image, which requires the chart plug-in installed earlier! Here we convert all the data into a GIF file stored in the directory where the command is run. My command was run in the Administrator directory, so the GIF file can be found there to see the current state:
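To show what the query above actually computes, here is an added Python equivalent (not from the original post or from Microsoft): it skips the four metadata lines that -nSkipLines:4 drops, takes column names from the "#Fields:" row, folds empty or non-numeric ReasonData into bucket 0 exactly as the CASE/TO_INT expression does, and returns the same GROUP BY / ORDER BY hits DESC result. The field layout is assumed from the Exchange transport agent log format, and the sample log is constructed.

```python
import csv
from collections import Counter

# Constructed sample laid out like an Exchange transport agent log: four "#"
# metadata lines (the ones -nSkipLines:4 skips) and a "#Fields:" row that
# Log Parser reads as the CSV header. Column layout is assumed; values are made up.
SAMPLE_AGENT_LOG = """\
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Agent Log
#Date: 2010-01-01T00:00:00.000Z
#Fields: Timestamp,SessionId,IPAddress,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2010-01-01T00:01:00.000Z,08CC01,192.0.2.10,<m1@example.test>,a@example.test,a@example.test,u@contoso.test,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected,SclAtOrAboveRejectThreshold,9,
2010-01-01T00:02:00.000Z,08CC02,192.0.2.11,<m2@example.test>,b@example.test,b@example.test,u@contoso.test,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected,SclAtOrAboveRejectThreshold,9,
2010-01-01T00:03:00.000Z,08CC03,192.0.2.12,<m3@example.test>,c@example.test,c@example.test,u@contoso.test,1,Content Filter Agent,OnEndOfData,QuarantineMessage,,SclAtOrAboveQuarantineThreshold,7,
2010-01-01T00:04:00.000Z,08CC04,192.0.2.13,<m4@example.test>,d@example.test,d@example.test,u@contoso.test,1,Sender Id Agent,OnEndOfHeaders,RejectMessage,550 5.7.1 Sender ID check failed,Fail,,
2010-01-01T00:05:00.000Z,08CC05,192.0.2.14,<m5@example.test>,e@example.test,e@example.test,u@contoso.test,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected,SclAtOrAboveRejectThreshold,9,
"""


def parse_agent_log(text):
    """Return the data rows as dicts keyed by the names in the "#Fields:" line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip():
            continue  # metadata lines; Log Parser drops these via -nSkipLines:4
        else:
            if fields is None:
                raise ValueError("data row seen before the #Fields: header")
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def to_int_or_zero(value):
    """Mirror CASE TO_INT(reasondata) WHEN NULL THEN 0 ELSE TO_INT(reasondata) END:
    TO_INT yields NULL for empty or non-numeric text, which the query maps to 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def reason_spread(rows):
    """GROUP BY reasondata2 ORDER BY hits DESC, as (reasondata2, hits) pairs.
    Ties are broken by the bucket value so the output is deterministic."""
    hits = Counter(to_int_or_zero(r.get("ReasonData")) for r in rows)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
```

Bucket 0 mixes genuinely missing ReasonData (agents that log none) with non-numeric values, exactly as the Log Parser query does, so treat that slice of the pie accordingly.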
Let's take a look at the corresponding figure and look at the agent classification value: