Last week a colleague asked me to generate a list of all mail sent to a specific mailbox, including the timestamp. We use Exchange 2003, and we don't delete the log files, so theoretically I had all the information: all the emails sent to the mailbox, and the date and time. Hmm… how to dig into 6 GB (!!) of log files? Some searching turned up Log Parser, a free tool from Microsoft.
Log Parser is a very powerful (but little-known) tool for executing SQL queries on log files. It can export the results to a text file, CSV, or even a SQL database! A nice column about it can be found on Microsoft's site.
I did the following to extract the information from the log files and to create a nice graph:
- Download and install Log Parser
- Run dir > dirlist.txt in the Exchange log file folder to get a list of all the Exchange log files. Then use e.g. Notepad+ to convert the list to a single comma-separated line
- Run the following query to extract the needed information from your log file(s): logparser -i:w3c -q:ON "SELECT * FROM [complete path to your logfile *.log] [, complete path to your second logfile *.log when needed] WHERE Recipient-Address LIKE '[the email address you want to monitor]' AND Event-ID = 1028" > c:\export.txt
- Load the created text file into Excel, delete the unnecessary columns (every column except the date and time in my case) and create some fancy graphs
- Done!
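The same filter as the query in step 3, written in Python instead of Log Parser, as an added example that is not part of the original post. It assumes the tracking logs are tab-separated with the column names on a `# Date...` comment line; the sample rows, addresses and function names are constructed for illustration.

```python
import glob
import io
from collections import Counter

# Constructed sample. Assumed layout: tab-separated rows, column names on a
# "# Date<TAB>Time<TAB>..." comment line (real logs carry more columns).
SAMPLE_LOG = (
    "# Message Tracking Log File\n"
    "# Date\tTime\tRecipient-Address\tEvent-ID\tSender-Address\n"
    "2010-3-1\t8:15:02 GMT\thelpdesk@example.com\t1020\talice@example.com\n"
    "2010-3-1\t8:15:02 GMT\thelpdesk@example.com\t1028\talice@example.com\n"
    "2010-3-1\t9:40:11 GMT\tsomeone.else@example.com\t1028\tbob@example.com\n"
    "2010-3-2\t14:03:57 GMT\tHelpDesk@example.com\t1028\tcarol@example.com\n"
)

def read_rows(stream):
    """Yield one dict per data row, keyed by the names on the header line."""
    fields = None
    for line in stream:
        line = line.rstrip("\r\n")
        if line.startswith("#"):
            names = line.lstrip("# ").split("\t")
            if "Recipient-Address" in names:  # this is the column-name line
                fields = names
        elif fields and line:
            yield dict(zip(fields, line.split("\t")))

def deliveries(stream, mailbox, event_id="1028"):
    """(date, time) of each row matching the WHERE clause from step 3."""
    return [(row["Date"], row["Time"]) for row in read_rows(stream)
            if row.get("Recipient-Address", "").lower() == mailbox.lower()
            and row.get("Event-ID") == event_id]

def scan_folder(pattern, mailbox):
    """Run the filter over every file matching pattern, one line at a time."""
    hits = []
    for path in sorted(glob.glob(pattern)):
        # latin-1 is an assumption; it decodes any byte without raising.
        with open(path, encoding="latin-1", newline="") as fh:
            hits += deliveries(fh, mailbox)
    return hits

def per_day(hits):
    """Count matching deliveries per date, ready to chart."""
    return Counter(date for date, _ in hits)

if __name__ == "__main__":
    hits = deliveries(io.StringIO(SAMPLE_LOG), "helpdesk@example.com")
    print(hits, dict(per_day(hits)))
```

`scan_folder` takes a glob pattern for the log folder, so no hand-built file list is needed, and it reads each file line by line rather than loading it whole.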
I am trying to follow your instructions. I have logparser installed. What is the point of step 2?
When I run the command in step three I get the following error:
C:\Program Files\Log Parser 2.2>logparser -i:w3c -q:ON “SELECT * FROM Z:\20100301.log WHERE Recipient-Address LIKE `email@domain.com` AND Event-ID = 1028? > c:\export.txt
Error: detected extra argument “*” after query
What am I doing wrong?
Blaine Kehl