
Tuesday, April 17, 2007

 

Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs

Posted by Bharat Suneja at 9:11 AM
The anti-spam agents in Exchange Server 2007 log their actions in agent logs. By default, agent logs reside in \Exchange Server\TransportRoles\Logs\AgentLog. Each agent log file is 10 MB in size. The size of the directory is capped at 250 MB, and the age of a log at 30 days. (Logs are flushed when they "age" past 30 days or when the directory size reaches 250 MB, whichever happens first.)

Service Pack 1
Additional agent log configuration parameters in SP1

Exchange Server 2007 RTM: In the RTM version, there is only one configuration option for the agent log: whether to enable or disable it.

Exchange Server 2007 SP1: Additional parameters were added to control the maximum directory size, file size and age of agent logs.

The config options available:
1) Enable/Disable agent log: Boolean value - TRUE/FALSE
2) Max directory size: In bytes. If not specified, the default is 250 MB or 262144000 bytes.
3) Max file size: In bytes. If not specified, the default is 10 MB or 10485760 bytes.
4) Max age: If not specified, the default is 30 days.

The agent log configuration parameters can be controlled by editing the EdgeTransport.exe.config file, located in \Exchange Server\Bin folder on Edge and Hub Transport servers.

To disable agent logging, insert the following key under <appSettings></appSettings> in the config file (the element name is case-sensitive):

<add key="AgentLogEnabled" value="FALSE" />

In the following example, we change the max directory size to 500 MB, the file size to 20 MB, and the age to 60 days by creating new keys in EdgeTransport.exe.config:

<add key="AgentLogMaxDirectorySize" value="524288000" />
<add key="AgentLogMaxFileSize" value="20971520" />
<add key="AgentLogMaxAge" value="60.00:00:00" />
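The same change made from PowerShell, as an added example (not code from the original post or from Microsoft): the keys are created or updated through the XML API instead of by hand-editing, with a backup taken first. The install path and the standard <configuration><appSettings> layout of the file are assumptions.

```powershell
# Added example, not code from the original post or from Microsoft: sets the
# SP1 agent-log keys in EdgeTransport.exe.config through the XML API rather
# than by hand-editing. The install path below is an assumption; adjust it.
$configPath = 'C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config'

function Set-AppSettingKey {
    # Create or update one <add key="" value="" /> element under <appSettings>.
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $appSettings = $Config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $Config.DocumentElement.AppendChild($Config.CreateElement('appSettings'))
    }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $appSettings.AppendChild($Config.CreateElement('add'))
        $node.SetAttribute('key', $Key)
    }
    $node.SetAttribute('value', $Value)
}

function Set-AgentLogSettings {
    # Apply the values from the post (500 MB directory, 20 MB files, 60 days), keeping logging on.
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$MaxDirectorySize = 500MB,
        [long]$MaxFileSize = 20MB,
        [timespan]$MaxAge = [timespan]::FromDays(60)
    )
    # Back up first: a malformed config file stops the transport service from starting.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    [xml]$cfg = Get-Content -Path $Path -Raw
    Set-AppSettingKey -Config $cfg -Key 'AgentLogEnabled'          -Value 'TRUE'
    Set-AppSettingKey -Config $cfg -Key 'AgentLogMaxDirectorySize' -Value ([string]$MaxDirectorySize)
    Set-AppSettingKey -Config $cfg -Key 'AgentLogMaxFileSize'      -Value ([string]$MaxFileSize)
    Set-AppSettingKey -Config $cfg -Key 'AgentLogMaxAge'           -Value $MaxAge.ToString()   # "60.00:00:00"
    $cfg.Save($Path)
}

Set-AgentLogSettings -Path $configPath
# EdgeTransport.exe reads its config at startup, so restart the transport service to apply the change.
Restart-Service -Name MSExchangeTransport
```

Run it from an elevated shell on the Hub or Edge Transport server. Sizes are passed as byte counts (PowerShell's 500MB literal is 524288000), and the age as a .NET TimeSpan string, which matches the values the post shows.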

Parsing the agent log: You can parse the agent log using the Get-AgentLog command from the Exchange Management Shell. By default, this parses the agent logs residing in the default location. If you've copied a set of agent logs to an alternate location, you can specify it with the -Location parameter. In this example the agent logs have been copied to the Z:\AntiSpam Agent Logs directory:

Get-AgentLog -location "Z:\AntiSpam Agent Logs"

Here's what an entry in the agent log looks like - note the different fields and their values:

Timestamp : 4/16/2007 12:39:49 AM
SessionId : 08C948C83FB951AC
IPAddress : 72.46.133.113
MessageId :
P1FromAddress : ret@noncornelan.com
P2FromAddresses : {}
Recipients : {foo@yourdomain.com}
Agent : Connection Filtering Agent
Event : OnRcptCommand
Action : RejectCommand
SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list
Reason : BlockListProvider
ReasonData : Spamhaus SBL-XBL
Diagnostics :


As seen in the above output, the logs provide adequate information for reporting on anti-spam activity, as well as for troubleshooting anti-spam issues like messages not being received/wrongly filtered out.

Getting to know the agent logs will make troubleshooting such issues much easier.

By default, the Get-AgentLog command returns all the entries in the agent logs. It can be constrained to a particular date and time range, which is the recommended way to perform most agent log searches, unless you want to immerse yourself in 30 days (or 250 MB) of anti-spam goodness! This is done using the -StartDate and -EndDate parameters:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007"

You can also constrain it further by adding time of the day:

Get-AgentLog -StartDate "4/17/2007 8:00 AM" -EndDate "4/17/2007 2:00 PM"

Though the Get-AgentLog command itself only takes these three parameters (Location, StartDate and EndDate), you can filter its output further on most of the logged fields by piping it to where (Where-Object).

To filter the log to show messages to a particular recipient:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007" | where {$_.recipients -like "foo@yourdomain.com"}

To search for messages from a particular sender:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007" | where {$_.P1FromAddress -like "aqe@easymoney2u.com" -or $_.P2FromAddresses -like "aqe@easymoney2u.com"}

To search for messages from a particular domain:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007" | where {$_.P1FromAddress -like "*somedomain.com" -or $_.P2FromAddresses -like "*somedomain.com"}

To filter by the anti-spam agent that acted on a message, e.g. Connection Filtering Agent:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.Agent -eq "Connection Filtering Agent"}

Similarly, you can filter by the other agents that write to the agent logs:
1) Content Filter Agent
2) Sender ID Agent
3) Sender Filter Agent
4) Recipient Filter Agent
5) Edge Rules Agent

To filter agent logs by the sending host's IP address, use the following command:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.IPAddress -eq "72.46.133.113"}

The reason field in each log entry specifies the reason supplied by the anti-spam agent that takes the action. For instance, as seen in the agent log entry shown earlier in this article, the agent that acted on the message is the Connection Filtering Agent, the reason is BlockListProvider (i.e. "RBL" or "Real-time Block List", known as IP Block Lists in Exchange Server 2007). The ReasonData field gives you the name of the IP Block List Provider, as configured in Exchange. In the above agent log entry, it is "Spamhaus SBL-XBL". To constrain the search for messages blocked by IP Block List Providers:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.Reason -eq "BlockListProvider"}

To get a list of all IP addresses blocked by IP Block List Providers:

Get-AgentLog -StartDate "12/21/2007" | where {$_.Reason -eq "BlockListProvider"} | ft Timestamp,IPAddress,ReasonData

You can also look for messages blocked by a particular IP Block List Provider:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.ReasonData -eq "Spamhaus SBL-XBL"}

For messages scanned by the Content Filter Agent, the Reason field contains details like SCLAtOrAboveDeleteThreshold, SCLAtOrAboveRejectThreshold, etc. The ReasonData field contains the SCL value assigned to the message. To get a list of messages above the SCLDeleteThreshold, use the following command:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.reason -eq "SCLAtOrAboveDeleteThreshold"}
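The filters above answer one question at a time. The following added example (not code from the original post) turns the same fields into three reusable reports: a count of actions per agent and reason, a per-source view of block-list rejections, and a single-recipient trace for the "why didn't the message arrive" case. The functions operate on the object shape Get-AgentLog returns; the entries here are constructed inline (modelled on the log entry shown earlier, with made-up addresses and SCL values) so the script runs without an Exchange server.

```powershell
# Added example, not code from the original post. The report functions work on
# the object shape Get-AgentLog returns (the fields shown above); the entries
# are constructed inline so the script runs without an Exchange server.
function New-AgentLogEntry {
    param(
        [string]$Timestamp, [string]$IPAddress, [string]$From, [string[]]$Recipients,
        [string]$Agent, [string]$Event, [string]$Action, [string]$Reason, [string]$ReasonData
    )
    [pscustomobject]@{
        Timestamp       = [datetime]$Timestamp
        SessionId       = '0000000000000000'    # constructed placeholder
        IPAddress       = $IPAddress
        MessageId       = ''
        P1FromAddress   = $From
        P2FromAddresses = @()
        Recipients      = $Recipients
        Agent           = $Agent
        Event           = $Event
        Action          = $Action
        Reason          = $Reason
        ReasonData      = $ReasonData
    }
}

# Constructed sample entries: the first mirrors the entry shown in the post, the
# rest are made-up block-list and content-filter hits (ReasonData carries the SCL).
$sample = @(
    @{ Timestamp = '2007-04-16T00:39:49'; IPAddress = '72.46.133.113'; From = 'ret@noncornelan.com'
       Recipients = 'foo@yourdomain.com'; Agent = 'Connection Filtering Agent'; Event = 'OnRcptCommand'
       Action = 'RejectCommand'; Reason = 'BlockListProvider'; ReasonData = 'Spamhaus SBL-XBL' }
    @{ Timestamp = '2007-04-16T03:12:05'; IPAddress = '72.46.133.113'; From = 'x@example.net'
       Recipients = 'bar@yourdomain.com'; Agent = 'Connection Filtering Agent'; Event = 'OnRcptCommand'
       Action = 'RejectCommand'; Reason = 'BlockListProvider'; ReasonData = 'Spamhaus SBL-XBL' }
    @{ Timestamp = '2007-04-16T09:45:30'; IPAddress = '198.51.100.7'; From = 'news@example.org'
       Recipients = 'foo@yourdomain.com', 'bar@yourdomain.com'; Agent = 'Content Filter Agent'; Event = 'OnEndOfData'
       Action = 'DeleteMessage'; Reason = 'SCLAtOrAboveDeleteThreshold'; ReasonData = '9' }
    @{ Timestamp = '2007-04-16T10:02:11'; IPAddress = '203.0.113.20'; From = 'offer@example.com'
       Recipients = 'foo@yourdomain.com'; Agent = 'Content Filter Agent'; Event = 'OnEndOfData'
       Action = 'RejectMessage'; Reason = 'SCLAtOrAboveRejectThreshold'; ReasonData = '7' }
) | ForEach-Object { $p = $_; New-AgentLogEntry @p }

function Get-AgentLogSummary {
    # Count of actions per agent and reason: the first view to check when users
    # report missing mail, or when tuning SCL thresholds.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Group-Object Agent, Reason, Action | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Agent';  e = { $_.Group[0].Agent } },
            @{ n = 'Reason'; e = { $_.Group[0].Reason } },
            @{ n = 'Action'; e = { $_.Group[0].Action } }
}

function Get-BlockedSourceReport {
    # Per-IP view of block-list rejections with the provider(s) that listed each host;
    # shows persistent sources and providers that generate unexpected hits.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object { $_.Reason -eq 'BlockListProvider' } |
        Group-Object IPAddress | ForEach-Object {
            [pscustomobject]@{
                IPAddress = $_.Name
                Hits      = $_.Count
                Providers = ($_.Group | ForEach-Object { $_.ReasonData } | Sort-Object -Unique) -join ', '
                LastSeen  = ($_.Group | Sort-Object Timestamp -Descending | Select-Object -First 1).Timestamp
            }
        } | Sort-Object Hits -Descending
}

function Find-RecipientEntries {
    # Everything any agent did to mail addressed to one recipient, in one table.
    param([Parameter(Mandatory)][object[]]$Entries, [Parameter(Mandatory)][string]$Recipient)
    $Entries | Where-Object { $_.Recipients -contains $Recipient } |
        Select-Object Timestamp, IPAddress, P1FromAddress, Agent, Action, Reason, ReasonData
}

# With live data on a Hub or Edge Transport server, replace $sample with
#   Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007"
Get-AgentLogSummary     -Entries $sample | Format-Table -AutoSize
Get-BlockedSourceReport -Entries $sample | Format-Table -AutoSize
Find-RecipientEntries   -Entries $sample -Recipient 'foo@yourdomain.com' | Format-Table -AutoSize
```

Keep the date range on Get-AgentLog narrow and build the report on the result, as in the usage lines; grouping the full 250 MB of logs in memory is slow and rarely needed. Recipients is a collection, so -contains matches an exact address within it, which is the check the recipient trace relies on.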

As shown in the above examples, you can use the Get-AgentLog command and pipe the data to filter it based on the fields logged. You can get more details about agent logs - including the fields logged, from the Managing Agent Logging section in Exchange Server 2007 documentation.

Updates
2/9/2008: Added sidebar about additional configuration parameters available in SP1.


5 Comments:

April 17, 2007 10:14 PM
Anonymous rv@eg.cz said...

Hi,

please, do you know, what does it mean "LocalBlockList" as Reason in Get-AgentLog cmdlet result?

 
April 18, 2007 9:44 AM
Blogger Bharat Suneja said...

You'll see the Reason field with value "LocalBlockList" if the Connection Filtering Agent blocks a message from a host that's listed on the IP Block List. The ReasonData field tells you if the IP was listed manually by the admin, or if the Sender Reputation agent added it.

Bharat

 
February 8, 2008 12:24 PM
Blogger Chris Mace said...

Is there a way to increase the size of the log folder for the Agent logs? 250 MB only gives me about 2.5 days worth of historical data and that's just not enough.

Thanks
Chris Mace

 
February 8, 2008 1:08 PM
Blogger Bharat Suneja said...

No. From the above post:
There's only one configuration option for the agent log - that to enable or disable it.

 
February 8, 2008 2:57 PM
Blogger Bharat Suneja said...

Chris,

Update to my previous response: it seems additional configuration parameters were indeed added in Exchange Server 2007 SP1. The post has been modified to reflect that.

Thanks for asking this - prompted me to look, and correct the post. :)

Thanks to the helpful folks in the Exchange team for pointing me in the right direction: How to Manage Agent Log Output.

 
