A few days ago I had a problem with transaction log files on a Exchange 2010 SP2 RU1 mail server. They grown and grown and grown... I saw above 160,000 (one hundred sixty thousand !!!) files belonging to a single mailbox database. The mailbox database itself was ca. 30 GByte in size. It was then no surprise that the appropriate volume exceeded it capacity after only a couple of hours.
I wouldn't even have noticed the issue but the appropriate backup job that should flush transaction log files among other things failed and didn't run. Because of the failed backup job the transaction log files were not flashed and were not removed but grown.
But what was the reason log files grown such extremely way? I held as first spam emails or wrong-configured inbox rules responsible for the rapid growth. But I could see very soon that the amount of emails in the mailbox database increased very slowly. And sometimes I saw three thousand transaction log files were generated during 15 minutes. You may remember that one transaction log file's size is one MByte by default. Somebody wrote that an iPhone device caused the trouble like this. I had to find the device, which caused the issue, because of buggy Exchange ActriveSync protocol implementation.
I used the following tools that helped me investigating the case and founding the real problem source:
- LPS (Log Parser Studio)
- ExMon (Exchange User Monitor)
The first one analyzes different log files (IIS log files from the responsible CAS server in this case) and can create statistics based on the analyses. It requires "Log Parser 2.2" to be installed. The pre-defined queries are very good, I used "ActiveSync Report [Top 20]" to find the device that caused the traffic and the creation of the transaction log files:
The very big amount of Hits and Pings in the first line of the statistics indicates that the device causes a problem.
The second helpful tool comes from world of Exchange 5.5 and 2003, but it runs under Exchange 2010 as well. It died showing an exception, but it was no big thing. I had to run it as administrator. ExMon shows a very detailed statistics about the recent client access, packets, sessions and client device versions. The statistics can be saved to be analyzed later.
In my case the same device as found with LPS caused a lot of sessions and a high CPU (regarding CPU time for the store process).
After that I disabled the ActiveSync protocol for the user and a couple of minutes later the growth of transaction log files became moderate, I'd say normal. The problem was solved.
Below I'd like to note some links relative to the tools I used:
Log Parser + Log Parser Studio:
Exchange User Monitor