A few days ago I had a problem with transaction log files on a Exchange 2010 SP2 RU1 mail server. They grown and grown and grown... I saw above 160,000 (one hundred sixty thousand !!!) files belonging to a single mailbox database. The mailbox database itself was ca. 30 GByte in size. It was then no surprise that the appropriate volume exceeded it capacity after only a couple of hours.
I wouldn't even have noticed the issue but the appropriate backup job that should flush transaction log files among other things failed and didn't run. Because of the failed backup job the transaction log files were not flashed and were not removed but grown.
But what was the reason log files grown such extremely way? I held as first spam emails or wrong-configured inbox rules responsible for the rapid growth. But I could see very soon that the amount of emails in the mailbox database increased very slowly. And sometimes I saw three thousand transaction log files were generated during 15 minutes. You may remember that one transaction log file's size is one MByte by default. Somebody wrote that an iPhone device caused the trouble like this. I had to find the device, which caused the issue, because of buggy Exchange ActriveSync protocol implementation.
I used the following tools that helped me investigating the case and founding the real problem source:
- LPS (Log Parser Studio)
and
- ExMon (Exchange User Monitor)
The first one analyzes different log files (IIS log files from the responsible CAS server in this case) and can create statistics based on the analyses. It requires "Log Parser 2.2" to be installed. The pre-defined queries are very good, I used "ActiveSync Report [Top 20]" to find the device that caused the traffic and the creation of the transaction log files:
The very big amount of Hits and Pings in the first line of the statistics indicates that the device causes a problem.
The second helpful tool comes from world of Exchange 5.5 and 2003, but it runs under Exchange 2010 as well. It died showing an exception, but it was no big thing. I had to run it as administrator. ExMon shows a very detailed statistics about the recent client access, packets, sessions and client device versions. The statistics can be saved to be analyzed later.
In my case the same device as found with LPS caused a lot of sessions and a high CPU (regarding CPU time for the store process).
After that I disabled the ActiveSync protocol for the user and a couple of minutes later the growth of transaction log files became moderate, I'd say normal. The problem was solved.
Below I'd like to note some links relative to the tools I used:
Log Parser + Log Parser Studio:
http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx
http://blogs.technet.com/b/exchange/archive/2012/03/07/introducing-log-parser-studio.aspx
Exchange User Monitor
http://www.microsoft.com/en-us/download/details.aspx?id=11461
http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html
Exchange 2010 transaction logfiles grow very fast
Eingestellt von
Unknown
Friday, May 18, 2012
15:37
Subscribe to:
Post Comments (Atom)

 
 
 
 
this was very use full
Thanks a lot!
what action did you take for those users who are causing this issue... did you enable them after sometime, or did you remove the partner ship or recreated the profile or did you ask user to update their device
Unknown
24 March, 2013 15:57Hi Rajesh, glad to hear it :-)
If a user causes an issue I'd like to find out what is the exactly reason: a buggy firmware? a buggy ActiveSync speaking app? something else? So I'll take a look at his/her smartphone. Sometimes the re-installing of the app helps. Sometimes you have to wait for an update from the manufacturer. The clear answer is: it depends ;-)
Unknown
27 March, 2013 10:09What would be a Normal value for the Hit count or Ping count? I guess my question is what values would indicate "abnormal" behavior? Is there a threshold of number that would indicate something abnormal?
Thanks
Anonymous
28 March, 2013 19:21I don't have any absolute numbers. I believe that there aren't any. The easierst way is to look for values that are notable in relation to others.
Unknown
29 March, 2013 17:28Thanks Hermann!
We used LPS and found 1 user with some pretty abnormally high values (user was running an IOS 6.1.3 device) and they were experiencing battery drain issues (which I believe have been common issues with IOS 6 devices recently.
We will continue to monitor.
Is there someplace where the LPS value for Activesync for HITS, PING, SYNC and MEETINGRESPONSE values are documented? I'm trying to understand what those values mean?
THANKS
Anonymous
29 March, 2013 18:43I'm sure the counters depend on the device usage. I can imagine that only relative values make sense, not absolute ones.
Unknown
07 April, 2013 11:55Hi Hermann, any news about this issue?
I'm facing the same problem with a single account, the environment is with Exchange 2010 SP3 and the user is using the iPhone 4 with iOS 6.1.3.
I disabled ActiveSync for this user and the problem has normalized.
I will open a case on this issue, because this mailbox is a director.
Thanks,
Ricardo Chiste
Anonymous
20 August, 2013 01:42It's 3 months laters. Somebody could have figured out what the normal values would be? If you don't know then how would this be useful?
Anonymous
03 December, 2013 04:11Hi, I have used log parser and found an account with loads of hits. However, it has no user, device or any other info. Any ideas please?
Anonymous
14 September, 2014 15:39Hi,
I have this problem with transaction logs rapidly filling a drive, but every time I try to run the ActiveSync Report (Top20) query you describe, I dont get any results. What am I doing wrong?
Mike
22 January, 2015 09:33Hi Mike,
The log files usually here: C:\inetpub\logs\LogFiles\W3SVC1
Try it.
Best!
Attila
23 March, 2015 10:20Some really nice stuff on this site, I enjoy it.
Anonymous
21 March, 2018 17:51