Once we have finished analysing the agent logs, management sometimes wants a picture of the overall mail usage of the whole system. How do we get that? This is where Log Parser comes in, this time run against the protocol logs.
The protocol logs normally live under C:\Progra~1\Microsoft\Exchan~1\TransportRoles\Logs\ProtocolLog. Let's start with the global inbound connection profile, which needs the following command:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT QUANTIZE(TO_TIMESTAMP (EXTRACT_PREFIX(TO_STRING(EXTRACT_SUFFIX([#Fields: date-time],0,'T')),0,'.'), 'hh:mm:ss'),3600) AS Hour, COUNT(*) AS Hits INTO radar_traffic.gif FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV*.LOG WHERE event='+' GROUP BY Hour ORDER BY Hour ASC" -i:CSV -nSkipLines:4 -o:CHART -charttype:RadarLineFilled -charttitle:" Global total SMTP inbound simultaneous connections per hours"
What we generate here is a chart, which shows very intuitively how many inbound connections there were at each point in time. Note that the timestamps are in UTC, so 0:00 on the chart corresponds to 8:00 local time. The resulting radar chart gives a clear view of our current inbound connections:
Next we want to see the overall distribution of outbound sending, which the following command produces:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT QUANTIZE(TO_TIMESTAMP (EXTRACT_PREFIX(TO_STRING(EXTRACT_SUFFIX([#Fields: date-time],0,'T')),0,'.'), 'hh:mm:ss'),3600) AS Hour, COUNT(*) AS Hits INTO radar_traffic_send.gif FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\ProtocolLog\SmtpSend\SEND*.LOG WHERE event='+' GROUP BY Hour ORDER BY Hour ASC" -i:CSV -nSkipLines:4 -o:CHART -charttype:RadarLineFilled -charttitle:" Global total SMTP outbound simultaneous connections per hours"
Open the directory the command was run from and you will find the radar_traffic_send.gif just generated; the outbound connection counts look like this:
Next we analyse suspicious senders. This is done in two parts: first we write the suspicious senders to an XML file, then we read that XML file back into Log Parser.
Let's run the first step with the following command:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT EXTRACT_PREFIX(remote-endpoint,0,':') AS Remote-host, count (*) AS hits INTO SuspiciousSenders.xml FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV*.log WHERE TO_INT(SUBSTR(DATA,0,3)) > 500 AND event = '>' GROUP BY Remote-host ORDER BY hits DESC" -i:CSV -nSkipLines:4 -o:XML
This creates the XML file in the directory the command was run from. Now the second step, reading the data from the XML back into Log Parser, with the following command:
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT TOP 10 REVERSEDNS(Remote-host), hits FROM SuspiciousSenders.xml" -i:XML -o:DATAGRID
The result looks like this:
Next, let's look at the main reasons why mail sent from our side is rejected. We can use the following command:
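The two Log Parser queries above (hourly inbound '+' connections, and remote hosts that received 5xx responses) rely on the layout of the RECV*.LOG files: four '#' header lines, then a '#Fields:' line naming the CSV columns. The following Python is an added example, not from the original post or from Log Parser, that parses that layout over a constructed sample log and reproduces both queries; unlike the post's '> 500' filter it counts every 5xx response (>= 500), and it strips the port with rsplit so IPv6 endpoints also work. The sample lines, host names and IP addresses are constructed.

```python
import csv
from collections import Counter

# Constructed sample of an Exchange 2010 SmtpReceive RECV*.LOG (not from the post);
# the four leading '#' lines are the ones the page's -nSkipLines:4 skips.
SAMPLE_RECV_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2013-05-06T00:00:01.123Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-05-06T00:00:01.123Z,EX01\\Default EX01,08CFDBC3B0A1E6A9,0,10.0.0.5:25,192.0.2.10:40211,+,,
2013-05-06T00:00:01.456Z,EX01\\Default EX01,08CFDBC3B0A1E6A9,1,10.0.0.5:25,192.0.2.10:40211,>,"220 ex01.example.test Microsoft ESMTP MAIL Service ready",
2013-05-06T00:00:02.001Z,EX01\\Default EX01,08CFDBC3B0A1E6A9,5,10.0.0.5:25,192.0.2.10:40211,>,550 5.7.1 Unable to relay,
2013-05-06T01:15:00.000Z,EX01\\Default EX01,08CFDBC3B0A1E6AA,0,10.0.0.5:25,192.0.2.10:40300,+,,
2013-05-06T01:15:00.200Z,EX01\\Default EX01,08CFDBC3B0A1E6AA,3,10.0.0.5:25,192.0.2.10:40300,>,550 5.7.1 Unable to relay,
2013-05-06T01:20:00.000Z,EX01\\Default EX01,08CFDBC3B0A1E6AB,0,10.0.0.5:25,198.51.100.7:51002,+,,
2013-05-06T01:20:00.300Z,EX01\\Default EX01,08CFDBC3B0A1E6AB,4,10.0.0.5:25,198.51.100.7:51002,>,250 2.6.0 Queued mail for delivery,
"""

def parse_protocol_log(text):
    """Yield one dict per record; the '#Fields:' line supplies the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue  # #Software/#Version/#Log-type/#Date headers and blank lines
        elif fields is None:
            raise ValueError("data row before #Fields: header")
        else:
            yield dict(zip(fields, next(csv.reader([line]))))

def connections_per_hour(records):
    """Hourly count of '+' (connect) events: the radar chart as a table; hours are UTC."""
    hours = Counter()
    for r in records:
        if r["event"] == "+":
            hours[r["date-time"][11:13] + ":00"] += 1
    return dict(sorted(hours.items()))

def suspicious_senders(records, min_code=500):
    """Remote hosts our server answered with 5xx ('>' events), most hits first.
    The port is stripped from remote-endpoint with rsplit so IPv6 endpoints work too."""
    hits = Counter()
    for r in records:
        code = r["data"][:3]
        if r["event"] == ">" and code.isdigit() and int(code) >= min_code:
            hits[r["remote-endpoint"].rsplit(":", 1)[0]] += 1
    return hits.most_common()
```

To run it over real logs, read each RECV*.LOG file as text and pass it to parse_protocol_log; the functions are otherwise unchanged.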
"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT CASE TO_INT( SUBSTR(DATA,0,3)) when NULL then 0 else TO_INT( SUBSTR(DATA,0,3)) END AS RemoteHostReturnCode, data, count (*) AS hits FROM C:\Progra~1\Microsoft\Exchan~1\V14\TransportRoles\Logs\ProtocolLog\SmtpSend\SEND*.log WHERE RemoteHostReturnCode > 400 AND context <> 'Certificate thumbprint' AND context <> 'sending message' GROUP BY RemoteHostReturnCode, data ORDER BY hits DESC" -i:CSV -nSkipLines:4 -o:DATAGRID
Let's see what the most common error codes and their causes are; the chart below shows them: