Exchange Logs growing rapidly—Strings.exe

Hello All. In this post we will looking into what are the steps that are supposed to be checked when there is a Rapid growth in Exchange logs. We all know that in Exchange logs get generated when any modifications is done on the database.

Logs generally increases because of the following reasons

-> Mailbox has mails stuck in the outbox and the mails keeps on trying to resend

-> Any third party like anti virus,any mail related Soft wares

-> Active Sync issues

-> Mailbox or database corruption

-> Also CRM user can be a reason

And many more reasons. In this post we will learn how to narrow down the issue and fix it.

To see the items stuck in outbox use the below command to retrieve the number of items in the outbox

Get-mailbox -ResultSize Unlimited| Get-MailboxFolderStatistics -folderscope Outbox | Sort-Object Foldersize -Descending | select-object identity,name,foldertype,itemsinfolder,@{Name=”FolderSize MB”;expression={$_.folderSize.toMB()}} | export-csv OutboxItems.csv

From the CSV file we can see the items counts in the Outbox folders and delete them. We have another tool called Exmon which can be downloaded from here Exmon

From this tool we can see the user who are using the exchange server a lot We can also see the Bytes in ,Bytes out and the CPU usage. This tool will refresh automatically or we can refresh manually to see the usage of the user in a interval of time.

If this is because of active sync we can disable the active sync devices and then test the log growth If its fine then we have to update the OS version of all the active sync devices

If its because of database corruption then we can either run isinteg, or repair to remove the corruption. Also we can move the mailboxes to a new database to remove the corruption.

Now none of the above give us any idea and we don’t have any clue as to what is happening then we can parse the logs that are created to see which user is causing the high log file growth. To do this we have to collect about 100 logs that were created during the issue occurred. Please download the strings.exe from this location Strings

Extract and place it in a folder, open PowerShell and browse to the location of the exe file for this post i consider the Strings.exe is in C:\Strings.

As discussed collect the 100 logs and place it a location for this post i consider the logs are on C:\User\Administrator\desktop\Log

Run the below command to see the user have high number occurrence in the logs. The CSV file will be arranged in the Least to greater occurrence.


.\strings.exe -q -n 16 D:\templogs\*.log | foreach-object { ($_.Split(“:”.ToCharArray(),3)[2]) }| group-object | select-object count,name | sort count | export-csv C:\temp\output.csv


.\strings.exe -q -n 16 C:\user\Administrator\Desktop\log\*.log | foreach-object { ($_.Split(“:”.ToCharArray(),3)[2]) }| group-object | select-object count,name | sort count | export-csv C:\temp\output.csv


When we open the CSV file and scroll down to the last we can see the mailbox names that has the maximum Occurrences and accordingly we can take action on the mailbox to stop the Log file growth.



Happy Learning.

Like this post? Please share to your friends:
Comments: 1
  1. Sathesh

    Its a good Post Chris. It will be a good reference Article for me .

    Thank you

Leave a Reply