Connectivity logging in Exchange Server

Connectivity logging records the outbound connection activity that's used to transmit messages on Exchange servers. In Exchange Server, the following services transmit messages, so they have connectivity logs:

  • The Transport service on Mailbox servers and Edge Transport servers.

  • The Front End Transport service on Mailbox servers.

  • The Mailbox Transport Submission service on Mailbox servers.

  • The Mailbox Transport Delivery service on Mailbox servers.

For more information about these transport services, and where they can transmit messages, see Mail flow and the transport pipeline.

Connectivity logging doesn't track the transmission of individual messages. Instead, it tracks the number and size of messages that were transmitted over a connection, DNS resolution information for the destination, and informational messages that are related to the connection.

By default, connectivity logging is enabled, and Exchange uses circular logging to limit the connectivity log files based on size and age to help control the hard disk space that's used. To configure connectivity logging, see Configure connectivity logging in Exchange Server.

Note: If you're interested in a detailed record of the entire SMTP protocol conversation from start to finish, see Protocol logging.

Structure of the connectivity log files

By default, the connectivity log files exist in these locations:

  • Mailbox servers:

    • Transport service: %ExchangeInstallPath%TransportRoles\Logs\Hub\Connectivity

    • Front End Transport service: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\Connectivity

    • Mailbox Transport Delivery service: %ExchangeInstallPath%TransportRoles\Logs\Mailbox\Connectivity\Delivery

    • Mailbox Transport Submission service: %ExchangeInstallPath%TransportRoles\Logs\Mailbox\Connectivity\Submission

  • Edge Transport servers

The naming convention for the connectivity log files is CONNECTLOGyyymmdd-nnnn.log. The placeholders represent the following information:

  • yyyyMMdd is the Coordinated Universal Time (UTC) when the log file was created. yyyy = year, MM = month, and dd = day.

  • nnnn is an instance number that starts at the value of 1 for each day.

Information is written to the log file until the file reaches its maximum size. Then, a new log file that has an incremented instance number is opened (the first log file is -1, the next is -2, and so on). Circular logging deletes the oldest log files when either of the following conditions are true:

  • A log file reaches its maximum age.

  • The connectivity log folder reaches its maximum size.

The connectivity log files are text files that contain data in the comma-separated value file (CSV) format. Each connectivity log file has a header that contains the following information:

  • #Software: The value is Microsoft Exchange Server.

  • #Version: The value is 15.0.0.0.

  • #Log-Type: The value is Transport Connectivity Log.

  • #Date: The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-MM-ddThh:mm:ss.fffZ, where yyyy = year, MM = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • #Fields: Comma delimited field names that are used in the connectivity log files. These values are described in the next section.

Fields in the connectivity log files

Connectivity logging stores each outbound connection event on a single line in the log. The information on each line is organized by fields, and these fields are separated by commas. The following table describes the fields that are used to classify each outgoing connection event.

Field name Description
date-time UTC date-time of the connection event. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-MM-ddThh:mm:ss.fffZ, where yyyy = year, MM = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
session A GUID value. The value is the same for every event that's associated with the session, but different for each session.
source One of these values:
  • SMTP for SMTP connections.
  • MapiDelivery for connections from the local mailbox database by the Mailbox Transport Delivery service.
  • MapiSubmission for connections from the local mailbox database by the Mailbox Transport Submission service.
destination These are some examples of values you'll see here:
  • In the Transport service:
    • The FQDN of the destination messaging server
    • shadowredundancy (on Mailbox servers only)
  • In the Front End Transport service:
    • internalproxy
    • client proxy
  • In the Mailbox Transport Delivery service:
    • The GUID of the destination mailbox database.
  • In the Mailbox Transport Submission service:
    • The GUID of the destination mailbox database.
    • mailboxtransportsubmissioninternalproxy
direction Single character that represents the start, middle, or end of the connection. The values you'll see here are:
  • +: Connect
  • -: Disconnect
  • >: Send
description Text information that's associated with the connection event. For example:
  • Number and size of messages that were transmitted.
  • DNS MX resource record resolution information for destination domains.
  • DNS resolution information for destination Mailbox servers.
  • Connection establishment messages.
  • Connection failure messages.

The transport services connect to and transmit messages to multiple destinations simultaneously. Entries in the log file from different connection events are interlaced (they typically aren't grouped together as one uninterrupted series of connection events). However you can use the fields (in particular, the unique session field value for a connection) to organize and arrange the log entries for each separate connection from start to finish.