Checking Exchange SMTP Logs To Determine Usage
This week I was fortunate to return to one of my favourite customers, to help with Exchange 2010 migration activities. As we all know, Exchange 2010 will exit out of extended support on the 14th of January 2020.
Fortunately they are progressing very well with moving all mailboxes off Exchange 2010, and one of the last remaining items was to review SMTP mail flow through the Exchange 2010 Hub transport servers. This is required as we do not want to negatively impact senders who are still using the Exchange 2010 servers to send valid business email. Maintaining a list of those applications, services and Multi Function Devices can be challenging to keep updated. So we need to ensure that we have reviewed the current usage prior to decommissioning the servers.
We started with some simple LogParser 2.2 queries, but did not want to progress further down that avenue so I quickly wrote the below.
The intent is that it will parse the Exchange 2010 SMTP receive connector logs, to determine the endpoints connecting to the local receive connectors. Only the remote IP address is returned from the logs. This generates a series of IP addresses which are then deduped so that only unique values are present in the output.
Script makes multiple assumptions. For example, you actually enabled logging. Also that logging has been running long enough to capture a meaningful amount of data.
The script can be downloaded from the TechNet Script Gallery below:
The below is an example of the output after running in one of my labs:
The information is also persisted to an output.txt file which is created in the local directory. It contains the same content as written to the screen.