We have seen a lot of cases where customers call to report that the number of their transaction logs has grown exponentially in the last day or the last few days. This can cause big issues, especially if the disk housing the transaction logs is not big enough to accommodate this growth between online backups.
Here are a few things that are the first to blame for unusually large amounts of transaction logs:
- Online maintenance - yes, during online maintenance, we move and shuffle data around within Exchange databases. That results in transactions, which in turn result in transaction logs being created. Of course, this log file growth would then happen mainly during the online maintenance period and not all day. In most cases this is not the cause, but it is a good thing to keep in mind.
- Public folder replication - we have seen many cases where a bunch of replicas for public folders were created on a specific server and then transaction logs get "out of control". This is understandable, as the content has to actually arrive at the server, which will produce transactions. Sometimes administrators don't think to check this one or might not be aware of it, as the replica change is done in the public folder hierarchy, so some other administrator on some other server might do it without telling anyone. :) Yup, saw a few of those… Since public folder replication messages are sent from public store to public store, the way to find out if this is your problem is to open the message tracking log (in Excel, for example) and sort it by recipients. Search for recipients with an address of "SERVERNAME-IS@domain.com", which is the proxy address that the public folder store will get by default.
- Looping messages - this one comes in different variations, but the bottom line is that messages are for some reason looping between the Exchange server and some other email system / server. The easiest way to get this figured out is again through the message tracking log. Now, this log is not too "human-friendly" to read, but if you sort it by recipients, you will be able to see if there is a specific mailbox or mailboxes that are just getting a TON of email compared to others. SMTP logging might help too, as you will see the actual SMTP verbs, including who is sending messages to whom. Since message looping is in many cases caused by rules (either on public folders or mailboxes), turning up Diagnostics Logging on rules for both private and public stores can help identify this problem too.
- Open relay - if your server is an open relay, there will be tons of transaction logs. You will also usually see a bunch of items in the BADMAIL folder. The key here is of course, locking the server down so it is not an open relay anymore. :)
- Scanning the M: drive with file-level AV software - this is probably the most frequent culprit in this area and we have seen it a LOT… The bottom line is that scanning the M: drive with file-level antivirus software will actually modify those items in several ways. Item-level ACLs might change. "Last Modified" time will change. This results in a sudden rush of MANY transaction logs while the AV software is scanning. If the scanning is scheduled on a daily basis, then it will happen every day, on the clock. Obviously, the way to stop it is to stop scanning the M: drive with file-level AV software.
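The "sort by recipients" check from the public folder replication and looping messages items above can also be scripted instead of done in Excel. This is an added example, not part of the original post: it assumes a tab-delimited log whose "#" header line names a Recipient-Address column, and the sample rows, column layout and 10x-median threshold are constructed assumptions to adjust against your own log.

```python
from collections import Counter
from statistics import median

def recipient_counts(log_text, column="Recipient-Address"):
    """Count rows per recipient in a tab-delimited tracking log."""
    index, counts = None, Counter()
    for line in log_text.splitlines():
        row = line.split("\t")
        if line.startswith("#"):
            # The '#' line that names the columns tells us where the recipient is.
            fields = [f.lstrip("# ").strip() for f in row]
            if column in fields:
                index = fields.index(column)
            continue
        if index is not None and len(row) > index and row[index].strip():
            counts[row[index].strip().lower()] += 1
    return counts

def public_store_recipients(counts):
    """Addresses shaped like SERVERNAME-IS@domain: the public store's default proxy."""
    return {a: n for a, n in counts.items() if a.split("@")[0].endswith("-is")}

def heavy_recipients(counts, factor=10):
    """Recipients with at least `factor` times the median row count (assumed threshold)."""
    if not counts:
        return {}
    typical = median(counts.values())
    return {a: n for a, n in counts.items() if n >= factor * typical}

def _rows(recipient, sender, n):
    return ["2000-01-01\t02:10:00\t%s\t%s" % (recipient, sender)] * n

# Constructed sample; column names and layout are assumptions, not a real log.
SAMPLE_LOG = "\n".join(
    ["# Message Tracking Log File (constructed sample)",
     "# Date\tTime\tRecipient-Address\tSender-Address"]
    + _rows("alice@example.com", "bob@example.com", 2)
    + _rows("bob@example.com", "alice@example.com", 3)
    + _rows("carol@example.com", "alice@example.com", 2)
    + _rows("dave@example.com", "carol@example.com", 1)
    + _rows("MAIL01-IS@example.com", "MAIL02-IS@example.com", 30)
    + _rows("loop@example.com", "loop@partner.example", 40)
)

if __name__ == "__main__":
    counts = recipient_counts(SAMPLE_LOG)
    for address, n in counts.most_common():
        print(n, address)
    print("public store:", public_store_recipients(counts))
    print("heavy:", heavy_recipients(counts))
```

A public store address near the top of the list points at replication traffic, while an ordinary mailbox far above the median is the one to check for a loop or a rule.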
Some related KB articles:
246965 XADM: Message Tracking Logs Field Descriptions in Exchange 2000 Server
http://support.microsoft.com/?id=246965
257265 XCON: General Troubleshooting for Exchange 2000 Transport Issues
http://support.microsoft.com/?id=257265
310380 HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in Windows
http://support.microsoft.com/?id=310380
324958 HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP
http://support.microsoft.com/?id=324958
328841 XADM: Exchange and Antivirus Software
http://support.microsoft.com/?id=328841
You Had Me at EHLO.