General tips on reading MailMarshal Exchange service logs


This article applies to:

  • Trustwave ECM/MailMarshal Exchange 7.X

Symptoms:

  • General tips on reading MailMarshal service logs.

Information:

The MailMarshal service logs are located by default in the \Logging\ subfolder of the install folder. The logs contain detailed information about the ongoing operation of each service. Familiarity with these logs is key to achieving a quick and successful understanding of MailMarshal issues.

Use Word Wrap wisely in Notepad.
Typically we view MailMarshal service logs in Notepad. Sometimes it is important to clearly see the columns in the log - if so turn off Word Wrap. Each service log will have three columns - the columns are Thread Number, Time, and Logged Data. At other times, it is more important to see all the Logged Data on-screen - in this case turn on Word Wrap. Also use Notepad in full screen mode.

Learn to use the thread number.
The MailMarshal services run multi-threaded. Therefore different threads of data can be written to the logs at the same time. When reading the logs the data appears to jump from topic to topic in a meaningless way. However if you follow the thread number you can easily track relevant entries. Use the Notepad search function to locate subsequent thread entries.

Note that thread numbers can be used again once freed up by the thread.

Use the Message ID
The message name (such as B422c96d90000) is also a useful way of tracking the progress of a message through the logs. Unlike the Thread number, it is unique and never reused. If the message is created with a filename of, say, B422c96d90000.000000000001.0001.mml, then the B422c96d90000 part will be used in all the MailMarshal logs when referencing this message, or any messages split from it. A split typically occurs if the message has multiple recipients, and a rule applies to some but not all recipients.

Use a Grep tool to parse information from logs
Given that logs may be appear cryptic due to the multithreaded operation of MailMarshal, some users find it extremely helpful to use a grep tool to assist viewing of relevant information in the logs. One example of such a tool is PowerGREP from JGS.

Follow the progress of a message from start to finish.
When it is being processed by MailMarshal Exchange, a message will be processed by the MailMarshal Transport Agent, Engine, and again the Transport Agent service.

Transport Agent:
The MEXTransportAgent logs steps for an individual message as follows:

  • Inspects messages in the Exchange Replay directory. 
  • If a message has already been processed by MailMarshal Exchange, no further action results.
  • If a message has NOT already been processed by MailMarshal Exchange, the message and header information is placed in a file and queued for Engine processing.

Engine:
The MMEngine logs steps for an individual message as follows:

  • Thread unpacks message.
  • Rules are run against message.
  • If a rule triggers, the actions taken against message are logged
  • If the message is to be delivered, it is moved to the ProcessedOK folder and then returned to the Exchange Replay directory.
    • In version 7.1, where possible messages are returned through an object in memory and not through the Replay directory.

Transport Agent:
As described above, the Agent checks the message and determines that no further action is required.

Notes on other MailMarshal Logs
MailMarshal Exchange includes two other services that exist in every MailMarshal system, the Controller and Array Manager services. In addition, the optional MMReleaseMessage logs activity.

The Agent Installer, Agent Controller, and Updater services also log activity, but they are not directly related to message processing.

MEXController Logs:
Each MailMarshal node will have a MailMarshal Controller, which interfaces between the central Array Manager and the node's mail processing services (Agent and Engine).

  • Reports on configuration updates received from the Array Manager.
  • Logs when message is unpacked for viewing in Console.
  • Logs when SQL log information is passed to Array Manager.

MEXArrayManager Logs:
Any given system of MailMarshal servers will have one central Array Manager

  • Logs LDAP and AD groups updates
  • Oversees and logs the status of MailMarshal nodes
  • Logs SQL database updates.
  • Records the processing of Digest Notifications

MEXReleaseMessage Logs
If you use the MEXReleaseMessage.exe external command to allow end users to release email, a log file is generated to record release activities.

  • Release code is parsed from message
  • Service connects to Node to locate and release message.

Notes:

See also the following Knowledge Base articles:

  • Q14023 - How do I read MailMarshal Log Files?
  • Q10545 - How does MailMarshal Exchange work? (message flow)


Last Modified 12/9/2010.
https://support.trustwave.com/kb/KnowledgebaseArticle14022.aspx