Unexpected transaction log file growth (Exchange)

I’ve recently spent a considerable amount of time trying to figure out why a client’s transaction logs were growing at the rate they were. I am talking 50GB worth of logs for one store every day. There really wasn’t anything warranting such growth. The usual things that came to mind, like an inbound/outbound spam issue, didn’t apply. I did a message tracking search to confirm this, and with hindsight I should have really spotted the issue at that very point.

I had limited my search to a specific time period – but I would get a few messages showing a sent date outside of the range. This was because the range you set in message tracking is when the message was logged – not when it originated. For some reason I decided not to pay any attention to this and to persevere with some transaction log analysis.

Scott Oseychik’s guide on transaction log analysis is great for this:

  1. Download the “Unix for Win32” utilities from http://downloads.sourceforge.net/unxutils/UnxUtils.zip?modtime=1172730504&big_mirror=0
  2. Extract all files from the UnxUtils\usr\local\wbin subdirectory to C:\UNIX
  3. Download strings.exe from http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx, and place strings.exe into C:\UNIX
  4. Make a C:\TMP directory (Unix tools need a Win32 equivalent of /tmp)
  5. Make a directory for all your transaction log files (i.e. D:\customers\test), and place all the logs in this dir
  6. From a cmd prompt, navigate to your C:\UNIX dir
  7. Run the following command:
    strings -q -n 16 D:\customers\test\*.log | cut -f3 -d: | sort | uniq -c | sort | tee c:\log-output.wri

If you open the wri file (just use a text editor of your choice) you get a list of strings of 16 or more characters, sorted from the least number of occurrences to the largest. While this won’t tell you exactly what the problem is, it will definitely point you in the right direction.
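The same frequency count can be done without the extra binaries. The following Python sketch is an added example, not part of Scott Oseychik’s guide: it extracts ASCII and UTF-16LE strings of at least 16 characters from every `*.log` file in a directory and counts them. The function names, the sample file name and the sample data are constructed for illustration, and truncating each string at its first colon is an assumption about what `cut -f3 -d:` does to the path-prefixed output of strings.exe.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

MIN_LEN = 16  # same threshold as `strings -n 16`
# Runs of printable ASCII stored as single bytes, or as UTF-16LE (char + NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Yield printable strings of at least MIN_LEN characters from raw bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def count_log_strings(log_dir, pattern="*.log"):
    """Count extracted strings across every matching file in log_dir."""
    counts = Counter()
    for path in sorted(Path(log_dir).glob(pattern)):
        for s in extract_strings(path.read_bytes()):
            # Keep only the text before the first colon (the assumed effect of
            # `cut -f3 -d:`), so replies with different subjects group together.
            counts[s.split(":", 1)[0].strip()] += 1
    return counts


def report(counts, top=20):
    """Return the `top` most frequent strings, least frequent first."""
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[-top:]


def demo():
    """Run the count over constructed sample data (not real Exchange logs)."""
    subjects = ["Out of Office Reply: budget", "Out of Office Reply: invoice",
                "Out of Office Reply: lunch", "Quarterly report attached"]
    blob = b"\x01\x02".join(s.encode("ascii") for s in subjects)
    blob += b"\x01\x02" + subjects[0].encode("utf-16-le") + b"\x01\x02short"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "E0000001.log").write_bytes(blob)
        return report(count_log_strings(d))


if __name__ == "__main__":
    for text, n in demo():
        print(f"{n:7d} {text}")
```

To use it on real data, call `report(count_log_strings(r"D:\customers\test"))` against a copy of the log files rather than the live log directory.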

In my case I had a totally ridiculous number of “Out of Office Reply” – so much so the next highest expression wasn’t anywhere near it. At this point it finally occurred to me that the messages “randomly” showing in message tracking were the culprit. While they may have been sent a while ago, they were still looping on the Exchange server, constantly generating new transaction logs and coming up in each message tracking search.

Now I just had to stop these messages by disabling the automatic reply on each offending mailbox. As usual, in hindsight it sounds very simple.