Tracking Exchange 2010 Transaction Log Offenders

Scenario: Exchange administrators are constantly battling with rapidly inflating transaction log utilization in an Exchange 2010 environment.  Admins report that transaction logs are exceeding any sizing estimates, and that one or two databases is accounting for a very large portion (80-90%) of the growth.  In some cases, this can result in transaction log disks filling to capacity and causing mailbox database outages.

In order to provide some relief to the environment, administrators are looking to gather a list of the users that are causing the large percentage of transaction log growth.  This is the correct strategy, as often individual users are the cause when no relief in the Exchange event logs is apparent.  Unfortunately, the Microsoft Exchange Management Shell doesn't provide a clear way of accessing this information.  But is this true?  Is this capability just a missed opportunity for the EMS?  Possibly, but this has since been corrected through additional administration scripts from Microsoft.

Navigating to the $exscripts location from the EMS reveals a huge variety of scripts available to administrators to extend the capabilities of the EMS to include some of the previously "missing" functions, or some that might have required administrators to reference a master script, accessible in a function.  The script to assist in finding runaway transaction log users is the storetslibrary.ps1.  By loading this script, we are then exposed to a wide variety of functions that did not previously exist in the EMS.  For our example, the function Get-TopLogGenerators

This function will (taken from script): "
# Returns a descending list of the users generating the most log bytes for a given database
# based on the output of Get-StoreUsageStatistics the list contains the MailboxGuid and the
# number of bytes generated during the captured sampling periods (~ 1 hour) "

Leveraging this script, administrators can combine this with some simple script-fu to derive a list of the top 20 users for each mailbox database in the environment that have consumed transaction log space over the past hour:

. $exscripts\StoreTSLibrary.ps1

$offenders = $null
$databases = get-mailboxdatabase
foreach ($database in $databases){
    $offenders += Get-TopLogGenerators -database $ | sort totallogbytes -descending | select -first 20| select {($_.totallogbytes/1024/1024)}, {$}, {(get-mailbox $_.mailboxguid.tostring())}
$offenders | Sort-Object -Property '($_.totallogbytes/1024/1024)' -descending 

After finding the offending users, administrators will often disable functionality from the account until identifying the cause of the issue.  In one notable case, ActiveSync on iPhone was causing the transaction log fill-up, and asking the user to remove and re-create the profile on the phone resolved the issue leaving administrators with contained and predictable transaction logs.

Labels: , , , , ,