What the Heck – Why is there no information in the Exchange Application Event Log?

Recently I was browsing the MSExchange.org Forums and I came across a post where the person had a problem where no Exchange events were being entered into the Application Event log. I thought that this was a little strange so I probed a bit and asked what would be entered into the Application Event log when they stopped and started the Information Store (usually a good one to get data in to the Event log). The information that the person posted back I have to admit perplexed me a little bit – but the following are examples of the entries that he was getting:

Initially I suggested re-installing Exchange 2003 SP2, as I suspected that perhaps some form of DLL registration had become messed up – but the gentleman in the forum seemed a little reluctant to go with the Service Pack re-install. At the time I thought this was a little puzzling, but different Exchange admins have different rules in the environments that they run, so I had to respect the guy's choice.

A week or so passed and I saw the thread in the forum re-appear – only this time it contained some new information. Essentially it would seem that the server which Exchange was running on, had at some point in the past experienced a failure, and a new installation of Exchange had been placed on a separate drive on the same box – the chap that was managing it was looking to stabilise the installation long enough for a migration to fresh hardware – however he was having problems doing this as he had no meaningful information in the event logs.

It was at this point that it began to make sense to me – if I were in the situation above, I would not wish to do something as invasive as a service pack re-install and risk losing the box again, so I started to think about troubleshooting options.

Now in possession of some of the history as to what had happened to the gentleman's server, I started to think about how Exchange (or indeed other applications) typically adds data to the event log – the following is what I believe happens when Exchange wishes to log an Event to the Application Log:

Now, continuing from the above – the vast majority of programs that log data to the Event logs will register (or bind) themselves with the Event Log Service, and Exchange is no different – these bindings can be viewed in the Windows registry. My theory was: what if, when the second installation of Exchange was placed on the server, the bindings no longer reflected where the Event Resource DLLs were stored – could this cause the issue that we are looking at? So in my test lab I navigated to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application. Under this key there are the following Exchange-related entries:

[Image: rev1]

I opened up the key for “MSExchangeIS”, which changed the right-hand pane of the Registry Editor to look like the following:

[Image: rev2]

From reviewing the information above – I suspected that if I changed the values of the following entries I would be able to replicate the problem that the gentleman in the forum had been having:

  • CategoryMessageFile
  • EventMessageFile

So in order to prove my idea I changed the path values for the two entries above to reflect a pair of non-existent paths on my server – like so:

[Image: rev3]

By changing this value to an incorrect path – this would in effect make the diagram displayed above look like the following:

After changing the paths in the Registry I then cleared the Application Event Log on my test server (so I did not confuse my results with normal event entries) and then restarted the “MSExchangeIS” service. After the service had restarted I opened the Application Event Log and reviewed the entries for “MSExchangeIS”, and sure enough I had the following entries for the service:

So this is what I posted back to the gentleman in the forums, and if anyone else experiences this issue, check the following on your Exchange Server:

  • Ensure that the following files are in the Exchsrvr\Res folder and that they are the correct versions for your service pack and patch level of Exchange:

adclog.dll calconmsg.dll ds2mbmsg.dll dscmsg.dll eventmsg.dll exconmsg.dll imap4evt.dll madmsg.dll mdbmsg.dll msallog.dll mtamsg.dll pop3evt.dll srsmsg.dll tranmsg.dll

  • In the Registry of your Exchange Server, check that all of the values of “CategoryMessageFile” and “EventMessageFile” in the Exchange-related keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application point to the correct disk location of your Exchange installation (Exchsrvr\Res)
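
The registry check above can be scripted rather than clicked through key by key. The following PowerShell is an added example, not part of the original post: it reads “EventMessageFile” and “CategoryMessageFile” from each matching source key and reports whether every DLL they name exists on disk. The function name Get-EventSourceBinding and the MSExchange* filter (based on the MSExchangeIS key name) are assumptions, as is PowerShell 2.0 or later.

```powershell
# Added example: audit the message-file bindings of event sources.
# Read-only; it does not change the registry.
function Get-EventSourceBinding {
    param(
        [string]$LogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application',
        # Assumption: the Exchange sources share the MSExchange prefix, as MSExchangeIS does.
        [string]$SourceFilter = 'MSExchange*'
    )

    $valueNames = 'EventMessageFile', 'CategoryMessageFile'

    Get-ChildItem -Path $LogKey |
        Where-Object { $_.PSChildName -like $SourceFilter } |
        ForEach-Object {
            $key = $_
            foreach ($name in $valueNames) {
                # Read the raw string so REG_EXPAND_SZ data such as %SystemRoot% is visible.
                $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($null -eq $raw) { continue }

                # One value may list several DLLs separated by semicolons.
                foreach ($entry in ($raw -split ';')) {
                    $entry = $entry.Trim()
                    if ($entry -eq '') { continue }
                    $path = [Environment]::ExpandEnvironmentVariables($entry)

                    New-Object PSObject -Property @{
                        Source = $key.PSChildName
                        Value  = $name
                        Path   = $path
                        Exists = (Test-Path -LiteralPath $path -PathType Leaf)
                    }
                }
            }
        }
}

# List only the bindings that point at a file that is not there.
Get-EventSourceBinding |
    Where-Object { -not $_.Exists } |
    Select-Object Source, Value, Path |
    Format-Table -AutoSize
```

An empty result means every binding under the filtered keys resolves to a file; it does not confirm that the DLL versions match your service pack level, which still has to be checked against the file list above.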

I have not heard back from the chap yet – but I will post an update when I do.
