Tracing is a detailed logging of the actions taken by Forefront Protection 2010 for Exchange Server (FPE). Enabled by default, tracing helps support engineers diagnose and troubleshoot problems. Although you can control tracing by using the Tracelog.exe tool, some of the most common tracing settings can be configured directly by using the Forefront Management Shell to enter Windows PowerShell commands.

Monitoring without the aid of customer support

Tracing is for advanced troubleshooting scenarios. You should only use tracing under the direction of customer support. In order to investigate errors or to monitor your system on your own, it is recommended that you use the Windows Event Viewer.

To access the Windows Event Viewer
  • Click Start, point to All Programs, point to Control Panel, point to Administrative Tools, and then click Event Viewer.

The tools needed for tracing are tracelog.exe and tracefmt.exe. These are part of the Windows Driver Kit, and you can download them from Microsoft's WDK and Developer Tools site. In addition, a batch file called tracereader.bat is provided in order to automate the most common uses of tracelog.exe and tracefmt.exe.

Configuring tracing

You can configure the following trace settings by using the Windows PowerShell Set-FseTracing cmdlet:

  • The level of tracing, in order to indicate how much detail is included in the trace

  • The tracing flags, in order to indicate the functions being traced

  • The maximum size of the trace log

  • The frequency with which buffered tracing events are flushed (written) to the trace log

This is the syntax of the Set-FseTracing cmdlet:

Set-FseTracing [-Level level] [-Flags flags] [-MaxLogSize MaxLogSize] [FlushFrequency frequency]

The following sections describe the parameters.

Configuring tracing levels

In order to indicate how much detail to include in the trace, use the -Level parameter of Set-FseTracing.

The values are ordered so that each includes all previous values. For example, the default level value (Information) logs all information messages, as well as warning, error, and fatal messages. The following table lists the levels that you can set, from least to most inclusive.

Level Output

Fatal

All fatal error tracing statements.

Error

All fatal error tracing statements, plus those mentioning other errors.

Warning

All error and fatal error tracing statements, plus those with a warning.

Information

All warning, error, and fatal error tracing statements, plus a set of statements containing additional information. This is the default.

Verbose

All information, warning, error, and fatal error tracing statements, plus statements containing more information about normal operation.

Noise

All possible tracing statements. This results in high levels of "noise" in the trace log.

To configure tracing levels
  1. Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell.

  2. At the Windows PowerShell command prompt, enter the following:

      Copy Code
    Set-FseTracing -Level level
    

This example sets the level to Warning:

Set-FseTracing -Level Warning

Configuring tracing flags

To indicate what functions are being traced, use the -Flags parameter of Set-FseTracing. This permits a finer level of control. You may specify multiple flags as a comma-separated array. The following table describes the available flags.

Flag Enabled by default Function

Default

-

Restores all default values

All

-

Enables all tracing flags

Antispam

Yes

Antispam scanning

EngineAdapters

Yes

Scan-engine interface adapters

EngineUpdates

Yes

Traces engine updating pipeline

FileNavigators

Yes

File parsers

Generic

Yes

Output with no flag specified

HResult

Yes

Return codes from function calls

ScanJobs

Yes

Scanning processes

ThreatScanning

Yes

Coordinates engines when data is being scanned and cleaned

Common

No

Core product functionality

Configuration

No

Configuration changes

IPC

No

Inter-process communication between workload hook and scanning processes

Stack

No

Program stack call

Statistics

No

Performance counter-related functionality

To configure tracing flags
  1. Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell.

  2. At the Windows PowerShell command prompt, enter the following:

      Copy Code
    Set-FseTracing -flag flags
    

This example sets the Stack flag:

Set-FseTracing -flag Stack

This example sets the engine adapters, threat scanning, and generic flags:

Set-FseTracing -flag EngineAdapters,ThreatScanning,Generic

Configuring maximum tracing log size

In order to indicate the maximum size of the trace log, use the -MaxLogSize parameter of Set-FseTracing.

The maximum trace log size is specified in megabytes (MB). The minimum size is 16 MB, and the maximum size is 1024 MB (1 gigabyte), which is the default value. The maximum trace log size value includes the combined value of the program log (ProgramLog.etl) plus any archived program logs (located in the ProgramLogArchive directory). The maximum size for any single program log is 512 MB, or half the configured total.

To configure the maximum trace log size
  1. Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell.

  2. At the Windows PowerShell command prompt, enter the following command:

      Copy Code
    Set-FseTracing -MaxLogSize MaxLogSize
    

This example sets a trace log size limit of 768 MB for all program logs:

Set-FseTracing -MaxLogSize 768

In this example, the maximum file size for any single program log is 384 MB.

After changing the maximum tracing log size setting, restart the tracing session in order for the change to take effect.

To restart the tracing session
  1. At the Windows PowerShell command prompt, stop the tracing session by entering the following command:

      Copy Code
    Logman stop FssTracingSession –ets
    
  2. Stop the Forefront Server Protection Controller service by entering the following command:

      Copy Code
    Net stop FSCController
    
  3. Start the Forefront Server Protection Controller service (which automatically starts the tracing session) by entering the following command:

      Copy Code
    Net start FSCController
    

Configuring the flush frequency

To indicate the frequency (in seconds) of writing (flushing) buffered tracing events to the trace log, use the -FlushFrequency parameter of Set-FseTracing. The buffer is always flushed when filled or when the trace is ended, regardless of the value of flush frequency.

The frequency can be any positive integer. The default of 0 means that buffers are flushed as soon as they become full.

To configure the flush frequency
  1. Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell.

  2. At the Windows PowerShell command prompt, enter the following:

      Copy Code
    Set-FseTracing -FlushFrequency frequency
    

This example sets a flush frequency of 10 seconds:

Set-FseTracing -FlushFrequency 10