Some Exchange Server Event Sources IDs Examples and Descriptions

One of the most often performed tasks for administrators is that of troubleshooting their hardware and software products. Hardware can range from networking devices such as switches and routers to high-end multiprocessing server systems while software ranges from commercial off the shelf applications such as email servers to home-grown customized applications and major operating systems. And administration of all these products requires the ability to troubleshoot problem situations.

A major step in the troubleshooting process is the need to review the error logs and diagnose the cause of the error messages.

Error logs can help administrators to troubleshoot almost any problem associated with the Exchange server operation.  Knowing where in the error logs to look and what to look for can save any administrator valuable time and money.

The Microsoft Event Viewer can help administrators to review the application log and the system log files for errors, warnings, and informational events that are related to the operation of Exchange Server, the SMTP service, and other applications. Administrators should make it a practice to review the log files as their first step in the troubleshooting process. Reviewing the log files can help administrators to identify the cause of email message flow issues based on the event sources and their IDs.

Here is a list of some of the more common event sources, their IDs, some examples and their descriptions.

1. MSExchangeTransport   Events that are recorded when SMTP is used to route messages.
2. IMAP4Svc   Events that are related to the service that allows users to access mailboxes and public folders through IMAP4.
3. MSExchangeAL   Events that are related to the service that addresses e-mail messages through address lists.
4. MSExchangeIS   Events that are related to the service that allows access to the Exchange Information Store service.
5. MSExchangeMTA   Events that are related to the service that allows X.400 connectors to use the message transfer agent (MTA).
6. MSExchangeMU   Events that are related to the metabase update service, a component that reads information from Active Directory and transposes it to the local IIS metabase.
7. MSExchangeSA   Events that are recorded when Exchange uses Active Directory to store and share directory information.
8. MSExchangeSRS   Events that are recorded when Site Replication Service (SRS) is used to replicate computers running Exchange 2003 with computers running Exchange 5.5.
9. POP3Svc   Events that are recorded whenever Post Office Protocol version 3 (POP3) is used to access e-mail.
10. ESE  Events related to Exchange Server’s Extensible Storage Engine
11. Event Source: POP3SVC     Event Category: Content     Engine Event ID: 1023     Date: 9/09/2008 Time: 10:18:52     User: N/A     Computer: SERVER      Description: Error 0×8004050a occurred while rendering message 0001-0000000b11ca for download for user
12. Event Source: smtpsvc     Event Category: None     Event ID: 4006     Date: 4/4/2008     Time: 11:00:11 AM     User: N/A     Computer: XXXXX          Description:     Message delivery to the host ‘(IP address)’ failed while delivering to the remote domain ‘domainname.com’ for the following reason: The remote server did not respond to a connection attempt.
13. Event log ID: 1025     Source: MSExchangeIS mailbox     Category: General     Type: warning     user: N/A     Description: An error occurred on database ” first storage groupmailbox database” Function name or description of problem:restrict/ SetsearchCriteria     Error:1162 Warning: fail to apply search optimization tofolder (FID 1-214F20xxx)retrying without optimization.
14. MSExchangeAL – Address Lists – Example ID 8026, network problem, or LDAP configuration
15. MSExchangeIS – Exchange Information Store – Example ID 9518, trying to start a store which is offline
16. MSExchangeMTA – Message delivery – Example ID 9411, disk is full MTA needs 10 MB free space
17. MSExchangeSA – Active Directory related (System Attendant) – Example ID 9543. Permissions error
18. MSExchangeTransport – SMTP Routing – Example, ID 4000, possible cause DNS with incorrect MX record
19. Event Source: MSExchangeActiveSyncNotify     Component: Microsoft Exchange Transport     Event ID: 994     Version:  6.5.7638.0     Message:  Following connector’s link state is suppressed because it either points to or comes from a leaf RG node.     Explanation: Exchange automatically suppresses a connector’s link state if Exchange determines that it is not needed. There is probably only a single path between servers in a leaf routing group.
20. Event Source: Exchange Migration     Event Category: Move Mailbox     Event ID: 1007     Date:  3/08/2008     Time:  4:24:48     User:  N/A     Computer: SERVER     Description:   Mailbox ‘(user name)’ has been moved.
21. Event Source: Exchange Migration     Event Category: Move Mailbox     Event ID: 9354     Date:  3/08/2008     Time:  4:25:01     User:  N/A     Computer: SERVER     Description:  Mailbox ‘CN=John Smith,OU=USERS,DC=domain,DC=local’ is deleted from the Exchange store ‘CN=Mail Store,CN=First Storage Group,CN=InformationStore,CN=EXCHANGE2003SERVER,CN=Servers, CN=First Administrative Group, CN=Administrative Groups,CN=Exchange Organisation,CN=Microsoft Exchange,CN=Services, CN=Configuration,DC=domain,DC=local’ on server ‘exchange2003server.domain.local’.
22. Event Source: MSExchangeIS Mailbox Store     Event Category: Rules     Event ID: 1154     Date:  3/08/2008     Time:  5:00:33     User:  N/A     Computer: SERVER     Description:Rule synchronization has successfully completed.   The mailbox folder is Top of Information StoreInbox on database “Storage GroupMailbox Database”.   The distinguished name of the owning mailbox is /o=Exchange Organisation/ou=First Administrative Group/cn=Recipients/cn=johnsmith.
23. Event Source: MSExchangeCluster     Event Category: Services     Event ID: 1005     Date:  6/08/2006     Time:  2:00:43     User:  N/A     Computer: SERVER     Description: Exchange HTTP Virtual Server Instance 101 (XCH-VN02) : The IsAlive check for this resource failed.
24. Event Source: MSExchangeIS Mailbox Store     Event Category: Rules     Event ID: 1154     Date:  16/08/2007     Time:  15:00:43     User:  N/A    Computer: SERVER     Description:  Rule synchronization has successfully completed.
25. Event Source: ESE     Version: (version number)     Component: Microsoft Exchange Extensible Storage Engine     Message: <process name> (<process id>) <instance> The backup has been stopped because it was halted by the client or the connection with the client failed. A possible cause for this is the use of a virus scanning application enabled in Exchange Server 2003 Service Pack 1.