Today, I noticed that one of our log drives was filling up rapidly. I was able to move the unused logs to a different drive, but the logs continued to grow (see this link on how to move the unused logs: https://wikipinoy.wordpress.com/2014/08/18/how-to-free-up-exchange-log-drive-space-when-it-fills-up/).
Here are some things you can do to figure out what is causing the logs to fill up:
1. I just migrated 3 iPhone users yesterday to the mailbox and I thought they may be causing issues. I confirmed with the users that they have not installed the latest iOS yet. Here is an article from Microsoft that talks about that.
2. To confirm my suspicion, I downloaded EXMON (http://www.microsoft.com/en-us/download/details.aspx?id=11461) from Microsoft, installed it on my Exchange Server, and ran a trace to find out which user may be causing the issue. And bingo, the 3 users I migrated last night showed up in the top 5 users with the highest CPU usage and Log bytes.
You can either ask the users to update to the latest version of iOS or follow Microsoft’s recommendation in the link in step 1.
Note: Also check the logs in your Exchange server for any errors. I noticed that large amounts of NDRs with Event ID 2028 (MSExchangeIS Public Store) cause the logs to fill up in my case.
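To line up log growth with the Event ID 2028 entries mentioned in the note, the following PowerShell sketch counts transaction log files and 2028 events per hour. It is an added example, not part of the original post; the log folder path is a placeholder, and the provider name is assumed to match the source shown in Event Viewer.

```powershell
# Added example, not from the original post.
# $LogPath is a placeholder: point it at your own transaction log folder.
$LogPath   = 'E:\PLACEHOLDER\ExchangeLogs'
$HoursBack = 24
$since     = (Get-Date).AddHours(-$HoursBack)

# Transaction log files written per hour (file count and total size in MB).
$logsPerHour = Get-ChildItem -Path $LogPath -Filter '*.log' |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since } |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:00') } |
    Select-Object @{ Name = 'Hour';  Expression = { $_.Name } },
                  @{ Name = 'Files'; Expression = { $_.Count } },
                  @{ Name = 'MB';    Expression = {
                        $sum = ($_.Group | Measure-Object -Property Length -Sum).Sum
                        [math]::Round($sum / 1MB, 1) } }

# Event ID 2028 entries per hour from the Application log.
# Assumption: the provider name equals the event source named in the note.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchangeIS Public Store'
    Id           = 2028
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$eventsPerHour = @{}
foreach ($e in $events) {
    $key = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
    # A missing key reads as $null, which casts to 0.
    $eventsPerHour[$key] = 1 + [int]$eventsPerHour[$key]
}

# One row per hour: log volume next to the number of 2028 events.
$logsPerHour |
    Sort-Object Hour |
    Select-Object Hour, Files, MB,
        @{ Name = 'Event2028'; Expression = { [int]$eventsPerHour[$_.Hour] } } |
    Format-Table -AutoSize
```

Hours where both the file count and the 2028 count jump are the ones to compare against the users EXMON ranks highest by Log bytes.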
If you are getting this error when trying to re-launch EXMON, make sure that there are no processes running for this app.
From the command prompt, run logman query -ets to find out if ‘Exchange Event Trace’ is running.
Run the command logman stop "Exchange Event Trace" -ets to stop it.