Karthik Murugesan Posted on October 19th, 2013

Every SharePoint administrator has a SharePoint troubleshooting workflow. Surprisingly some of them still involve logging into each server in the farm and opening the recent log file using notepad… only to watch notepad crash on them.

One of the major gripe I hear from new SharePoint administrators is how difficult it is to go through SharePoint logs. It gets worse if you have multiple servers in your farm, and each log files as are uncontrollably huge, browsing through these trace logs can be disorienting. You have to review them from all of your servers.

“My log files are so huge I can’t even open them with SharePoint Log Viewer.”

First of all there is no reason for your individual log files to be so large that you can’t even open them with SharePoint Log Viewer. Lets say for some reason you want to have every logging level turned on. Managing your individual log file size is key. Lets look at a simple workflow to help alleviate some of these issues and help get to the root cause within minutes, every time.

Log Cut Interval

Managing individual log file size is the first thing you want to look at. By default, a new log file is created every 30 minutes. There is no way to control the file size by specifying the max file size. But you can control how often a new file gets created.

The following code snippet configures SharePoint to create a new trace log every 5 minutes.

Set-SPDiagnosticConfig -LogCutInterval 5

Check your SharePoint log directory and you will see much smaller, manageable log files since they get rolled every 5 minutes.

Merging and Querying Logs

Most of the time you are hunting for the root cause with a “Correlation ID”. Use the following PowerShell commands to query log files filtered by “Correlation ID”.

Merge-SPLogFile PowerShell command lets you gather a set of events from all the servers in the farm to a single log file. By default, Merge-SPLogFile merges events from the last hour from each server in the farm and saves it in a file on the server you executed the command. This creates a timer job and might take a while to run and I don’t recommend running this command without filtering events by “Correlation ID”.

Merge-SPLogFile -path "D:SharePointLogs719e70a4-19a2-4777-9911-9228155ba60d.log" -Correlation "719e70a4-19a2-4777-9911-9228155ba60d"

With this all the events related to that “Correlation ID” is now in a single file and now you can use SharePoint Log Viewer and do whatever you want with it.

Troubleshooting Workflow

So your troubleshooting workflow should be as follows.

  1. Make sure Log Cut Interval is set to generate smaller individual log files
  2. Get the  “Correlation ID”
  3. Merge the log files by “Correlation ID” so you don’t have to hop into multiple Web Servers
  4. Open the merged log file using SharePoint Log Viewer
  5. In most cases you will have 10 or 15 events logged for that “Correlation ID”

Good Luck!


Leave a reply

Your email address will not be published.