Event ID: 5007 Source: MSExchangeSA

An error occurred during the message tracking decode operation. Function: <error description>.
Make sure that Exchange-related services are not running on the passive cluster node.
In my case this occurred because the computer browser service was stopped. I've just started it and the log and tracking path for Exchange was enabled.
In our cluster environment, the IMAP4 service was running on both the Active and the Passive node. Once the service was stopped on the Passive node, the problem disappeared.
- Error: 0xc0070021 - The process cannot access the file because another process has locked a portion of the file - I have discovered that this was caused by the backup software. The system writes to the files once the backup lock has been removed, so expect a lot of entries in the log for about 30 seconds.
- Error: "0xc0070070" = ERROR_DISK_FULL - This problem can be caused by low disk space on the Exchange Information Store Drive. Free up disk space and then restart the Exchange System Attendant to resolve the issue. See ME555435 for details about this event.

- Error: "ScSaveGatewayTrackingDataEx - 0x80070005 - Access denied" - See ME329773 for a hotfix applicable to Microsoft Exchange Server 2000.

As per Microsoft: "This event typically occurs when Message Tracking cannot write to its log file. This event indicates that Message Tracking is not functional". See MSEX2K3DB for more details.
This behavior can occur if you add a space at the end of the name for the resource for which you are setting the dependency. See ME281796 and ME832037 to fix this problem.
- Error: "ScSaveGatewayTrackingDataEx. 0x80070005 - Access denied" - Turned out to be a permission issue on the "servername.log" folder. The service account did not have the modify permission.
Error: "ScWriteLog:ScWriteField. 0xc0020021 - <<The process cannot access the file because another process has locked a portion of the file.>>" - As per Microsoft: "The SA processor utilization may be very high while the Microsoft Exchange Message Transfer Agent (MTA) throughput seems low." See the following articles for more details: ME198733, ME161935, ME152310.
Error: "ScSaveGatewayTrackingDataEx - 0xc0070057 - The parameter is incorrect." - This problem can occur because the message tracking decode operation does not work properly on certain specific code page e-mail subjects. The latest Exchange 2000 service pack should resolve the issue. See ME313570 and ME308397.

Error: "0xc0070003  The system cannot find the path specified." - As per Microsoft, this event ID message is common on Cluster servers but it is not restricted to Cluster Servers. It occurs because the msExchDataPath attribute on the server object does not have the right value. See ME288362 for resolution.
Multiple event 5007's were appearing about every 30 seconds, and the logging directory c:\program files\exchsrvr\yourservernamehere.log was not being used by the server. To resolve, I removed the share c:\program files\exchsrvr\yourservernamehere.log, created a share in the old directory c:\exchsrvr\yourservernamehere.log and recreated the share permissions. Additional Info From MS:
The attribute msExchDataPath on the server object is the base directory where the System Attendant writes the tracking log files, but it appends the servername.log to this, such that if the server is named servername and the value for msExchDataPath is x:\exchsrvr, then the actual path that the tracking logs would be written to would be x:\exchsrvr\servername.log. This is common on Cluster Servers.

Ensure that msExchDataPath is pointed properly, AND that it contains a directory SERVERNAME.log. In this case the tracking log path had been changed in the Registry and the tracking.log directory had not been recreated at the new path and shared.
Ensure that the tracking.log path is present at the path specified in the registry, and is shared as "tracking.log".
* * *
Microsoft specifies that it might be caused by backup software which is backing up the log file while the SA is trying to write to it. This was indeed the case on my 2 servers that exhibited this particular error. I changed the time that BackupExec backed up these servers and the error went away.
Error: "ScSaveGatewayTrackingDataEx. 0x80070005 - Access denied." I had this happen on one of my many exchange servers. Check the following:
1. Check your Exchange services to see if anything is running as anything other than Local System Account.
2. If so, set it back to run as Local System Account and then restart. There is barely any information on this particular event and it might affect the way certain backup software works so be aware.
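
Added example (not part of the contributor comments above and not Microsoft code): a small triage helper that pulls the function name and status code out of an Event 5007 description, decodes the Win32 error held in the low 16 bits, and returns the first check the comments on this page suggest for it. The names `decode_status` and `triage` and the sample descriptions are constructed for illustration.

```python
import re

# Win32 error codes carried in the low 16 bits of the statuses quoted on this page.
WIN32_ERRORS = {
    0x03: "ERROR_PATH_NOT_FOUND",
    0x05: "ERROR_ACCESS_DENIED",
    0x21: "ERROR_LOCK_VIOLATION",
    0x57: "ERROR_INVALID_PARAMETER",
    0x70: "ERROR_DISK_FULL",
}
# First thing to check per error, summarised from the comments on this page.
FIRST_CHECK = {
    "ERROR_PATH_NOT_FOUND": "msExchDataPath value and the SERVERNAME.log directory/share",
    "ERROR_ACCESS_DENIED": "service account and modify permission on the servername.log folder",
    "ERROR_LOCK_VIOLATION": "backup software holding the tracking log while the SA writes",
    "ERROR_INVALID_PARAMETER": "Exchange 2000 service pack level (ME313570, ME308397)",
    "ERROR_DISK_FULL": "free space on the Exchange Information Store drive",
}
CODE_RE = re.compile(r"\b0x([0-9a-fA-F]{8})\b")
FUNC_RE = re.compile(r"Function:\s*([\w:]+)")

def decode_status(value):
    """Split a 32-bit status into (failure bit, facility, low 16-bit code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(description):
    """Return (function, status, Win32 name, first check), or None if no status."""
    m = CODE_RE.search(description)
    if m is None:
        return None
    value = int(m.group(1), 16)
    code = decode_status(value)[2]
    name = WIN32_ERRORS.get(code, "UNKNOWN_%d" % code)
    f = FUNC_RE.search(description)
    func = f.group(1) if f else "(not given)"
    return func, "0x%08x" % value, name, FIRST_CHECK.get(name, "not covered on this page")

# Constructed sample descriptions, modelled on the forms quoted on this page.
SAMPLES = [
    "Function: ScSaveGatewayTrackingDataEx - 0x80070005 - Access denied.",
    "Function: ScWriteLog:ScWriteField. 0xc0020021 - lock violation text",
    'Error: "0xc0070070" = ERROR_DISK_FULL',
    "Function: ScSaveGatewayTrackingDataEx - 0xc0070003",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```
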
