Data recovery out of “lost” or corrupted transaction log files?

Many customers ask about recovering data from corrupt transaction log files, or from “lost” transaction log files that follow a gap found when running eseutil /ml e0X.

(Scenario: a restore from backup in which hard recovery is interrupted by a corrupted transaction log file.)

In other words – can we extract data out of Transaction log files?

The answer is NO. The content is binary.

If we open transaction log files in Notepad, we see only a few pieces of data in clear text, such as:

------------

From:
To:
Subject:

------------

Here is a sample approach for figuring out which senders and recipients should be informed about potential data loss when not all log files could be recovered in a restore scenario.

A good explanation of using strings.exe to filter information out of transaction logs is available in the well-known blog post by Scott Oseychik:

 “Rough and Tough” guide to identifying patterns in transaction logs

https://blogs.msdn.com/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx

###########

1. Download the "Unix for Win32" utilities from https://downloads.sourceforge.net/unxutils/UnxUtils.zip?modtime=1172730504&big_mirror=0

2.    Extract all files from the UnxUtils\usr\local\wbin subdirectory to C:\UNIX

3.    Download strings.exe from https://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx, and place strings.exe into C:\UNIX

4.    Make a C:\TMP directory (Unix tools need a Win32 equivalent of /tmp)

5.    Make a directory for all your transaction log files (i.e. D:\customers\test), and place all the logs in this dir

6.    From a cmd prompt, navigate to your C:\UNIX dir

7.    Run the following command:

strings -q -n 16 D:\customers\test\*.log | cut -f3 -d: | sort | uniq -c | sort | tee c:\log-output.wri

 

What this is doing:

·         Identifies all strings in the logs greater than 16 chars

·         Removes the D:\customers\test\E00xxxx.log: from the output

·         Sorts the output

·         Finds all duplicate records, and retains a count

·         Sorts the final output (ending with the largest # of occurrences)

·         Writes all the output to c:\log-output.wri (use WordPad / write.exe to open; notepad.exe mangles the output)

############

Strings.exe command to filter the following information out of transaction logs

==========================================================

------------

From:
To:
Subject:

------------

1. Create a text file called search.txt with exactly the following content:

From:
To:
Subject:

2. Run the following command, adjusting the folder paths as appropriate:

strings.exe -q -n 8 C:\UNIX\Trans_Logfilesfolder\*.log | findstr /i /G:c:\UNIX\search.txt >> C:\UNIX\output.txt

(Prerequisites are steps 1 to 6 from the blog above.)

It does the following:

===============

- Looks for strings with a minimum length of 8 characters

- Hands the result over to findstr

- Filters for the criteria in search.txt

- Appends the result to output.txt

Example for OUTPUT.txt: (info crossed out to hide customer data)

===================

C:\UNIX\Logfiles_HA_RE\E033A952.log: From: XXXXXXX <<XXXX@DOMAIN_A.de>>

C:\UNIX\Logfiles_HA_RE\E033A952.log: Reply-To: XXXXXXX <XXXX@DOMAIN_B.de

C:\UNIX\Logfiles_HA_RE\E033A952.log: Subject: Re: Testmail Analyzer

C:\UNIX\Logfiles_HA_RE\E033A952.log: To: XXXXXXX <XXXX@DOMAIN_C.de

C:\UNIX\Logfiles_HA_RE\E033A952.log: Subject: Testmail Analyzer

C:\UNIX\Logfiles_HA_RE\E033A952.log: from: < XXXXXXX <XXXX@DOMAIN_D.de >

C:\UNIX\Logfiles_HA_RE\E033A952.log: To: < XXXXXXX <XXXX@DOMAIN_E.de >

C:\UNIX\Logfiles_HA_RE\E033A952.log: X-TBoneOriginalfrom: < XXXXXXX <XXXX@DOMAIN_Fde >

C:\UNIX\Logfiles_HA_RE\E033A952.log: X-TBoneOriginalTo: < XXXXXXX <XXXX@DOMAIN_G.de >

If we have many log files to analyze, we need to filter OUTPUT.txt appropriately, either in Excel or with a script.
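
One way to do the script-based filtering, as an added example (not code from the original post or from Scott Oseychik's blog): it groups the From/To/Subject hits per log file and drops the Reply-To: and X-TBoneOriginal...: lines that findstr also matches. The sample lines, log file names and the helper names summarize and affected_users are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the output.txt format shown above (not customer data).
SAMPLE = r"""
C:\UNIX\Logs\E0000001.log: From: Alice <alice@example.com>
C:\UNIX\Logs\E0000001.log: Reply-To: Alice <alice@example.net>
C:\UNIX\Logs\E0000001.log: To: Bob <bob@example.org>
C:\UNIX\Logs\E0000001.log: Subject: Re: Testmail
C:\UNIX\Logs\E0000002.log: from: < Carol <carol@example.com >
C:\UNIX\Logs\E0000002.log: X-TBoneOriginalTo: < Dave <dave@example.org >
C:\UNIX\Logs\E0000002.log: To: < Bob <BOB@example.org >
C:\UNIX\Logs\E0000002.log: Subject: Testmail
"""

# "<path>.log: <Header>: <value>"; the path itself contains a colon (C:\...).
LINE = re.compile(r"^(?P<log>.+?\.log):\s*(?P<hdr>[A-Za-z-]+):\s*(?P<val>.*)$", re.I)
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
WANTED = ("from", "to", "subject")

def summarize(lines):
    """Group From/To/Subject hits per log file: {log: {header: set of values}}."""
    result = defaultdict(lambda: {h: set() for h in WANTED})
    for raw in lines:
        m = LINE.match(raw.strip())
        # findstr matches substrings, so Reply-To: and X-...To: lines are dropped here.
        if not m or m["hdr"].lower() not in WANTED:
            continue
        hdr, log = m["hdr"].lower(), m["log"].rsplit("\\", 1)[-1]
        if hdr == "subject":
            result[log][hdr].add(m["val"].strip())
        else:
            result[log][hdr].update(a.lower() for a in ADDR.findall(m["val"]))
    return dict(result)

def affected_users(summary, missing_logs):
    """Senders and recipients seen in the log files that could not be replayed."""
    users = set()
    for log in missing_logs:
        entry = summary.get(log, {})
        users |= entry.get("from", set()) | entry.get("to", set())
    return sorted(users)

if __name__ == "__main__":
    # For real data: summarize(open(r"C:\UNIX\output.txt", errors="replace"))
    summary = summarize(SAMPLE.splitlines())
    for log, hits in sorted(summary.items()):
        print(log, {h: sorted(v) for h, v in hits.items()})
    print("inform:", affected_users(summary, ["E0000002.log"]))
```

Pass affected_users the names of the log files that could not be replayed to get the list of mailboxes to notify.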