Mastering Message Tracking v1.00

Download as pdf or txt
Download as pdf or txt
You are on page 1of 74

© Copyright 2010 LockLAN Systems Pty Ltd

The right of LockLAN Systems Pty Ltd to be identified as author and copyright owner of this work is
asserted by LockLAN Systems Pty Ltd in accordance with Australian copyright laws as determined by the
Australian Copyright Council.

Copyright extends to any and all countries in which this publication is purchased and/or viewed and/or
read.

All rights reserved. No part of this publication may be reproduced or transmitted, in any form by any
means without the prior written permission of the author, nor be otherwise circulated in any form of
binding or cover other than that in which it is published and without a similar condition being imposed
on the subsequent purchaser.

The purchaser of this publication indemnifies Paul Cunningham and LockLAN Systems Pty Ltd and its
directors, officers, employees and agents from and against all losses, claims, damages and liabilities
which arise out of any use of this publication and/or any application of its content.

To buy a copy of this ebook visit http://exchangeserverpro.com/ebooks.

About the Author

Paul Cunningham is a Microsoft Exchange Server MVP and is the publisher


of Exchange Server Pro.

He is also an MCP, MCSA, MCSE, MCTS, and an MCITP for Exchange Server 2007,
2010 and 2013. Connect with Paul on Twitter, LinkedIn and Google+.

About the Reviewer

Michael Van Horenbeeck is a technology consultant, Microsoft Certified Solutions Master (MCSM), and
Exchange Server MVP from Belgium. He publishes a blog, contributes to the UC Architects podcast, and
you can also find him on Twitter.
Table of Contents
Introduction .................................................................................................................................................. 1
How Message Tracking Works ...................................................................................................................... 2
Exchange Server Roles .............................................................................................................................. 3
Message Tracking Log Files ....................................................................................................................... 4
Message Tracking Log File Names ........................................................................................................ 5
Message Tracking Log File Structure..................................................................................................... 6
Message Tracking Log Contents............................................................................................................ 6
Configuring Your Exchange Servers for Message Tracking ........................................................................... 7
Enabling Message Tracking ....................................................................................................................... 8
Enabling Message Tracking Using the Exchange 2010 Management Console ..................................... 8
Enabling Message Tracking Using the Exchange 2013 Admin Center .................................................. 9
Enabling Message Tracking Using PowerShell .................................................................................... 11
Configuring the Message Tracking Log Path ........................................................................................... 13
Configuring Message Tracking Log Retention ......................................................................................... 15
Considerations for a Message Tracking Server Configuration ................................................................ 17
Permissions Required for Message Tracking Log Searches .................................................................... 18
Message Tracking with Delivery Reports .................................................................................................... 21
Enabling and Disabling Read Tracking .................................................................................................... 21
End User Delivery Reports ...................................................................................................................... 21
Administrator Delivery Reports Using the Exchange Control Panel/Exchange Admin Center ............... 25
Administrator Delivery Reports Using PowerShell ................................................................................. 26
Performing Message Tracking Log Searches............................................................................................... 29
Using the Exchange Toolbox for Exchange Server 2010 ......................................................................... 29
Searching Message Tracking Logs with PowerShell ................................................................................ 31
Getting Started with Get-MessageTrackingLog .................................................................................. 31
Interpreting the Output ...................................................................................................................... 32
Handling the Default Resultsize .......................................................................................................... 41
Run Long Queries Once by Collecting Results in a Variable ............................................................... 42
Each Single Message is Multiple Log Entries....................................................................................... 43
Sorting Results by Timestamp ............................................................................................................. 43
Sending Message Tracking Log Output to Text File ............................................................................ 45
Dealing with System.String[] in Exported Message Tracking Log Data............................................... 46
Message Tracking Log Search Parameters .............................................................................................. 48
Searching Message Tracking Logs by Time and Date Range ............................................................... 48
Searching Message Tracking Logs by Sender or Recipient Email Address .......................................... 54
Searching Message Tracking Logs by Email Subject ........................................................................... 59
Searching Message Tracking Logs by MessageID ............................................................................... 60
Searching Message Tracking Logs by Event ID .................................................................................... 61
Calculating Message Latency .................................................................................................................. 62
From the Trenches .................................................................................................................................. 63
Using Log Parser to Analyze Message Tracking Log Data ........................................................................... 64
Final Word on Message Tracking Logs ........................................................................................................ 67
Appendix A – Message Tracking Log Data .................................................................................................. 68
Message Tracking Log Fields ................................................................................................................... 68
Message Tracking Log Event Types ......................................................................................................... 69
Message Tracking Log Source Values ..................................................................................................... 70
Introduction
As an Exchange Server administrator I will often spend hours each week searching through message
tracking logs, because:

 I’ve been asked to track the delivery of a single email message (you can call this “message
forensics” if you like, it sounds cool)
 I’m troubleshooting a server load issue
 I’m analysing overall email traffic patterns in the organization

There is no doubt in my mind that message tracking is one of the critical skills for an Exchange Server
administrator.

In this guide I will take you through:

 An overview of how message tracking works in Exchange Server


 The steps for configuring your Exchange Servers with the correct message tracking options for
your environment
 Examples of how to use the Exchange management tools to quickly and efficiently perform
message tracking log searches
 Other handy uses for message tracking log data

After reading this guide you’ll have an understanding of this important Exchange Server feature, and
have gained new skills that you can use in your day to day support and troubleshooting.

1
How Message Tracking Works
Message tracking is an Exchange Server feature that records detailed log files of email traffic as
messages are transferred between Exchange Servers within the organization, and between different
roles, services and components on individual servers. This is referred to as the transport pipeline.

This diagram shows the relationship between different components of the transport pipeline on an
Exchange Server 2013 Mailbox server. As you can see there are quite a few pieces involved in the
delivery of an email from sender to recipient. In fact there are even more when you include the
Frontend Transport service on Client Access servers; however it is not shown in this diagram because
the Frontend Transport service does not perform any message tracking logging.

2
The Exchange Server 2010 transport pipeline is a little different due to the server role architecture
differences between Exchange 2010 and 2013.

But the details are not as important as simply understanding that many of those steps in the pipeline
will appear in your message tracking log searches and provide you with insights into what happened to
an email message. Later in this guide we will look at some examples of message tracking log entries that
will demonstrate this.

Exchange Server Roles


The Exchange Server roles that can record message tracking logs are the Hub Transport, Edge Transport,
and Mailbox roles.

Server roles have changed a little during the evolution from Exchange 2007 to Exchange 2010 and again
to Exchange 2013. Some roles have been consolidated into other roles, and some roles do not exist in all
versions.

Here is a table to help you understand which server roles in which versions of Exchange can be involved
in message tracking.

Exchange 2007 Exchange 2010 Exchange 2013


Client Access Server No No No
Hub Transport Server Yes Yes n/a
Mailbox Server Yes Yes Yes
Unified Messaging No No n/a
Server
Edge Transport Server Yes Yes n/a

The information and examples in this guide will refer to Exchange Server 2010 and Exchange Server
2013.

For the purposes of this guide Exchange Server 2007 will not be covered in detail. However if you are
still running Exchange 2007 in your organization you will find that most, if not all, of the advice and
examples for Exchange 2010 can also be applied to Exchange 2007.

3
Message Tracking Log Files
Message tracking logs files are simply text files in CSV (comma-separated value) format, and are stored
by default in the <installpath>\TransportRoles\Logs\MessageTracking folder on the Exchange server.

You can open a message tracking log file with a text editor such as Notepad, or by importing it as
comma-delimited data into Microsoft Excel, and then read the contents on screen.

4
As a first glance you can sometimes spot useful information by visually inspecting a message tracking log
file. However this is not the most efficient way to search message tracking logs.

When you perform message tracking log searches the files are read by the Microsoft Exchange Transport
Log Search service, which you are communicating with using the Exchange management tools.

You don’t actually need to access the files themselves directly to perform a search, unless you are
reading them with a separate analysis tool such as Log Parser (which we’ll look at in a later chapter).

Message Tracking Log File Names


Message tracking log files follow a naming convention based on the server roles that are installed on the
Exchange server, the date, and the number of log files generated on that day.

For Exchange Server 2010 the file names are:

 MSGTRKyyyymmdd-nnnn.log on Hub Transport and Edge Transport servers


 MSGTRKMyyyymmdd-nnnn.log on Mailbox servers

If an Exchange 2010 server has multiple server roles installed then you will see a mixture of file names in
the message tracking folder location.

For Exchange Server 2013 the file names are:

 MSGTRKyyyymmdd-nnnn.log for the Transport service on Mailbox servers


 MSGTRKMAyyyymmdd-nnnn.log for moderated transport (messages that are approved or
rejected by an designated moderator)
 MSGTRKMDyyyymmdd-nnnn.log for messages delivered to mailboxes by the Transport Delivery
service on Mailbox servers
 MSGTRKMSyyyymmdd-nnnn.log for messages delivered to mailboxes by the Transport
Submission service on Mailbox servers

For Exchange Server 2013 the files will only appear on Mailbox or multi-role servers. Exchange 2013
servers that are installed with only the Client Access server role will not have any message tracking log
files present.

For both versions of Exchange Server the “yyyymmdd-nnnn” placeholder has the same purpose:

 yyyymmdd is the UTC date that the file was created (not the local date on the server)
 nnnn is a number that increases if multiple files are created on the same day

Although you won’t need to go manually hunting for log files of a particular naming convention it is
important to understand that this convention exists, because only those files matching the naming
conventions are:

 searched by the Microsoft Exchange Transport Log Search service

5
 included in retention calculations (eg maximum directory size, maximum file age, both of which
we’ll look at in a later chapter)

Message Tracking Log File Structure


A message tracking log file begins with some header information that looks similar to this.

#Software: Microsoft Exchange Server


#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2013-09-12T23:39:04.019Z
#Fields:

 Software – this will be Microsoft Exchange Server


 Version – the version of Exchange Server. 14.x.x.x is Exchange 2010, 15.x.x.x is Exchange 2013.
 Date – the UTC time when the file was created (the Z stands for Zulu, which is just another way
of saying UTC)
 Fields – a long, comma-delimited list of field names for the log data itself

Each log entry is written on a single line, with the data itself comma-delimited to correspond to the field
names in the log file header.

Message Tracking Log Contents


The “#Fields:” line of the log file contains a very long, comma-delimited list of field names for the log
data.

Most of the fields have descriptive names that make it easy to understand the purpose of that field (eg,
“date-time” or “sender-address”). There are too many to list here, so the full list has been added to
Appendix A of this guide.

Because the field names don’t match up with the parameters used when searching message tracking
logs in PowerShell you don’t really need to memorise them. However it is good to be aware that the log
contents are structured in that way if you are ever using other tools such as Log Parser to analyse
message tracking log files, as those tools will make use of the field names.

One of the fields is “event-id”, which is used to log the message events that are occurring as the email
message is processed through the transport pipeline (eg SUBMIT, SEND, DELIVER). Again, there are too
many to list here, so the full list has been added to Appendix A of this guide.

As you become proficient with message tracking log searches you will get used to seeing the most
common event IDs show up in most of your searches. Later in this guide as we look at how to perform
message tracking log searches we will discuss how to read and interpret these event IDs.

6
Configuring Your Exchange Servers for
Message Tracking
The default message tracking configuration does provide some useful log data, but may not be an ideal
configuration for your environment. Even if the default configuration suits you perfectly it is still worth
understanding how message tracking is configured, and how those configuration options impact your
ability to do message tracking log searches.

In this chapter we’ll go through each of the message tracking configuration options that are available in
Exchange Server, and then look at some of the factors you can take into consideration when planning a
configuration to suit your environment.

A default configuration for Exchange Server 2010 and Exchange Server 2013 is:

 Message tracking is enabled


 Log retention is 30 days
 The maximum log directory size is 1000Mb (1Gb)
 The maximum log file size is 10Mb
 The tracking log directory is set to <install path>\TransportRoles\Logs\MessageTracking
 Subject logging is enabled

Here is an example of how the default configuration looks when queried using PowerShell.

[PS] C:\>Get-TransportServer -Identity E14MB1 | Select *messagetracking*

MessageTrackingLogEnabled True :
MessageTrackingLogMaxAge :
30.00:00:00
MessageTrackingLogMaxDirectorySize :
1000 MB (1,048,576,000 bytes)
MessageTrackingLogMaxFileSize :
10 MB (10,485,760 bytes)
MessageTrackingLogPath :
C:\Program Files\Microsoft\Exchange
Server\V14\TransportRoles\Logs\
MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True

Note: In Exchange Server 2013 the services previously associated with the Hub Transport server role
now reside on the Mailbox server role. This means that Get-TransportService/Set-TransportService
and Get-MailboxServer/Set-MailboxServer can be used in Exchange 2013 and will achieve the same
outcomes. However for the sake of simplicity, and to avoid using cmdlets that are being deprecated,
this guide will use Get-TransportService/Set-TransportService in Exchange 2013 examples.

7
Some of these configuration options can be viewed and modified using the Exchange Management
Console for Exchange Server 2010, or the Exchange Admin Center for Exchange Server 2013. We’re
going to take a closer look at those in the next part of this chapter.

I will also demonstrate the use of PowerShell for managing the message tracking configuration as this
allows all of the configuration items to be viewed and modified.

Let’s take a look through each of the configuration options so that you can review your own
environment.

Enabling Message Tracking


Message tracking is enabled by default, and for most organizations having it enabled is the ideal
configuration. However if you have taken over the administration of Exchange from someone else it is
worth checking that message tracking is still enabled on your servers.

Enabling Message Tracking Using the Exchange 2010


Management Console
Message tracking can be enabled and disabled for Exchange 2010 within the Exchange Management
Console.

Navigate to the Server Configuration  Hub Transport section.

8
Right-click on a server and choose Properties. On the Log Settings tab you can enable or disable
message tracking, and configure the log directory.

Enabling Message Tracking Using the Exchange 2013 Admin


Center
For Exchange 2013 message tracking can be enabled and disabled in the Exchange Admin Center.

Navigate to the Servers section.

9
Select a server and click the edit (pencil) icon.

In the Transport Logs section you can enable or disable message tracking, and configure the log
directory.

10
Enabling Message Tracking Using PowerShell
In both versions of Exchange Server it is easier to use PowerShell to check whether message tracking is
enabled for all of your servers.

For Exchange 2010 Hub Transport and Edge Transport servers:

[PS] C:\>Get-TransportServer | Select Name,MessageTrackingLogEnabled

Name MessageTrackingLogEnabled
---- -------------------------
BR-EX2010-MB True
HO-EX2010-MB1 False
HO-EX2010-MB2 True
HO-EX2010-EDGE True

For Exchange 2010 Mailbox servers:

[PS] C:\>Get-MailboxServer | Select Name,MessageTrackingLogEnabled

Name MessageTrackingLogEnabled
---- -------------------------
BR-EX2010-MB True
HO-EX2010-MB1 False
HO-EX2010-MB2 True
HO-EX2010-PF True

Note: In Exchange Server 2010 the Hub Transport server is configured with Set-TransportServer and
the Mailbox server is configured with Set-MailboxServer. However if both roles are installed on the
same Exchange 2010 server, as they are in the examples above, there is only one message tracking
configuration for the entire server, not one for each separate role. Both sets of cmdlets can be used
to get or set the message tracking configuration for the entire Exchange 2010 server.

11
For Exchange 2013 Mailbox servers:

[PS] C:\>Get-TransportService | Select Name,MessageTrackingLogEnabled

Name MessageTrackingLogEnabled
---- -------------------------
E15MB1 True
E15MB2 True
E15MB3 False

If you locate servers that do not have message tracking enabled you can quickly enable it using
PowerShell.

For Exchange 2010 Hub Transport and Edge Transport servers:

[PS] C:\>Set-TransportServer HO-EX2010-MB1 –MessageTrackingLogEnabled $true

For Exchange 2010 Mailbox servers:

[PS] C:\>Set-MailboxServer HO-EX2010-MB1 –MessageTrackingLogEnabled $true

For Exchange 2013 Mailbox servers:

PS] C:\>Set-TransportService E15MB3 –MessageTrackingLogEnabled $true

Review your servers to confirm that message tracking is enabled. If it is not enabled, before you do
enable it check whether the servers have adequate free disk space to begin storing message tracking
logs.

If you have any concerns about the available disk space for storing message tracking logs then wait until
you’ve read the sections later in this chapter on configuring the log path and maximum log folder size.

12
Configuring the Message Tracking Log Path
The message tracking log path determines where the actual log files will be written to on the server. This
needs to be a folder located on a volume on the Exchange Server itself (i.e. it can’t be a UNC path to a
network share).

By default the message tracking log path is set to a sub-folder of the Exchange installation folder, for
example if Exchange Server 2010 is installed to the C: drive then the path will be:

C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

For most environments the disk activity that message tracking log generates is not harmful to server
performance. However some organizations will prefer to store the message tracking logs on a different
volume than the Exchange installation resides on, for reasons such as allowing a very large amount of
log data to be retained without causing low free disk space on the system volume.

The message tracking log path for Exchange Server 2010 can be configured in the Exchange
Management Console.

In the previous section of this chapter you saw where the log directory could be configured using the
Exchange 2010 and 2013 management consoles.

In both versions of Exchange Server it is easier to use PowerShell to configure view the message tracking
log paths.

For Exchange 2010 Hub Transport and Edge Transport servers the Get-TransportServer cmdlet is used:

[PS] C:\>Get-TransportServer | Select Name,MessageTrackingLogPath

Name MessageTrackingLogPath
---- ----------------------
HO-EX2010-MB1 C:\Program Files\Microsoft\Exchange
Server\V14\TransportRoles\Logs\MessageTracking
HO-EX2010-MB2 C:\Program Files\Microsoft\Exchange
Server\V14\TransportRoles\Logs\MessageTracking
BR-EX2010-MB C:\Program Files\Microsoft\Exchange
Server\V14\TransportRoles\Logs\MessageTracking
HO-EX2007-MB1 C:\Program Files\Microsoft\Exchange
Server\TransportRoles\Logs\MessageTracking

13
For Exchange 2010 Mailbox servers the Get-MailboxServer cmdlet is used:

[PS] C:\>Get-MailboxServer | Select Name,MessageTrackingLogPath

For Exchange 2013 Mailbox servers the Get-TransportService cmdlet is used:

[PS] C:\>Get-TransportService | Select Name,MessageTrackingLogPath

You can also modify the message tracking log path in PowerShell.

For Exchange 2010 Hub Transport and Edge Transport servers the Set-TransportServer cmdlet is used:

[PS] C:\>Set-TransportServer HO-EX2010-MB1 -MessageTrackingLogPath


"D:\Logs\MessageTracking"

For Exchange 2010 Mailbox servers the Set-MailboxServer cmdlet is used:

[PS] C:\>Set-MailboxServer HO-EX2010-MB1 -MessageTrackingLogPath


"D:\Logs\MessageTracking"

For Exchange 2013 Mailbox servers the Set-TransportService cmdlet is used:

[PS] C:\>Set-TransportService E15MB1 -MessageTrackingLogPath


"D:\Logs\MessageTracking"

14
Configuring Message Tracking Log Retention
Message tracking log retention is an important consideration for Exchange Server administrators. If log
files aren’t available for a period of time that you’ve been asked to perform a search for, then it makes it
impossible to respond to those requests unless you are able to restore the files from a backup. On the
other hand, if too much log data is retained then you may encounter disk space issues.

The goal is to strike a balance between retaining too much log data that takes up a lot of disk space, and
retaining too little information such that troubleshooting historical issues becomes difficult.

The two retention settings to configure so that you can strike that balance are the maximum (max) age,
and max directory size.

[PS] C:\>Get-TransportService E15MB1 | Select messagetrackinglogmax*

MessageTrackingLogMaxAge : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 1000 MB (1,048,576,000 bytes)
MessageTrackingLogMaxFileSize : 10 MB (10,485,760 bytes)

The max age is the number of days that the message tracking log files will be retained. The default is 30
days, and you can easily increase it to a longer duration which may be more desirable in your
environment.

For example, to set the max age to 90 days:

[PS] C:\>Set-TransportService E15MB1 -MessageTrackingLogMaxAge 90.00:00:00

The format of that duration is “Days.Hours:Minutes:Seconds”, so “90.00:00:00” means 90 days.

A longer duration means more log data is available for support or forensic cases without having to
restore files from backup.

15
Of course you will likely want all of your servers to have the same max log age configured.

[PS] C:\>Get-TransportService | Select name,messagetrackinglogmaxage

Name MessageTrackingLogMaxAge
---- ------------------------
E15MB1 90.00:00:00
E15MB2 30.00:00:00
E15MB3 30.00:00:00

You can see in the output above that two of the servers are still configured with a 30 day max age. To
set all servers to the same max log age of 90 days I would use this command:

[PS] C:\>Get-TransportService | Set-TransportService -MessageTrackingLogMaxAge


90.00:00:00

The second retention configuration option is the max directory size. This is the maximum amount of
tracking log data that the server will retain, regardless of how many days you’ve configured the max log
age to.

So for example, if you have a max log age of 90 days, and a max directory size of 1000 Mb, the server
will discard the oldest log files once the directory has reached 1000 Mb in size even if it only has 30 or 60
days’ worth of log files in it.

You can think of the max directory size as a safety catch to prevent the server’s disk drive from filling up
with an unexpectedly large amount of message tracking log data.

The default max directory size is 1000 Mb (or 1 Gb).

[PS] C:\>Get-TransportService | Select name,messagetrackinglogmaxdirectorysize

Name MessageTrackingLogMaxDirectorySize
---- ----------------------------------
E15MB1 1000 MB (1,048,576,000 bytes)
E15MB2 1000 MB (1,048,576,000 bytes)
E15MB3 1000 MB (1,048,576,000 bytes)

Servers these days tend to have large disk drives, and as we also saw earlier the log folder can be
changed to a different path if you wanted to use a larger disk drive to store the log files.

16
So I tend to increase the max directory size to several gigabytes in combination with a longer retention
age of 90 days. This is especially true in major sites that handle a large amount of traffic within an
organization.

[PS] C:\>Get-TransportService | Set-TransportService -


MessageTrackingLogMaxDirectorySize 4Gb

Note: When an Exchange 2010 server is installed with both the Hub Transport and Mailbox server
roles the tracking log files, with their different naming conventions, are counted separately when it
comes to enforcing the maximum directory size. This means that on a server with both roles
installed the actual maximum directory size is 2x the value you specify.

For Exchange Server 2013, even if no email is being sent and received by humans, there is a small
amount of message tracking log data that will be generated by the health probes and monitors that are
part of the Managed Availability feature.

You don’t need to do anything about this, just be aware that this is happening so you aren’t surprised to
see addresses like HealthMailboxa24b3b318f3b41648e5cbd68426fd53e@exchange2013demo.com in
your message tracking logs.

Note: You may notice the MessageTrackingLogMaxFileSize as well, which defaults to 10Mb. This is
the size that an individual message tracking log file can grow to before it is closed off and a new log
file created. There is no need to modify this setting.

Considerations for a Message Tracking Server


Configuration
In your own environment you will need to consider a variety of different factors to work out what the
best message tracking configuration is for your servers.

A consistent configuration across all of your servers will be the easiest to maintain.

However factors such as different volumes of message traffic in different sites, or different storage
capacity in servers of different age and specification, may cause you to vary the configuration on some
servers.

17
Servers that are in hub sites or internet-facing sites may process higher volumes of message traffic each
day, requiring a larger max directory size to accommodate the desired number of days of log retention.

Servers with low free disk space on the volume where Exchange is installed, or with a very low retention
period configured, may need a dedicated log drive to help manage capacity.

Your retention period needs to be long enough to suit your historical analysis needs, but not too long
that it might cause a disk space problem on your servers.

There are also security concerns for some organizations when it comes to message subject logging, and
a decision may need to be made to disable message subject logging.

Lastly, don’t forget Edge Transport servers. You will need to log on to them and configure them
separately, unlike your internal Exchange servers that can be easily configured in bulk using PowerShell.

Permissions Required for Message Tracking Log


Searches
Although end users can look at their own delivery reports, some administrative rights are required to
perform message tracking for other mailboxes in the organization.

The right to do message tracking log searches in an Exchange organization is granted to the Message
Tracking management role that is pre-configured when Exchange is installed1.

This role is assigned by default to these role groups:

 Organization Management
 Recipient Management
 Records Management

This means that an Exchange administrator who is already a member of the “Exchange Organization
Administrators” group, or a help desk operator who is already a member of the “Exchange Recipient
Administrators”, will already have the required rights to track messages.

Records Management has no members by default, but can be used when you are also assigning the
rights to configure features such as transport rules, retention policy tags, audit logs, and other
compliance features.

If you have a need to only assign rights to perform message tracking log searches, and nothing else, then
you can create a new role group in the Exchange Control Panel, in the Roles & Auditing section.

1
To learn more about Roles-Based Access Control go to TechNet: http://technet.microsoft.com/en-
us/library/dd298183(v=exchg.141).aspx

18
In this example I’ve created a role group called “Message Tracking RG” and assigned it the “Message
Tracking” role.

Create a Universal Security group in Active Directory and add it as a member of the new role group. For
this example I created a group called “Exchange Message Tracking”.

19
You can then add user accounts to that Universal Security group (either directly or by nesting another
group) to give them the rights to perform message tracking log searches. The only additional
requirement is that they have access to the Exchange Toolbox, the Exchange Management Shell, or
PowerShell with remoting to run the searches.

20
Message Tracking with Delivery Reports
Delivery reports provide an easy way for end users and administrators to check whether a message was
delivered, how long it took to deliver, and even whether it has been read by the recipients.

Some administrators such as help desk staff would likely find delivery reports, particularly those
generated using the Exchange Control Panel, to be much easier to use than the more complex and
detailed message tracking log searches.

Enabling and Disabling Read Tracking


The Exchange Server organization has the option to track read status on emails, so that the status can be
included in delivery reports. This option is disabled by default.

To see the current configuration use Get-OrganizationConfig.

[PS] C:\>Get-OrganizationConfig | Select ReadTrackingEnabled

ReadTrackingEnabled : False

To enable read tracking use Set-OrganizationConfig.

[PS] C:\>Set-OrganizationConfig -ReadTrackingEnabled $true

End User Delivery Reports


An under-used feature of Exchange is the ability for end users to use delivery reports to determine
whether a message was successfully delivered.

21
Delivery reports can be accessed in Outlook Web App by right-clicking a sent item and choosing Open
Delivery Report.

The delivery report will pop-up and provide the end user with some information that lets them see
whether the email message was delivered successfully to each recipient.

22
Delivery Reports can also be accessed by the end user in the Exchange Control Panel, which provides
very basic search functionality to search for messages based on the sender, recipients, and optionally
the subject line.

After selecting whether to search for messages that have been sent to a person, or received from a
person, the user can click the Select Users button and either choose an Address Book or Contacts entry,
or type an SMTP address directly into the Message Recipients field.

23
After clicking Search and waiting a few moments for the search results to appear the user can then see a
simple report with the details of individual messages that are listed in the search results.

24
Administrator Delivery Reports Using the Exchange
Control Panel/Exchange Admin Center
The Exchange Control Panel in Exchange Server 2010 provides the same interface for delivery reports as
we saw earlier for end user delivery reports. The key difference is that the “Mailbox to search” field is
also available to allow the administrator to search other mailboxes.

For Exchange 2013 the Exchange Admin Center provides a similar web interface for administrator
delivery reports, found in the Mail Flow  Delivery Reports section of the web console.

25
Administrator Delivery Reports Using PowerShell
Administrators who are assigned the Message Tracking management role (refer to the “Permissions
Required for Message Tracking Log Searches “ section for details) can also use PowerShell to retrieve
delivery reports.

There are two steps involved in this process. First a search is performed, then a second command is run
to get the delivery report information for a specific message.

To run the search use the Search-MessageTrackingReport cmdlet. This cmdlet has two required
parameters:

 Identity – the mailbox that the message tracking report is being searched for
 Sender – the sender of the message (if this is the same as the Identity then it can be left out)

Other common but optional search parameters include Recipients, Subject, and MessageID as three
additional common parameters.

[PS] C:\>Search-MessageTrackingReport -Identity "Alan Reid" -Recipients


"[email protected]" -Subject "Latest Sales Figures"

RunspaceId : 6fbade96-1ea5-48a1-ba2c-3add1fa6bcba
MessageTrackingReportId : Message-Id=<D914276AA2D0C0489E25D20BE79753D593569EA2@HO-
EX2010-MB1.exchangeserverpro.net>,Ser
ver=ho-ex2010-mb2.exchangeserverpro.net,Internal-
Id=592679,Sender=d379b31e-0996-46cb-a064-ee5
ff0bf13be,Domain=exchangeserverpro.net
SubmittedDateTime : 11/8/2013 11:03:14 AM
Subject : Latest sales figures
FromAddress : [email protected]
FromDisplayName : Alan Reid
RecipientAddresses : {[email protected]}
RecipientDisplayNames : {Alex Heyne}
Identity :
IsValid : True

If you get multiple results then the MessageID is a good value to use to narrow the search to one specific
message. The message ID is visible in the search results above or if you have access to look at the email
message itself you can retrieve it from the message headers.

[PS] C:\>$msg = Search-MessageTrackingReport -Identity "Alan Reid" -MessageId


D914276AA2D0C0489E25D20BE79753D593569EA2@HO-EX2010-MB1.exchangeserverpro.net

26
Having identified the specific message you wish to get a delivery report for you can pipe the output into
Get-MessageTrackingReport.

There are two types of reports you can output. The first is the summary report, that provides a summary
of the delivery status for all recipients of the message.

[PS] C:\>$msg = Search-MessageTrackingReport -Identity "Alan Reid" -MessageId


D914276AA2D0C0489E25D20BE79753D593569EA2@HO-EX2010-MB1.exchangeserverpro.net

[PS] C:\>Get-MessageTrackingReport -Identity $msg.MessageTrackingReportID -


ReportTemplate Summary

RunspaceId : 6fbade96-1ea5-48a1-ba2c-3add1fa6bcba
MessageTrackingReportId : Message-Id=<D914276AA2D0C0489E25D20BE79753D593569EA2@HO-
EX2010-MB1.exchangeserverpro.net>,Ser
ver=ho-ex2010-mb2.exchangeserverpro.net,Internal-
Id=592679,Sender=d379b31e-0996-46cb-a064-ee5
ff0bf13be,Domain=exchangeserverpro.net
SubmittedDateTime : 11/8/2013 11:03:14 AM
Subject : Latest sales figures
FromAddress : [email protected]
FromDisplayName : Alan Reid
RecipientAddresses : {[email protected]}
RecipientDisplayNames : {Alex Heyne}
DeliveredCount : 1
PendingCount : 0
UnsuccessfulCount : 0
TransferredCount : 0
RecipientTrackingEvents : {[email protected],Delivered,,2013-11-
08T11:03:15.5070000Z}
Identity :
IsValid : True

The other report is a detailed tracking report for one specific recipient. Remember that a message can
have multiple recipients, and even if only one recipient was included in the message you still need to tell
Get-MessageTrackingReport which recipient you want the detailed report for by using the –
RecipientPathFilter parameter.

[PS] C:\>Get-MessageTrackingReport -Identity $msg.MessageTrackingReportID -


RecipientPathFilter "[email protected]" -ReportTemplate
RecipientPath

RunspaceId : 6fbade96-1ea5-48a1-ba2c-3add1fa6bcba
MessageTrackingReportId : Message-Id=<D914276AA2D0C0489E25D20BE79753D593569EA2@HO-
EX2010-MB1.exchangeserverpro.net>,Ser
ver=ho-ex2010-mb2.exchangeserverpro.net,Internal-

27
Id=592679,Sender=d379b31e-0996-46cb-a064-ee5
ff0bf13be,Domain=exchangeserverpro.net
SubmittedDateTime : 1/1/0001 12:00:00 AM
Subject :
FromAddress :
FromDisplayName :
RecipientAddresses : {}
RecipientDisplayNames :
DeliveredCount : 0
PendingCount : 0
UnsuccessfulCount : 0
TransferredCount : 0
RecipientTrackingEvents : {[email protected],Submitted,,2013-11-
08T11:03:14.9500000Z, Alex.Heyne@exchang
eserverpro.net,Delivered,,2013-11-08T11:03:15.5070000Z}
Identity :
IsValid : True

As a final tip, if you’d like to see a neater output for the tracking events you can expand that property.
Here you can see the two tracking events expanded and shown in more detail.

[PS] C:\>Get-MessageTrackingReport -Identity $msg.MessageTrackingReportID -


RecipientPathFilter "[email protected]" -ReportTemplate
RecipientPath | Select -ExpandProperty RecipientTrackingEvents

Date : 11/8/2013 11:03:14 AM


RecipientAddress : [email protected]
RecipientDisplayName : Alex Heyne
Status : Pending
EventType : Submit
EventDescription : The message was submitted.
EventData :
Server :
Identity :
IsValid : True

Date : 11/8/2013 11:03:15 AM


RecipientAddress : [email protected]
RecipientDisplayName : Alex Heyne
Status : Delivered
EventType : Deliver
EventDescription : The message was successfully delivered.
EventData :
Server :
Identity :
IsValid : True

28
Performing Message Tracking Log Searches
In the previous chapter we looked at the configuration of message tracking for your Exchange Servers.
That configuration is mostly going to be a one-time activity, except for the occasional check to ensure
that the configuration is still correct.

Most of your time spent on message tracking will be in performing message tracking searches. So in this
chapter we’ll look at how you can make use of the different Exchange management tools to perform
message tracking searches.

Using the Exchange Toolbox for Exchange Server


2010
The Exchange Toolbox for Exchange 2010 can be found in the management console, and provides access
to mail flow troubleshooting tools.

In the Toolbox the Message Tracking tool launches the same Exchange Control Panel web interface that
we looked at earlier in this chapter.

29
The Tracking Log Explorer tool launches a GUI interface for searching message tracking logs.

The message Tracking Log Explorer provides a fairly user-friendly interface for administrators to perform
searches, but has a few limitations as well. Wildcard searches are not possible, nor are searches across
multiple servers simultaneously. And although reports files are automatically saved by the tool, they can
only be exported in XML format which is not as user-friendly as CSV would be.

So while the Tracking Log Explorer is decent tool for single server environments, in any larger
environment you will find PowerShell a much better way to perform message tracking log searches.

For Exchange 2013 there is an Exchange Toolbox that can be launched from the Start screen, however it
does not include any message tracking tools.

30
Searching Message Tracking Logs with PowerShell
Although administrator delivery reports or the message tracking log explorer are fine for simple
searches, they doesn’t work so well when you want to do wildcard searches, search multiple servers at
once, filter on more criteria, or export data for further analysis.

For those operations PowerShell is the way to go, and frankly once you’ve seen how powerful
PowerShell is for message tracking log searches you’ll probably never use the explorer tool again.

Getting Started with Get-MessageTrackingLog


Message tracking log searches are performed in the Exchange Management Shell by running the Get-
MessageTrackingLog cmdlet. You can run this cmdlet with no parameters on any Transport or Mailbox
server that is enabled for message tracking, and it will return the first 1000 results of the log entries on
that server.

You can also search a remote server using the -Server parameter. This is useful when you are running
the search from your own admin workstation or a separate management server, instead of while logged
on directly to an Exchange server. In fact, there is no real reason why you need to run the searches on
an Exchange server. Using the management tools remotely is far more convenient, as well as avoiding
problems such as very large searches consuming a lot of memory and impacting server performance.

[PS] C:\>Get-MessageTrackingLog -Server HO-EX2010-MB2

The Get-MessageTrackingLog cmdlet also accepts input from the pipeline. This is a very convenient way
to perform searches on multiple servers at once.

31
For example to search all Mailbox servers at once:

[PS] C:\>Get-MailboxServer | Get-MessageTrackingLog

You can pipe any group of servers into the cmdlet. For example, sometimes you may wish to search the
servers only within a particular site. Also, because I might need to work with that group of servers in a
few different commands I’ll usually collect those into a variable first, for example all Mailbox servers in
the “Sydney” site:

[PS] C:\>$servers = Get-ExchangeServer | where {$_.Site -match "Sydney" -and


$_.IsMailboxServer}

I can then pipe that array of servers into the Get-MessageTrackingLog cmdlet.

[PS] C:\>$servers | Get-MessageTrackingLog

Interpreting the Output


The default output for Get-MessageTrackingLog presents the information in a table with just a few
properties shown.

32
Displaying the output in a list instead, using the Format-List cmdlet, gives you more details to look at.

There’s still a lot of information there to interpret, so let’s take a closer look at an example. Here we
have Alan Reid sending his weekly marketing report to two distribution lists, with an additional recipient
in the BCC field.

33
Now let’s take a look at the message tracking log data for that message.

[PS] C:\>Get-ExchangeServer | Get-MessageTrackingLog -Sender


[email protected] -MessageSubject "Weekly Marketing Report" -Start
11/5/2013

At this stage don’t worry about the syntax of that command. You’ll learn all about how to run
commands just like that one a little later in this guide. For now let’s take a look at interpreting the
results themselves.

EventId Source Sender Recipients


------- ------ ------ ----------
RECEIVE STOREDRIVER [email protected] {HeadOfficeStaff@e...
SUBMIT STOREDRIVER [email protected] {}
EXPAND ROUTING [email protected] {Alex.Heyne@exchan...
EXPAND ROUTING [email protected] {Alan.Reid@exchang...
HAREDIRECT ROUTING [email protected] {Alannah.Shaw@exch...
TRANSFER ROUTING [email protected] {Alice.Mullins@exc...
RECEIVE SMTP [email protected] {Alex.Heyne@exchan...
SEND SMTP [email protected] {Alex.Heyne@exchan...
RECEIVE SMTP [email protected] {Alex.Heyne@exchan...
SEND SMTP [email protected] {Alex.Heyne@exchan...
DELIVER STOREDRIVER [email protected] {Harold.Bilson@exc...
DELIVER STOREDRIVER [email protected] {Alex.Heyne@exchan...
DELIVER STOREDRIVER [email protected] {Amanda.Agrawal@ex...
DUPLICATEDELIVER STOREDRIVER [email protected] {Alex.Heyne@exchan...
RECEIVE SMTP [email protected] {Alannah.Shaw@exch...
SEND SMTP [email protected] {Alannah.Shaw@exch...
DELIVER STOREDRIVER [email protected] {Alice.Mullins@exc...

To begin with there are two events; RECEIVE and SUBMIT for the STOREDRIVER source. To look closer at
the full details of these events I’ve piped the output into Format-List.

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:25 PM
ClientIp : fe80::fd7b:a095:931f:be8e
ClientHostname : HO-EX2010-MB1.exchangeserverpro.net
ServerIp : fe80::f148:390:568f:38dc%13
ServerHostname : HO-EX2010-MB2
SourceContext : 08D0A5850387A95D
ConnectorId :
Source : STOREDRIVER
EventId : RECEIVE
InternalMessageId : 586195
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>

34
Recipients : {[email protected],
[email protected], Alex.Heyne@e
xchangeserverpro.net}
RecipientStatus : {To, To, Cc}
TotalBytes : 30187
RecipientCount : 3
RelatedRecipientAddress :
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo : 04I:
MessageLatency :
MessageLatencyType : None

As you can see in Appendix A, a RECEIVE event means that a message was received from one of multiple
sources. One of those sources is a user mailbox, which is confirmed by the source of STOREDRIVER
which refers to MAPI submission from a mailbox.

I’ll pause at this stage to point out how valuable the tables in Appendix A are for you as you begin
interpreting more and more message tracking log data. There are a lot of events and sources to
remember, and nobody expects you to remember them all from the beginning. Use the tables as a
reference as much as you need to, until you become more familiar with the common events and
sources.

Next is the SUBMIT event, also with a source of STOREDRIVER.

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:25 PM
ClientIp : fe80::fd7b:a095:931f:be8e%15
ClientHostname : HO-EX2010-MB1
ServerIp :
ServerHostname : HO-EX2010-MB2
SourceContext : MDB:c97dee3d-656b-41da-aaaa-af6bdaae6ee9,
Mailbox:d379b31e-
0996-46cb-a064-ee5ff0bf13be, Event
:1046957, MessageClass:IPM.Note, CreationTime:2013-11-
05T11:38:24.474Z, ClientType:MOMT
ConnectorId :
Source : STOREDRIVER
EventId : SUBMIT
InternalMessageId :
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {}
RecipientStatus : {}
TotalBytes :
RecipientCount :
RelatedRecipientAddress :

35
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath :
MessageInfo : 2013-11-05T11:38:24.474Z;LSRV=HO-EX2010-
MB1.exchangeserverpro.net:TOTAL=1
MessageLatency : 00:00:01.3280000
MessageLatencyType : LocalServer

Again the tables in Appendix A tell us that SUBMIT means that a message was successfully transmitted
to the Transport service.

Next there are a number of ROUTING source events as the Transport service determines where the
messages need to be sent.

The first two events are EXPAND events, which occurs when a distribution list has been included as a
recipient of the message and needs to be expanded to determine the individual members. There are
two EXPAND events because two distribution lists were included in the email message.

Look closely and you can see the address of the distribution group, and the addresses of the individual
recipients the group was expanded to.

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:26 PM
ClientIp :
ClientHostname :
ServerIp :
ServerHostname : HO-EX2010-MB2
SourceContext : HO-DC.exchangeserverpro.net
ConnectorId :
Source : ROUTING
EventId : EXPAND
InternalMessageId : 586195
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {[email protected],
[email protected]}
RecipientStatus : {250 2.1.5 RESOLVER.GRP.Expanded; distribution list
expanded}
TotalBytes : 30187
RecipientCount : 2
RelatedRecipientAddress : [email protected]
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo :
MessageLatency :
MessageLatencyType : None

36
EventData :

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:26 PM
ClientIp :
ClientHostname :
ServerIp :
ServerHostname : HO-EX2010-MB2
SourceContext : HO-DC.exchangeserverpro.net
ConnectorId :
Source : ROUTING
EventId : EXPAND
InternalMessageId : 586195
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {[email protected],
[email protected],
Alice.Mullins@exchanges
erverpro.net, [email protected],
[email protected]}
RecipientStatus : {250 2.1.5 RESOLVER.GRP.Expanded; distribution list
expanded}
TotalBytes : 30187
RecipientCount : 5
RelatedRecipientAddress : [email protected]
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo :
MessageLatency :
MessageLatencyType : None
EventData :

Let’s jump ahead a little and look at some of the SMTP events that occurred.

Because the message was being sent to recipients in both the head office and the branch office location
there are events logged for the sending of the message via SMTP to the branch office Transport server.

First, the head office server HO-EX2010-MB2 logs a SEND event as it queues the mail for delivery using
the Intra-Organization SMTP Send Connector (this is a special hidden send connector used to transmit
messages between different sites within your organization).

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:26 PM
ClientIp : 10.1.1.22
ClientHostname : HO-EX2010-MB2
ServerIp : 10.1.2.21
ServerHostname : BR-EX2010-MB.exchangeserverpro.net
SourceContext : 08D0A5850387A95E;250 2.6.0

37
<D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangese rverpro.net> [InternalId=101335]
Queued mail for delivery
ConnectorId : Intra-Organization SMTP Send Connector
Source : SMTP
EventId : SEND
InternalMessageId : 586195
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {[email protected]}
RecipientStatus : {250 2.1.5 Recipient OK}
TotalBytes : 30711
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo : 2013-11-05T11:38:24.474Z;LSRV=HO-EX2010-
MB2.exchangeserverpro.net:TOTAL=1
MessageLatency : 00:00:02.3760000
MessageLatencyType : LocalServer
EventData :

The branch office server BR-EX2010-MB logs a RECEIVE event as it receives the email via its default
receive connector.

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:26 PM
ClientIp : 10.1.1.22
ClientHostname : HO-EX2010-MB2.exchangeserverpro.net
ServerIp : 10.1.2.21
ServerHostname : BR-EX2010-MB
SourceContext : 08D0A58481FB12A4;2013-11-05T11:38:26.330Z;0
ConnectorId : BR-EX2010-MB\Default BR-EX2010-MB
Source : SMTP
EventId : RECEIVE
InternalMessageId : 101335
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {[email protected]}
RecipientStatus : {}
TotalBytes : 31122
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo : 0cI:
MessageLatency :

38
MessageLatencyType : None
EventData : {[FirstForestHop, BR-EX2010-MB.exchangeserverpro.net]}

Finally let’s look at some of the events that indicate the message was delivered. First there is a DELIVER
event from source STOREDRIVER on the branch office server BR-EX2010-MB.

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:27 PM
ClientIp :
ClientHostname : BR-EX2010-MB
ServerIp :
ServerHostname : BR-EX2010-MB
SourceContext : 08D0A58481FB12A5;2013-11-05T11:38:26.814Z;0
ConnectorId :
Source : STOREDRIVER
EventId : DELIVER
InternalMessageId : 101335
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {[email protected]}
RecipientStatus : {Marketing Reports}
TotalBytes : 31088
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo : 2013-11-05T11:38:24.474Z;SRV=HO-EX2010-
MB1.exchangeserverpro.net:TOTAL=0;SRV=HO-EX2010-MB2.ex
changeserverpro.net:TOTAL=1;SRV=BR-EX2010-
MB.exchangeserverpro.net:TOTAL=1
MessageLatency : 00:00:03.2150000
MessageLatencyType : EndToEnd
EventData : {[RuleCacheCorruptions,
SMTP:[email protected]:Inbox
|SMTP:[email protected]:Marketing Reports],
[MailboxDatabaseName, mb-br-01], [DatabaseHealth, -1]}

Then there is a DUPLICATEDELIVER event, which Appendix A tells us is due to the recipient being
included in the message more than once (in this case because he was in a distribution group as well as
the CC field), so the duplicate message is delivered and then removed by the information store.

RunspaceId : 5006f1cc-bca1-4396-9475-331ceaeb07e6
Timestamp : 11/5/2013 9:38:28 PM
ClientIp :
ClientHostname : BR-EX2010-MB
ServerIp :
ServerHostname : BR-EX2010-MB
SourceContext : 08D0A58481FB12A5;2013-11-05T11:38:26.814Z;1

39
ConnectorId :
Source : STOREDRIVER
EventId : DUPLICATEDELIVER
InternalMessageId : 101336
MessageId : <D914276AA2D0C0489E25D20BE79753D5935686BB@HO-EX2010-
MB1.exchangeserverpro.net>
Recipients : {[email protected]}
RecipientStatus : {Marketing Reports}
TotalBytes : 31134
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Weekly Marketing Report
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo : 2013-11-05T11:38:24.474Z
MessageLatency :
MessageLatencyType : None
EventData : {[MailboxDatabaseName, mb-br-01], [DatabaseHealth, -1]}

The EventData field even tells us which mailbox database the message was delivered to.

Speaking of EventData, did you notice something in the previous DELIVER log entry?

EventData : {[RuleCacheCorruptions,
SMTP:[email protected]:Inbox
|SMTP:[email protected]:Marketing Reports],
[MailboxDatabaseName, mb-br-01], [DatabaseHealth, -1]}

As it turns out Alex Heyne has an inbox rule set up on his mailbox.

[PS] C:\>Get-InboxRule -Mailbox Alex.Heyne | ft -auto

Name Enabled Priority RuleIdentity


---- ------- -------- ------------
Weekly Marketing Report True 1 7949471912088829953

40
And that inbox rule is configured to move the “Weekly Marketing Report” out of the inbox and into a
folder within his mailbox.

[PS] C:\>Get-InboxRule -Mailbox Alex.Heyne | Select Name,Description | fl

Name : Weekly Marketing Report


Description : If the message:
the message includes specific words in the subject 'Weekly
Marketing Report'
Take the following actions:
move the message to folder 'Marketing Reports'

And the EventData field gives us a clue that this has occurred, which is very useful to know if you are
tracking down what happened to a message that was delivered but that the recipient claims they never
saw in their inbox.

From the example above we’ve been able to track the message through the transport pipeline and even
be able to tell that it was moved by an inbox rule in one of the recipient’s mailboxes. Can you see how
powerful message tracking log searches are for determine exactly what happened to an email?

Now let’s learn more about how to actually run message tracking log searches in PowerShell.

Handling the Default Resultsize


You may find that you are often running message tracking log searches that return several thousand
results. However, by default the cmdlet will return only 1000 results. This is the default behaviour of
many of the Exchange cmdlets, such as Get-Mailbox.

Because of this, you should try to get in to the habit of using the -Resultsize parameter to return a
larger, or even unlimited, number of results when running Get-MessageTrackingLog.

[PS] C:\>Get-TransportServer | Get-MessageTrackingLog -Resultsize unlimited

Be warned, some searches can return hundreds of thousands, or even millions of results. These results
are stored in memory by PowerShell, and on more than one occasion I’ve found myself dealing with
several gigabytes of memory being consumed by PowerShell.exe. Again this is a good reason to avoid
running the searches while logged on directly to an Exchange server.

So, use the unlimited resultsize with caution, and only when using the management tools from a
separate admin server or workstation.

41
Run Long Queries Once by Collecting Results in a Variable
When you’re performing investigative searches of your message tracking logs, particularly across
multiple servers, those queries can take a long time to return the results.

If you then found you needed to adjust the query, for example to be more specific, or to format the
results in a different way, you would have to wait a long time for the query to run a second time as well.

So a more efficient approach is to collect your query results into a variable, particularly very broad
queries that take a long time to run, so that you can filter and sort the collected data without having to
re-run the query.

For example, if I want to investigate reports of email problems sending to Chris Brown, I can run one
broad query across all Mailbox servers and collect the results in a variable I will call $msgs.

[PS] C:\>$msgs = Get-MailboxServer | Get-MessageTrackingLog -Recipients


"[email protected]" -resultsize unlimited

I’ve now got thousands of records (13927 of them in this case) that I can begin to filter and dissect in
different ways without having to re-run my query.

[PS] C:\>$msgs.count
13297

For example I can find the top 10 senders to Chris Brown within seconds, instead of re-running the
entire Get-MessageTrackingLog search again.

[PS] C:\>$msgs | Group-Object -Property Sender | Select-Object name,count | sort


count -desc | select -first 5 | ft –auto

Name Count
---- -----
[email protected] 980
[email protected] 953
[email protected] 943
[email protected] 927
[email protected] 919

42
The command above took just a few seconds to complete, while re-running the full log search again
could take several minutes. So you can see that by collecting the results into a variable the first time all
of the subsequent analysis of that data is able to be performed much faster.

Each Single Message is Multiple Log Entries


You’ll notice as you begin looking at message tracking logs that each individual email message generates
multiple log entries.

This is because each message goes through multiple events in the process of getting from sender to
recipient, that the number of events will vary depending on how the message needs to be routed
throughout your organization, as well as whether it is successfully delivered or not.

So a single email message may record a series of events such as RECEIVE, DEFER, TRANSFER, DELIVER,
SEND and many more:

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
RECEIVE SMTP Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
DEFER STORE... Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
DUPLI... STORE... Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
RECEIVE STORE... Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
DELIVER STORE... Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
RESUBMIT DUMPSTER Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
TRANSFER STORE... Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish
SEND SMTP Famida.Ghtoray@exchangeserverp...
{[email protected]} Prolix apropos embellish

Sorting Results by Timestamp


When you are searching multiple servers the results sometimes come back out of order, because the
servers are searched in an order that may be different to the order in which the email message passed
through them.

43
Using PowerShell we can quickly sort any results by timestamp so that we can read the tracking log
entries in the order that reflects the actual steps the message followed.

[PS] C:\>$msgs = Get-MailboxServer | Get-MessageTrackingLog -Recipients


"[email protected]" -resultsize unlimited -MessageSubject "Foppish
audacious"

EventId Source Sender Recipients


------- ------ ------ ----------
RECEIVE STORE... [email protected]
{chris.brown@exchange2013demo....
SUBMIT STORE... [email protected]
{chris.brown@exchange2013demo....
DELIVER STORE... [email protected]
{chris.brown@exchange2013demo....
HAREC... SMTP [email protected]
{chris.brown@exchange2013demo....
HADIS... SMTP [email protected]
{chris.brown@exchange2013demo....
HARED... SMTP [email protected]
{chris.brown@exchange2013demo....
RECEIVE SMTP [email protected]
{chris.brown@exchange2013demo....
AGENT... AGENT [email protected]
{chris.brown@exchange2013demo....
SEND SMTP [email protected]
{chris.brown@exchange2013demo....

[PS] C:\>$msgs | Sort-Object Timestamp

EventId Source Sender Recipients


------- ------ ------ ----------
RECEIVE STORE... [email protected]
{chris.brown@exchange2013demo....
RECEIVE SMTP [email protected]
{chris.brown@exchange2013demo....
HARED... SMTP [email protected]
{chris.brown@exchange2013demo....
AGENT... AGENT [email protected]
{chris.brown@exchange2013demo....
HAREC... SMTP [email protected]
{chris.brown@exchange2013demo....
SUBMIT STORE... [email protected]
{chris.brown@exchange2013demo....
SEND SMTP [email protected]
{chris.brown@exchange2013demo....
DELIVER STORE... [email protected]
{chris.brown@exchange2013demo....
HADIS... SMTP [email protected]
{chris.brown@exchange2013demo....

44
Sending Message Tracking Log Output to Text File
With the number of properties returned by even a simple message tracking log search it is impossible to
fit in the width of a typical PowerShell window. And the default output for Get-MessageTrackingLog only
displays a small number of the properties that it actually returns.

Piping output to the Format-List cmdlet will display all of the information, but you may still find that to
be difficult to read within a PowerShell window.

[PS] C:\>Get-MailboxServer | Get-MessageTrackingLog -Sender


[email protected] -Start (Get-Date).AddDays(-1) | Format-List

Sometimes it will simply be easier to read the data by outputting it to a text file using Out-File, and
opening it in Notepad.

[PS] C:\>Get-MailboxServer | Get-MessageTrackingLog -Sender


[email protected] -Start (Get-Date).AddDays(-1) | Format-List | Out-
File C:\Temp\messagetracking.txt

45
I do recommend you use this technique of outputting to text file often, especially when you are just
beginning to learn about message tracking, as it helps to build your understanding of the data that
message tracking log searches return and how that data can be used to filter complex searches.

Dealing with System.String[] in Exported Message Tracking Log


Data
At some stage you will want to export some message tracking log data to CSV for further analysis in
Excel.

46
If you were to pipe the output from the previous example into the Export-CSV cmdlet you will notice
that some of the fields, such as Recipients, will appear as System.String[] in the output file.

To resolve this issue you need to first pipe your Get-MessageTrackingLog results into Select-Object and
select the Recipients and RecipientStatus fields like this:

... | Select-Object eventid, sender, timestamp,


@{Name="Recipients";Expression={$_.recipients}},
@{Name="RecipientStatus";Expression={$_.recipientstatus}}, messagesubject |
Export-CSV filename.csv

This will give you the correct exported data.

47
Message Tracking Log Search Parameters
Let’s look at some specific examples of message tracking log searches using PowerShell.

Searching Message Tracking Logs by Time and Date Range


First I will demonstrate a few different ways that you can specify time and date ranges for message
tracking log searches. This is a useful technique because it can speed up your searches by minimizing the
amount of log data that the search inspects.

As an example of this speed difference, here is the result of Get-MessageTrackingLog for all logs on a
single server.

[PS] C:\>Measure-Command {Get-MessageTrackingLog -ResultSize Unlimited}


TotalSeconds : 161.8412674

In contrast, here is a search of only the last 24 hours of message tracking logs.

[PS] C:\>Measure-Command {Get-MessageTrackingLog -Start (Get-Date).AddHours(-24) -


ResultSize Unlimited}
TotalSeconds : 8.235824

161 seconds to fetch all the message tracking log data, or just 8 seconds to fetch the last 24 hours of
message tracking log data.

If you’re wondering about that “AddHours(-24)” bit don’t worry, we’ll get to that shortly.

But you can see that in a very large environment you will save yourself a lot of time by knowing how to
narrow your message tracking log searches with time and date ranges.

There are two parameters for specifying time and date ranges when running the Get-
MessageTrackingLog cmdlet.

 -Start – the point in time to start returning log entries. If omitted the search will begin at the
first entry of the oldest message tracking log file on the server.
 -End – the point in time to stop returning log entries, up to but not including the time/date
specified. If omitted the search will end at the last entry of the latest message tracking log file
on the server.

Both parameters accept values in the System.DateTime format, meaning mm/dd/yyyy hh:mm:ss.

48
An example of a valid date would be “9/19/2012”. This US-style date format is even used on non-US
systems.

Get-MessageTrackingLog -Start 9/19/2012

Another example would be “9/19/2012 13:00:00”. Quotes need to be used when specifying both a date
and time because there is a space between them. A good habit to get into is to always use quotes for
date/time strings.

Get-MessageTrackingLog -Start "9/19/2012 13:00:00"

Often you will find yourself in situations where you want to search the logs for a period of time without
having to work out the exact start or end time for the search.

For example, you may wish to search only the last hour of logs because somebody has asked you to help
troubleshoot a lost email that they only sent within the last hour.

In these situations the Get-Date cmdlet can be used to provide relative time/date ranges. This is actually
how I perform most of my own searches.

Get-Date returns a DateTime object (and outputs a human-friendly version of it to your shell).

[PS] C:\>Get-Date
Thursday, 20 September 2012 10:35:05 PM

We also get several methods that are of use to us in this situation.

[PS] C:\>get-date | Get-Member


TypeName: System.DateTime
Name MemberType Definition
---- ---------- ----------
Add Method System.DateTime Add(System.TimeSpan value)
AddDays Method System.DateTime AddDays(double value)
AddHours Method System.DateTime AddHours(double value)
AddMilliseconds Method System.DateTime AddMilliseconds(double value)
AddMinutes Method System.DateTime AddMinutes(double value)
AddMonths Method System.DateTime AddMonths(int months)

49
AddSeconds Method System.DateTime AddSeconds(double value)
AddTicks Method System.DateTime AddTicks(long value)
AddYears Method System.DateTime AddYears(int value)

I tend to use the AddHours and AddDays methods the most. Here is an example of Get-Date on its own,
and then Get-Date using the AddHours method to subtract one hour.

[PS] C:\>Get-Date
Thursday, 20 September 2012 10:35:05 PM

[PS] C:\>(Get-Date).AddHours(-1)
Thursday, 20 September 2012 9:35:18 PM

So now let’s combine that with the Get-MessageTrackingLog -Start parameter to search the message
tracking logs only for the last hour.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1)

Pretty simple stuff right? So let’s look at some more examples.

Remember as we go through each of these examples that you may need to use “-ResultSize Unlimited”
for searches that are expected to return more than 1000 results. As a general rule I use it on all searches
just to save time.

To search one entire day using start and finish dates you might be tempted to specify the same date
value as both the start and end date, but this will return an error.

[PS] C:\>Get-MessageTrackingLog -Start 9/17/2012 -End 9/17/2012 -ResultSize unlimited

The search time range was incorrectly specified. The End and Start parameter values can't
be the same.
+ CategoryInfo : InvalidArgument: (:) [], LocalizedException
+ FullyQualifiedErrorId : 7A353D3

50
The correct method is to specify the next day as the end date, remembering that the time/date value
used for -End is excluded from the results.

[PS] C:\>Get-MessageTrackingLog -Start 9/17/2012 -End 9/18/2012 -ResultSize


unlimited

In the above example only log entries occurring between 9/17/2012 00:00:00 and 9/17/2012 23:59:59
will be returned.

Obviously another way of achieving that is to specify those exact hours/minutes/seconds in your search.

[PS] C:\>Get-MessageTrackingLog -Start "9/17/2012 00:00:00" -End "9/18/2012 00:00:00" -


ResultSize unlimited

That is more typing for the exact same result, so you may as well stick to the more efficient method of
simply specifying the date on its own.

As a follow on from the previous example it should by now be clear that you can search between any
precise start and end times.

Just remember that the hh:mm:ss can be either 24-hour time or AM/PM. If you do not specify AM/PM
and enter an ambiguous time such as “11:59:59” then the time will be interpreted as AM.

For example, this will search to 11:59:59 PM.

[PS] C:\>Get-MessageTrackingLog -Start "9/17/2012 00:00:00" -End "9/17/2012


11:59:59 PM" -ResultSize unlimited

And this will also search to 11:59:59 PM, because the time is specified using 24-hour format.

[PS] C:\>Get-MessageTrackingLog -Start "9/17/2012 00:00:00" -End "9/17/2012


23:59:59" -ResultSize unlimited

51
But this will search to 11:59:59 AM, because ambiguous times will default to 24 hour format.

[PS] C:\>Get-MessageTrackingLog -Start "9/17/2012 00:00:00" -End "9/17/2012


11:59:59" -ResultSize unlimited

You may also wish to combine fixed and relative time/date values in your search.

For example, a search of all messages starting from noon on 17th September and ending 8 hours later.

[PS] C:\>Get-MessageTrackingLog -Start "9/17/2012 12:00:00" -End (Get-Date


"17/9/2012 12:00:00").AddHours(8) -ResultSize unlimited

This may seem like a strange example, but the reason I’m using it is to demonstrate one little gotcha
with DateTime values.

On my server the regional settings as set to “English (Australia)” for time, meaning the format is
dd/mm/yyyy instead of the US mm/dd/yyy.

This means that I need to use US format for Get-MessageTrackingLog, but Australian format for Get-
Date.

But I can avoid this confusion and also save a little typing by capturing the start date in a variable first,
that I can then re-use in my Get-MessageTrackingLog command, because once the DateTime object has
been capture in a variable the regional settings become irrelevant and each cmdlet is able to interpret it
correctly regardless.

[PS] C:\>$date = Get-Date "17/9/2012 12:00:00"

[PS] C:\>Get-MessageTrackingLog -Start $date -End $date.AddHours(8) -ResultSize


unlimited

52
This method also gives you the advantage of a fixed point in time if you were running multiple searches
moving through the logs hour by hour as I sometimes do.

[PS] C:\>Get-MessageTrackingLog -Start $date.AddHours(-2) -End $date.AddHours(-1)


-ResultSize unlimited

[PS] C:\>Get-MessageTrackingLog -Start $date.AddHours(-3) -End $date.AddHours(-2)


-ResultSize unlimited

[PS] C:\>Get-MessageTrackingLog -Start $date.AddHours(-4) -End $date.AddHours(-3)


-ResultSize unlimited

As a final example, remember that earlier I mentioned that a good practice is to capture your message
tracking log search results into a variable so that you can quickly and easily filter those results down
further without needing to re-run your search.

[PS] C:\>$msgs = Get-MessageTrackingLog -Start 9/17/2012 -End 9/18/2012 -


ResultSize unlimited

You can then simply use Where-Object to return more specific time/date ranges from the data already
captured in that variable, using the TimeStamp value.

For example, where in the previous command I collected all message tracking log entries for the 17th of
September, I can now quickly filter that down to only those entries that were written between 14:00
and 14:05.

[PS] C:\>$msgs | Where-Object {$_.TimeStamp -gt "9/17/2012 14:00:00" -and


$_.TimeStamp -lt "9/17/2012 14:05:00"}

When using comparison operators against DateTime values remember that -gt (greater than) means
“after/later than” and -lt (less than) means “before/earlier than”.

As you can see when you become familiar with the use of time/date ranges you can perform very fast,
very precise message tracking log searches on your Exchange Servers using PowerShell.

53
Searching Message Tracking Logs by Sender or Recipient Email
Address
Next I’m going to demonstrate a few techniques for searching logs based on sender or recipient email
address.

The Get-MessageTrackingLog cmdlet provides two parameters for specifying sender and recipient email
addresses as search criteria.

 Sender – a single SMTP address for the sender of the email message
 Recipients – one or more SMTP addresses for the recipients of the email message

Both parameters are optional, so if they are omitted the search will return all senders, all recipients, or
all of both.

To demonstrate the use of these parameters consider the following email message sent from Alan Reid
to three recipients.

Because I happen to know that this test message was sent within the last hour it is not very difficult for
me to search for by combining the -Sender parameter with the -Start parameter to search within a
time/date range.

[PS] C:\>Get-MessageTrackingLog -Sender [email protected] -Start


(Get-Date).AddHours(-1)

54
EventId Source Sender Recipients
MessageSubject
------- ------ ------ ---------- -----
---------
SUBMIT STORE... [email protected] {}
Payroll report for September
RECEIVE SMTP [email protected] {David.Gower@exchangeserverpro...
Payroll report for September
DELIVER STORE... [email protected] {Alex.Heyne@exchangeserverpro....
Payroll report for September
DELIVER STORE... [email protected] {David.Gower@exchangeserverpro...
Payroll report for September

However, if I were searching over a broader time range I may see more results than I really want to see.

[PS] C:\>Get-MessageTrackingLog -Sender [email protected]

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
SUBMIT STORE... [email protected] {}
Descry turmoil deviance
SUBMIT STORE... [email protected] {}
Impending abeyance recitals ba...
SUBMIT STORE... [email protected] {}
Egress
SUBMIT STORE... [email protected] {}
Presage visceral penurious
SUBMIT STORE... [email protected] {}
Stipple voluble blatant stymie
SUBMIT STORE... [email protected] {}
Inured
SUBMIT STORE... [email protected] {}
Heinous mercurial
SUBMIT STORE... [email protected] {}
Relapse smolder
SUBMIT STORE... [email protected] {}
Meeting minutes
SUBMIT STORE... [email protected] {}
Supine poignant
SUBMIT STORE... [email protected] {}
Indigence denigrate swerve vig...
SUBMIT STORE... [email protected] {}
Jocular
SUBMIT STORE... [email protected] {}
Oblivious apropos condone savant
SUBMIT STORE... [email protected] {}
Obdurate splice penitent

55
SUBMIT STORE... [email protected] {}
Extenuate aplomb obtain eulogy
SUBMIT STORE... [email protected] {}
Cursory cryptic rescind euphoria
SUBMIT STORE... [email protected] {}
Lucubrate ruffian
SUBMIT STORE... [email protected] {}
Indigence umbrage
SUBMIT STORE... [email protected] {}
Emaciate valiant tractable
SUBMIT STORE... [email protected] {}
Volatile fission cajole
SUBMIT STORE... [email protected] {}
Concord legacy chisel fagged
SUBMIT STORE... [email protected] {}
Egress reconcile contrite cred...
SUBMIT STORE... [email protected] {}
Abstruse salacious constrict
SUBMIT STORE... [email protected] {}
Unearth recreancy paucity
SUBMIT STORE... [email protected] {}
A meeting #1
SUBMIT STORE... [email protected] {}
A meeting #2
SUBMIT STORE... [email protected] {}
Assuage foppish
SUBMIT STORE... [email protected] {}
Clamor austere collusion
SUBMIT STORE... [email protected] {}
Waffle saturnine

...snip!

So in the case where I want to search a broader time window, but see fewer irrelevant results, I can
combine the -Sender and -Recipients parameters in my search command.

It doesn’t matter whether the recipient was in the To, CC, or BCC of the message, the search will return
any match regardless. Here the “Payroll report for September” email shown above is found even though
Alex Heyne was one of several recipients and was in the CC field.

[PS] C:\>Get-MessageTrackingLog -Sender [email protected] -


Recipients [email protected]

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------

56
RECEIVE SMTP [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
DELIVER STORE... [email protected]
{Alex.Heyne@exchangeserverpro.... Payroll report for September

You can specify multiple recipient SMTP addresses simply by separating them with a comma. When you
do this the condition is an “or” not an “and”. In other words, any messages with any one of the
recipients will be returned in the results, they do not need to be messages sent to all the recipients.

To demonstrate that, here we can see the payroll email sent to Alex and David, as well as another email
sent only to David, are both returned in the same results.

[PS] C:\>Get-MessageTrackingLog -Sender [email protected] -


Recipients [email protected],[email protected]

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
RECEIVE SMTP [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
DELIVER STORE... [email protected]
{Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER STORE... [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
RECEIVE SMTP [email protected]
{David.Gower@exchangeserverpro... Also how about lunch?
DELIVER STORE... [email protected]
{David.Gower@exchangeserverpro... Also how about lunch?

Unfortunately wildcard searches are not allowed with the -Sender and -Recipient parameters.

For example, this will return no results.

[PS] C:\>Get-MessageTrackingLog -Recipients *@gmail.com

However, you can use wildcards if you pipe the output of Get-MessageTrackingLog into Where-Object
instead.

57
In this situation it is wise to limit the search to a specific date range for better performance. Or, if you do
need to search the entire set of log files remember to use “-Resultsize Unlimited”.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object


{$_.recipients -like "*@gmail.com"}

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
RECEIVE STORE... [email protected] {[email protected]}
Email to the internet!
TRANSFER ROUTING [email protected] {[email protected]}
Email to the internet!
SEND SMTP [email protected] {[email protected]}
Email to the internet!

You can see that the wildcard is used with the -like comparison operator, but another technique is to
use the -match comparison operator which doesn’t require the wildcard character.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object


{$_.recipients -match "gmail"}

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
RECEIVE STORE... [email protected] {[email protected]}
Email to the internet!
TRANSFER ROUTING [email protected] {[email protected]}
Email to the internet!
SEND SMTP [email protected] {[email protected]}
Email to the internet!

The same use of Where-Object with -like or -match also applies to the sender email address.

As you can see the -Sender and -Recipients parameters give us some flexibility when searching message
tracking logs. However in some cases we need to use the more powerful capabilities of Where-Object
for wildcard and partial string matching.

58
Searching Message Tracking Logs by Email Subject
We’ve looked at searching Exchange Server message tracking logs by time/date range, and by sender or
recipient email address.

Now it is time to look at how to use the email message subject as the search criteria.

The first thing to be aware of is that the message subject is an optional item for message tracking logs.
Although the default setting is for subject logging to be enabled, you should verify that it is still
configured that way if you wish to be doing log searches using the subject line as the criteria.

Configuring subject line logging was covered earlier in this guide.

One of the nice things about using the -MessageSubject parameter for the Get-MessageTrackingLog
cmdlet is that it already returns partial match results, so there is no need to pipe to Where-Object for
wildcard searches or partial matches.

[PS] C:\>Get-MessageTrackingLog -MessageSubject "payroll"

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
RECEIVE SMTP [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
DELIVER STORE... [email protected]
{Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER STORE... [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
SUBMIT STORE... [email protected] {}
Payroll report for September

However, if we want to search on multiple criteria with and/or conditions we still need to use Where-
Object.

[PS] C:\>Get-MessageTrackingLog -ResultSize Unlimited | Where-Object


{$_.MessageSubject -match "payroll" -or $_.MessageSubject -match "meeting"}

EventId Source Sender Recipients


MessageSubject
------- ------ ------ ----------
--------------
RECEIVE SMTP [email protected]
{[email protected]} A meeting #1

59
HARED... ROUTING [email protected]
{[email protected]} A meeting #1
SEND SMTP [email protected]
{[email protected]} A meeting #1
RECEIVE STORE... [email protected]
{homeetingroom1@exchangeserver... A meeting about paper
TRANSFER ROUTING [email protected]
{homeetingroom1@exchangeserver... A meeting about paper
DELIVER STORE... [email protected]
{homeetingroom1@exchangeserver... A meeting about paper
RECEIVE STORE... homeetingroom1@exchangeserverp...
{Mahera.Bawa@exchangeserverpro... Accepted: A meeting about paper
DELIVER STORE... homeetingroom1@exchangeserverp...
{Mahera.Bawa@exchangeserverpro... Accepted: A meeting about paper
RECEIVE SMTP [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
DELIVER STORE... [email protected]
{Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER STORE... [email protected]
{David.Gower@exchangeserverpro... Payroll report for September
SUBMIT STORE... [email protected] {}
Meeting minutes
SUBMIT STORE... [email protected] {}
A meeting #1
SUBMIT STORE... [email protected] {}
A meeting #2
SUBMIT STORE... [email protected] {}
Payroll report for September

As you can see searching message tracking logs based on message subject is quite simple.

Searching Message Tracking Logs by MessageID


All of the examples so far can return just a few results or many thousands of results depending on how
precise your search criteria are.

But in some cases you will be able to search for just the log entries for one specific message if you know
the message ID. Searching by message ID across multiple servers is a good way to avoid returning too
many results, and instead only return the specific log entries you’re interested in.

Each email message has a unique message ID that is recorded in message tracking logs. The nature of
this property is such that you probably won’t know at the start of an investigation, but you may uncover
it through other message tracking log searches, which then allows you to begin running searches
specifically for that message ID.

60
For example, let’s say your investigation begins by searching the mailbox server that the sender of a
message is located on, and reviewing the message subject and message ID.

[PS] C:\>$msgs = Get-MessageTrackingLog –Server ho-ex2010-mb1 -Sender


[email protected] -Start (Get-Date).AddDays(-7)

[PS] C:\>$msgs | fl MessageSubject,MessageID

MessageSubject : A test
MessageId : <D914276AA2D0C0489E25D20BE79753D590ADE73A@HO-EX2010-
MB1.exchangeserverpro.net>

MessageSubject : Payroll report


MessageId : <D914276AA2D0C0489E25D20BE79753D590ADF1C6@HO-EX2010-
MB1.exchangeserverpro.net>

MessageSubject : Reticent astute spurious


MessageId : <D914276AA2D0C0489E25D20BE79753D590ADF1D1@HO-EX2010-
MB1.exchangeserverpro.net>

MessageSubject : Forage cordial forgery


MessageId : <D914276AA2D0C0489E25D20BE79753D590ADF36B@HO-EX2010-
MB1.exchangeserverpro.net>

The message subject “Payroll report” is of interest to us, so we can perform a new search across the
entire organization based on the message ID of that message.

[PS] C:\>$logs = Get-ExchangeServer | Get-MessageTrackingLog -MessageId


"D914276AA2D0C0489E25D20BE79753D590ADF1C6@HO-EX2010-MB1.exchangeserverpro.net"

Searching Message Tracking Logs by Event ID


The event ID of the message tracking log entry can also be used as a search criteria. One of the scenarios
in which this is useful is when searching for all instances of a events that indicate a problem, such as FAIL
or POISONMESSAGE.

[PS] C:\>$Get-MessageTrackingLog -Server SRVEXCPR01 -EventId FAIL

61
Calculating Message Latency
Exchange Server ships with a script that can take input from a message tracking log search and calculate
the message latency for you.

For example, let’s say you have retrieved the message tracking log data for a specific message ID.

[PS] C:\>$msg = Get-ExchangeServer | Get-MessageTrackingLog -MessageId


D914276AA2D0C0489E25D20BE79753D593569EA2@HO-EX2010-MB1.exchangeserverpro.net

The ConvertTo-MessageLatency.ps1 script is located in the $exscripts folder. Pipe the output of Get-
MessageTrackingLog into the script to see the latency calculations.

[PS] C:\>cd $exscripts


[PS] C:\Program Files\Microsoft\Exchange Server\V14\scripts>$msg | .\ConvertTo-
MessageLatency.ps1

In the results you will see the latency values for individual servers and Transport components.

This script is handy if you don’t have direct access to the message headers to use an analysis tool to
calculate the message latency, or when you want to troubleshoot latency that occurred inside specific
Transport components that may not appear in normal message headers.

62
From the Trenches
In the introduction to this guide I stated that I will often spend hours each week searching through
message tracking logs, because:

 I’ve been asked to track the delivery of a single email message


 I’m troubleshooting a server load issue
 I’m analysing overall email traffic patterns in the organization

To give you some more ideas about how message tracking can be used in these situations I’ve published
a few real world cases on my website, Exchange Server Pro2, that go beyond simply tracking the delivery
of a few specific email messages.

In each of these cases message tracking logs provided valuable insight into the issue and helped with the
investigation and resolution of the problem.

 The Case of the Hub Transport Server Load Imbalance3


 The Case of the 24,368 Read Receipts4
 The Case of the 739,254 NDR Message Loop5

2
http://exchangeserverpro.com/
3
http://exchangeserverpro.com/case-hub-transport-server-load-imbalance/
4
http://exchangeserverpro.com/real-world-case-read-receipts/
5
http://exchangeserverpro.com/exchange-server-ndr-loop-distribution-list/

63
Using Log Parser to Analyze Message
Tracking Log Data
As noted earlier opening a message tracking log in Notepad or Excel is a fairly inefficient way of
analysing the data it contains. For most message tracking log searches the best approach is to use Get-
MessageTrackingLog as demonstrated in the previous chapters of this guide.

However, as a structured text file the message tracking log file contains some useful information that
can be extracted using a tool such as Log Parser.

Originally developed for IIS log file analysis, Log Parser is a command-line utility that uses a SQL
expression syntax to query text-based log files.

It is a very fast and effective way to extract aggregate data from log files. Here are a few examples that
I’ve published on Exchange Server Pro6:

 Calculate Daily Email Traffic using Message Tracking Logs and Log Parser7
 Calculate Hourly Email Traffic using Message Tracking Logs and Log Parser8
 Reporting Exchange Server 2010 Message Tracking Event IDs with Log Parser9
 Report Top Sender IP’s on Exchange Server 2010 using Log Parser10

6
http://exchangeserverpro.com
7
http://exchangeserverpro.com/daily-email-traffic-message-tracking-log-parser/
8
http://exchangeserverpro.com/calculate-hourly-email-traffic-using-message-tracking-log-parser/
9
http://exchangeserverpro.com/exchange-2010-message-tracking-event-ids-log-parser/
10
http://exchangeserverpro.com/exchange-2010-report-top-sender-ips-log-parser/

64
Microsoft also released Log Parser Studio11, a free graphical tool for running Log Parser queries and
generating reports.

After installing Log Parser Studio, which also requires Log Parser itself to be installed, you simply need to
configure the paths to any log files that you wish to analyse. These may be auto-detected if you’re
installing directly onto an Exchange server.

In addition to a large number of reports for features such as ActiveSync, Log Parser Studio also includes
some message tracking log analysis reports.

11
http://gallery.technet.microsoft.com/Log-Parser-Studio-cd458765

65
Some of the reports output to CSV file while others can also be used to generate a chart.

You can even export reports to PowerShell scripts so that they can be run directly in your PowerShell
console or as scheduled tasks.

66
Final Word on Message Tracking Logs
In this chapter we’ve looked at how message tracking works, how to configure message tracking on your
Exchange servers, and examples of using PowerShell to perform message tracking log searches.

Searching message tracking logs is a very powerful skill to learn and you will get better and faster the
more you use it, so I really encourage you not to let the initial learning curve put you off.

Here is my recommendations for you from here:

1. Review the message tracking log configuration for your servers


2. Analyze the configuration, your business and technical needs, and make any configuration
changes that you need to
3. Begin performing message tracking log searches for email messages that you have sent or
received, and look closely at the data that is returned to become familiar with the different
events
4. Take every opportunity to do a message tracking log search using PowerShell while you are
working on support cases for your customers, until you are able to perform the searches quickly
and accurately every time

I hope you’ve enjoyed reading this guide and have learned some useful new skills along the way.

67
Appendix A – Message Tracking Log Data
Message Tracking Log Fields
Message tracking logs store each event on a single line in a comma-delimited text log file. The following
table lists the field names for the comma-delimited log.

Field Name Description


date-time The date/time of the event in UTC time.
client-ip The IP address of the server or client that submitted the message.
client-hostname The host name of the server or client that submitted the message.
server-ip The IP address of the server. This field is not populated for all
events, as some events do not involve IP connectivity between two
hosts or components.
server-hostname The host name of the server.
source-context Extra information about the source (see source field below)
connector-id The name of the send connector or receive connector when one is
involved in message transfer between two hosts.
source The transport component of Exchange Server responsible for the
message tracking event. Refer to the Sources table below.
event-id The message event type. Refer to the Event Types table below.
internal-message-id A message ID unique used by the server that is processing the
message. This value is unique to that specific server.
message-id The unique message ID, also found in the headers of the email
message. This value remains constant for the life of the message.
network-message-id A unique message ID that is constant across multiple copies of the
same message, eg messages sent to distribution list members
whose mailboxes are located on different servers in the
organization.
recipient-address The email addresses of the recipients of the message, separated by
a semicolon when there are multiple recipients
recipient-status The recipient status code for each recipient-address.
total-bytes The size of the message including attachments.
recipient-count The number of recipients the message is being sent to.
related-recipient-address Relevant for the EXPAND, REDIRECT and RESOLVE events to record
other email addresses that are relevant for the message.
reference Additional information for some specific events. The contents of
this field vary depending on the context of the event.
message-subject The subject line of the email message. This field is not populated if
message subject logging is disabled.
sender-address The sender of the email message.
return-path The return email address for the message (not necessarily the same
as the sender-address).
message-info Additional information for some specific events.
directionality The direction of the message.
tenant-id Not used for on-premises Exchange servers.

68
original-client-ip The IP address of the original client that sent the message.
original-server-ip The IP address of the original server.
custom-data Additional data for some specific event types, eg, the GUID of a
transport rule that acted on the message.

Message Tracking Log Event Types


The event-id field records the event type for each line in a message tracking log file. The following table
lists the event types that can occur as a message is processed.

Event Name Description


AGENTINFO Used by transport agents that log custom data.
BADMAIL A message that was submitted by the Pickup or Replay directories
but can’t be delivered.
DEFER The message has been delayed for delivery.
DELIVER The message was delivered to a mailbox.
DSN A delivery status notification was generated for the message.
DUPLICATEDELIVER A duplicate message, eg due to a recipient being a member of
multiple distribution groups that are nested in the group that the
email was sent to, was delivered (duplicated are removed by the
information store).
DUPLICATEEXPAND During expansion of a distribution group a duplicate recipient was
found.
DUPLICATEREDIRECT An alternate recipient for the message was found to already be a
recipient of the message.
EXPAND A distribution group included in the message recipients was
expanded to determine the members.
FAIL The message delivery has failed.
HADISCARD A shadow message has been discarded because the primary copy of
the message has been successfully delivered to the next hop.
HARECEIVE A shadow message was received by the server.
HAREDIRECT A shadow message has been created.
HAREDIRECTFAIL A shadow message has failed to be created.
INITMESSAGECREATED A message sent to a moderated recipient has been sent to the
arbitration mailbox to wait for approval.
LOAD A message was successfully loaded at boot.
MODERTOREXPIRE A message sent to a moderated recipient expired without being
approved or rejected.
MODERATORAPPROVE A message sent to a moderated recipient has been approved.
MODERATORREJECT A message sent to a moderated recipient has been rejected.
MODERATORSALLNDR All approval requests sent to the moderators for a moderated
recipient were undeliverable.
NOTIFYMAPI A message has been detected in the outbox of a mailbox.
NOFIFYSHADOW A message has been detected in the outbox of a mailbox, and a
shadow copy of the message needs to be created.

69
POISONMESSAGE The message was placed into, or removed from, the poison
message queue.
PROCESS The message was processed successfully.
RECEIVE A message was received by the server from one of multiple sources
(eg receive connector, Pickup/Replay directories, mailbox user).
REDIRECT A message was redirected to an alternate recipient.
RESOLVE A message recipient was resolved to a different email address.
RESUBMIT A message was resubmitted from Safety Net.
RESUBMITDEFER A message that was resubmitted from Safety Net was deferred
(delayed).
RESUBMITFAIL A message that was resubmitted from Safety Net has failed.
SEND A message was sent between two servers over SMTP.
SUBMIT A message was successfully transmitted to the Transport service.
SUBMITDEFER Submission of the message to the Transport service was deferred
(delayed).
SUBMITFAIL Submission of the message to the Transport service failed.
SUPPRESSED Transmission of the message was suppressed.
THROTTLE The message was throttled.
TRANSFER Recipients of the message were moved to a forked message.

Message Tracking Log Source Values


The source field of message tracking logs lists the component of the transport pipeline that is
responsible for that event. The following table lists the sources for message tracking events.

Source Value Description


ADMIN Human intervention, eg a message being deleted from the queue by
an administrator.
AGENT A transport agent, eg an antivirus program.
APPROVAL Events relating to moderated recipients.
DNS Domain Name System
DSN Delivery Status Notification
GATEWAY A foreign connector
MAILBOXRULE An inbox rule
ORAR An Originator Requested Alternate Recipient.
PICKUP The Pickup directory.
POISONMESSAGE The poison message identifier.
PUBLICFOLDER A mail-enabled public folder.
QUEUE A queue.
REDUNDANCY Shadow Redundancy
ROUTING The routing resolution component of the categorizer.
SAFETYNET Safety Net
SMTP Submitted or received using SMTP
STOREDRIVER MAPI submission from a mailbox

70

You might also like