Exchange message tracking records the SMTP activity of messages being sent to and from Exchange servers running the Edge Transport or Hub Transport roles. Exchange administrators can use message tracking logs for mail flow analysis as well as troubleshooting and answering the ever-familiar “where did my mail go” question.
Configuring Message Tracking
By default message tracking is enabled on any Exchange server which has the one or more of the Edge Transport, Hub Transport, or Mailbox roles installed. The default settings are to store up to 30 days of log files in files of up to 10MB with a directory size limit of 250MB.
Message tracking settings can be retrieved using the Get-TransportServer cmdlet for Edge and Hub transport roles and the Get-MailboxServer cmdlet for Mailbox server roles.
To modify the message tracking settings you can use the Set-TransportServer and Set-MailboxServer cmdlets. Using these cmdlets you can:
- Enable or disable message tracking (enabled by default)
- Enable or disable logging of message subject lines (enabled by default)
- Set the maximum age of message tracking log files (30 days by default)
- Set the maximum size of the log file directory (250MB by default)
- Set the maximum size of each log file (10MB by default)
- Change the path of the log file (‘C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking’ by default)
If you change the path of the message tracking log directory, then new log files will be written to the new path straight away, but existing log files are not moved or copied from the old path to the new path.
Old log files are removed when either the maximum directory size has been reached, or the log file is past the maximum age. In the case of the maximum size being reached, the oldest log file is removed even though it may not have met the age limit. Because of this, if you are in a site with many users and where a lot of e-mail is sent, you may want need to increase the maximum directory size as you might find that the log files are being deleted well before the maximum age is reached.
You can use this command to increase the maximum directory size to 2GB and the maximum log file age to 90 days (adjust the values as appropriate for your environment):
|
1 |
[PS] C:\>Set-TransportServer EXCHANGE01 -MessageTrackingLogMaxDirectorySize 2GB -MessageTrackingLogMaxAge 90.00:00:00 |
To configure Message Tracking you must be delegated the Exchange Organization Administrator role and be a member of the local Administrators group on the Exchange server.
Searching Message Tracking Logs
Once message tracking is configured, using either default or custom settings, you can use the message tracking data for testing, troubleshooting, or auditing mail flow.
Logs can be searched using with the Message Tracking Tool in the Exchange Management Console or the Get-MessageTrackingLog cmdlet in the Exchange Management Console. Both methods use the same set of search filters, and in fact the Message Tracking Tool uses the Get-MessageTrackingLog cmdlet to perform the search. Get-MessageTrackingLog gives the option of limiting the number of results returned, and the results can be converted into different formats.
Search results can be limited using the following filters:
|
Name |
Description |
|
Recipients |
The complete e-mail address(es) of the message recipient(s). Multiple values can be entered using a comma delimiter. |
|
Sender |
The complete e-mail address of the message sender. |
|
Server |
The server on which to search |
|
EventID |
The specific event to search for – for example, “SEND” or “DELIVER” |
|
MessageID |
Unique ID of the e-mail message |
|
InternalMessageID |
Server-specific message ID |
|
Subject |
Subject line of the e-mail message |
|
Reference |
Additional information for some event types |
|
Start |
Starting date/time |
|
End |
Ending date/time |
To perform a search using the Message Tracking Tool, launch the Exchange Management Console, navigate to the Toolbox pane, and double-click “Message Tracking”. After a brief check for updates you’ll be able to go to the Welcome Screen, where you can enter search parameters to begin looking for messages in the tracking logs. While you are constructing your search a box at the bottom of the tool shows you the Get-MessageTrackingLog command which will be used to perform the search.
To perform a search using the Get-MessageTrackingLog cmdlet, searching the server EXCHANGE01 for messages sent from john@example.com to bill@example.net, sent between 12/3/2009 and 13/3/2009:
|
1 |
[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 -ResultSize 100 |
To perform the same search and return only the first 100 matching records:
|
1 |
[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 -ResultSize 100 |
If you are using Exchange 2007 SP1 you must be delegated the Exchange View-Only Administrator role to use the Get-MessageTrackingLog cmdlet. If you are using Exchange 2007 RTM you need to be delegated the Exchange Server Administrator role and be a member of the local Administrators group on the target server.
Working With the Search Results
Once you have a search which returns the results you need, you may want to convert those results into other formats, perhaps to use for reports or to provide information to others. PowerShell includes built-in cmdlets for re-formatting output data, and those can be used in conjunction with the Get-MessageTrackingLog cmdlet. For the ‘Recipients’, ‘RecipentStatus’ and ‘Reference’ properties it’s necessary to convert the data so that it appears in the output files.
To convert the results to CSV format you can pipe the search command to the Export-CSV cmdlet. This command will create a CSV file called C:\Temp\SearchResults.csv, exporting all the available fields:
|
1 |
[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | Select Timestamp, ClientIp, ClientHostname, ServerIp, ServerHostname, SourceContext, ConnectorId, Source, EventId, InternalMessageId, MessageId, {$_.Recipients}, {$_.RecipientStatus}, TotalBytes, RecipientCount, RelatedRecipientAddress, {$_.Reference}, MessageSubject, Sender, ReturnPath, MessageInfo | Export-CSV C:\Temp\SearchResults.csv |
This command will create a CSV file including only the timestamp, event ID, sender, recipients, and subject line:
|
1 |
[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | Select Timestamp, EventID, Sender, {$_.Recipients}, MessageSubject | Export-CSV C:\Temp\SearchResults.csv |
Alternatively, to convert the results to HTML you can pipe the search command to the ConvertTo-HTML cmdlet. Use this command to export the results to an HTML file showing the timestamp, event ID, sender, recipients, and subject line:
|
1 |
[PS] C:\>Get-MessageTrackingLog -Server EXHUB-00-UK -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | ConvertTo-Html Timestamp, EventID, Sender, {$_.Recipients}, MessageSubject | Set-Content C:\Temp\logs.html |
Advanced Searches
PowerShell scripts can be used to do some interesting manipulation of the message tracking log data. Here are a few examples of what can be done without much effort.
Searching across multiple servers
Get-MessageTrackingLog only searches the message tracking logs of one server. To search the logs on multiple machines we need to use a few lines of PowerShell code.
First, get the names of all the Hub Transport servers:
|
1 |
[PS] C:\>$hubs = Get-TransportServer |
Then pipe them into a Get-MessageTrackingLog command, in this case looking for all email with the subject line “Important news” sent on March 13th.
|
1 |
[PS] C:\>$hubs | Get-MessageTrackingLog -MessageSubject "Important news" -Start "13/03/2009 00:00:00" -End "13/03/2009 23:59:59" |
This will return the message tracking information from all the hub transport servers in the Exchange organisation. As with regular message tracking log searches, it’s possible to output this data to a reader-friendly HTML file.
|
1 |
[PS] C:\>$hubs | Get-MessageTrackingLog -MessageSubject "Important news" -Start "13/03/2009 00:00:00" -End "13/03/2009 23:59:59" | ConvertTo-Html ServerHostname, Timestamp, EventID, Sender, {$_.Recipients}, MessageSubject | Set-Content C:\Temp\logs.html |
Reporting on e-mail messages sent and received yesterday
Using PowerShell scripts it’s possible to use the message tracking logs to create reports. This example will get the messages sent and received on the previous day for a group of mailboxes in a specific database.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
# Get the start date for the tracking log search $Start = (Get-Date -Hour 00 -Minute 00 -Second 00).AddDays(-1) # Get the end date for the tracking log search $End = (Get-Date -Hour 23 -Minute 59 -Second 59).AddDays(-1) # Declare an array to store the results $Results = @() # Get the SEND events from the message tracking logs $Sent = Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Start $Start -End $End -resultsize unlimited # Get the RECEIVE events the message tracking logs $Received = Get-MessageTrackingLog -Server EXCHANGE01 -EventID RECEIVE -Start $Start -End $End -resultsize unlimited # Get the mailboxes we want to report on $Mailboxes = Get-Mailbox -Database "EXCHANGE01\SG1\DB1" # Set up the counters for the progress bar $Total = $Mailboxes.Count $Count = 1 # Sort the mailboxes and pipe them to a For-Each loop $Mailboxes | Sort-Object -Property DisplayName | ForEach-Object { # Update the progress bar $PercentComplete = $Count / $Total * 100 Write-Progress -Activity "Message Tracking Log Search" -Status "Processing mailboxes" -percentComplete $PercentComplete # Declare a custom object to store the data $Stats = "" | Select-Object Name,Sent,Received # Get the email address for the mailbox $Email = $_.WindowsEmailAddress.ToString() # Set the Name property of our object to the mailbox's display name $Stats.Name = $_.DisplayName # Set the Sent property to the number of messages sent $Stats.Sent = ($Sent | Where-Object { ($_.EventId -eq "SEND") -and ($_.Sender -eq $email) }).Count # Set the Received property to the number of messages received $Stats.Received = ($Received | Where-Object { ($_.EventId -eq "RECEIVE") -and ($_.Recipients -match $email) }).Count # Add the statistics for this mailbox to our results array $Results += $Stats # Increment the progress bar counter $Count += 1 } # Output the results $Results |
The script works by finding all mailboxes in the DB1 database on the Exchange server EXCHANGE01, and searching the message tracking logs to find mail any RECEIVE and SEND events. The Get-Mailbox command can be easily modified to find a different group of mailboxes or changed to return distribution groups or contacts. The script could also be modified to search across multiple servers.
More information on configuring and managing message tracking and searching message tracking log files can be found on Microsoft TechNet:
http://technet.microsoft.com/en-us/library/aa997984.aspx
Load comments