Message Tracking in Exchange 2007

'Where did my mail go?' In order to answer this question, to troubleshoot mail problems and to analyse mail flow, the Exchange administrator can use message-tracking logs. Ben Lye elaborates on these essential logs and explains how you can use PowerShell commands to search them for those emails that have gone adrift.

Exchange message tracking records the SMTP activity of messages being sent to and from Exchange servers running the Edge Transport or Hub Transport roles.  Exchange administrators can use message tracking logs for mail flow analysis as well as troubleshooting and answering the ever-familiar “where did my mail go” question.

Configuring Message Tracking

By default, message tracking is enabled on any Exchange server which has one or more of the Edge Transport, Hub Transport, or Mailbox roles installed.  The default settings are to store up to 30 days of log files in files of up to 10MB with a directory size limit of 250MB.

Message tracking settings can be retrieved using the Get-TransportServer cmdlet for Edge and Hub transport roles and the Get-MailboxServer cmdlet for Mailbox server roles.


To modify the message tracking settings you can use the Set-TransportServer and Set-MailboxServer cmdlets.  Using these cmdlets you can:

  • Enable or disable message tracking (enabled by default)
  • Enable or disable logging of message subject lines (enabled by default)
  • Set the maximum age of message tracking log files (30 days by default)
  • Set the maximum size of the log file directory (250MB by default)
  • Set the maximum size of each log file (10MB by default)
  • Change the path of the log file (‘C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking’ by default)

If you change the path of the message tracking log directory, then new log files will be written to the new path straight away, but existing log files are not moved or copied from the old path to the new path.

Old log files are removed when either the maximum directory size has been reached, or the log file is past the maximum age.  In the case of the maximum size being reached, the oldest log file is removed even though it may not have met the age limit.  Because of this, if you are in a site with many users and where a lot of e-mail is sent, you may want to increase the maximum directory size, as you might find that the log files are being deleted well before the maximum age is reached.

You can use this command to increase the maximum directory size to 2GB and the maximum log file age to 90 days (adjust the values as appropriate for your environment):
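The command itself is not reproduced on this page. The following is an added example, not the author's own code, and it assumes a server named EXCHANGE01 (the name used later in the article) that holds both a transport role and the Mailbox role:

```powershell
# Added example: review, then change, the message tracking settings.
# EXCHANGE01 is the server name used elsewhere in this article.

# Show the current message tracking settings (Hub/Edge Transport role).
Get-TransportServer EXCHANGE01 | Format-List Name, MessageTracking*

# Show the current message tracking settings (Mailbox role).
Get-MailboxServer EXCHANGE01 | Format-List Name, MessageTracking*

# Raise the directory limit to 2GB and the maximum log age to 90 days
# (the age is a TimeSpan written as days.hours:minutes:seconds).
Set-TransportServer EXCHANGE01 `
    -MessageTrackingLogMaxDirectorySize 2GB `
    -MessageTrackingLogMaxAge 90.00:00:00

# Apply the same limits to the Mailbox role on that server.
Set-MailboxServer EXCHANGE01 `
    -MessageTrackingLogMaxDirectorySize 2GB `
    -MessageTrackingLogMaxAge 90.00:00:00

# Optional: stop recording subject lines in the tracking logs.
# Set-TransportServer EXCHANGE01 -MessageTrackingLogSubjectLoggingEnabled $false

# Confirm the new values.
Get-TransportServer EXCHANGE01 |
    Format-List Name, MessageTrackingLogMaxDirectorySize, MessageTrackingLogMaxAge
```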

To configure Message Tracking you must be delegated the Exchange Organization Administrator role and be a member of the local Administrators group on the Exchange server.

Searching Message Tracking Logs

Once message tracking is configured, using either default or custom settings, you can use the message tracking data for testing, troubleshooting, or auditing mail flow.

Logs can be searched using the Message Tracking Tool in the Exchange Management Console or the Get-MessageTrackingLog cmdlet in the Exchange Management Console.  Both methods use the same set of search filters, and in fact the Message Tracking Tool uses the Get-MessageTrackingLog cmdlet to perform the search.  Get-MessageTrackingLog gives the option of limiting the number of results returned, and the results can be converted into different formats.

Search results can be limited using the following filters:

Name                Description
Recipients          The complete e-mail address(es) of the message recipient(s).  Multiple values can be entered using a comma delimiter.
Sender              The complete e-mail address of the message sender.
Server              The server on which to search
EventID             The specific event to search for – for example, “SEND” or “DELIVER”
MessageID           Unique ID of the e-mail message
InternalMessageID   Server-specific message ID
Subject             Subject line of the e-mail message
Reference           Additional information for some event types
Start               Starting date/time
End                 Ending date/time

To perform a search using the Message Tracking Tool, launch the Exchange Management Console, navigate to the Toolbox pane, and double-click “Message Tracking”.  After a brief check for updates you’ll be able to go to the Welcome Screen, where you can enter search parameters to begin looking for messages in the tracking logs.  While you are constructing your search a box at the bottom of the tool shows you the Get-MessageTrackingLog command which will be used to perform the search.

To perform a search using the Get-MessageTrackingLog cmdlet, searching the server EXCHANGE01 for messages sent from john@example.com to bill@example.net, sent between 12/3/2009 and 13/3/2009:

To perform the same search and return only the first 100 matching records:
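The two search commands are not reproduced on this page. The following is an added example, not the author's own code; the server, addresses and dates are the ones given above, and treating both dates as midnight boundaries is an assumption:

```powershell
# Added example: the search described above.
# Dates are written year-month-day so they parse the same way
# regardless of the regional settings of the shell.
$start = [datetime]'2009-03-12'   # 12 March 2009, 00:00
$end   = [datetime]'2009-03-13'   # 13 March 2009, 00:00 (assumed boundary; adjust as needed)

# All matching tracking events for mail from john@example.com to bill@example.net.
Get-MessageTrackingLog -Server EXCHANGE01 `
    -Sender john@example.com `
    -Recipients bill@example.net `
    -Start $start -End $end

# The same search, returning only the first 100 matching records.
Get-MessageTrackingLog -Server EXCHANGE01 `
    -Sender john@example.com `
    -Recipients bill@example.net `
    -Start $start -End $end `
    -ResultSize 100
```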

If you are using Exchange 2007 SP1 you must be delegated the Exchange View-Only Administrator role to use the Get-MessageTrackingLog cmdlet.  If you are using Exchange 2007 RTM you need to be delegated the Exchange Server Administrator role and be a member of the local Administrators group on the target server.

Working With the Search Results

Once you have a search which returns the results you need, you may want to convert those results into other formats, perhaps to use for reports or to provide information to others.  PowerShell includes built-in cmdlets for re-formatting output data, and those can be used in conjunction with the Get-MessageTrackingLog cmdlet.  For the ‘Recipients’, ‘RecipientStatus’ and ‘Reference’ properties it’s necessary to convert the data so that it appears in the output files.

To convert the results to CSV format you can pipe the search command to the Export-CSV cmdlet.  This command will create a CSV file called C:\Temp\SearchResults.csv, exporting all the available fields:

This command will create a CSV file including only the timestamp, event ID, sender, recipients, and subject line:

Alternatively, to convert the results to HTML you can pipe the search command to the ConvertTo-HTML cmdlet.  Use this command to export the results to an HTML file showing the timestamp, event ID, sender, recipients, and subject line:
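The three export commands are not reproduced on this page. The following is an added example, not the author's own code, covering the full CSV, the reduced CSV and the HTML export; the HTML file name and the field list used for the full export are assumptions:

```powershell
# Added example: export the search results to CSV and HTML.
$results = Get-MessageTrackingLog -Server EXCHANGE01 `
    -Sender john@example.com -Recipients bill@example.net `
    -Start ([datetime]'2009-03-12') -End ([datetime]'2009-03-13')

# Recipients, RecipientStatus and Reference are multi-valued. Join each into
# a single string so the values, not the array type name, reach the file.
$recipients = @{Name='Recipients';      Expression={[string]::Join(';', @($_.Recipients))}}
$status     = @{Name='RecipientStatus'; Expression={[string]::Join(';', @($_.RecipientStatus))}}
$reference  = @{Name='Reference';       Expression={[string]::Join(';', @($_.Reference))}}

# 1. CSV with the tracking-log fields (field list assumed; trim as required).
$results |
    Select-Object Timestamp, ClientIp, ClientHostname, ServerIp, ServerHostname,
        SourceContext, ConnectorId, Source, EventId, InternalMessageId, MessageId,
        $recipients, $status, TotalBytes, RecipientCount, RelatedRecipientAddress,
        $reference, MessageSubject, Sender, ReturnPath, MessageInfo |
    Export-Csv C:\Temp\SearchResults.csv -NoTypeInformation

# 2. CSV with only timestamp, event ID, sender, recipients and subject line.
$results |
    Select-Object Timestamp, EventId, Sender, $recipients, MessageSubject |
    Export-Csv C:\Temp\SearchResults.csv -NoTypeInformation

# 3. HTML file with the same five columns (file name is an assumption).
$results |
    Select-Object Timestamp, EventId, Sender, $recipients, MessageSubject |
    ConvertTo-Html -Title 'Message tracking search results' |
    Out-File C:\Temp\SearchResults.html
```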

Advanced Searches

PowerShell scripts can be used to do some interesting manipulation of the message tracking log data.  Here are a few examples of what can be done without much effort.

Searching across multiple servers

Get-MessageTrackingLog only searches the message tracking logs of one server.  To search the logs on multiple machines we need to use a few lines of PowerShell code.

First, get the names of all the Hub Transport servers:

Then pipe them into a Get-MessageTrackingLog command, in this case looking for all email with the subject line “Important news” sent on March 13th.
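The commands for these two steps are not reproduced on this page. The following is an added example, not the author's own code; the year 2009 is an assumption carried over from the earlier search, and the variable names are illustrative:

```powershell
# Added example: search the tracking logs of every Hub Transport server.

# Step 1: collect the Hub Transport servers in the organisation.
$hubs = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer }

# Step 2: run the same search against each server in turn.
# March 13th is taken to be 13 March 2009 (assumed year), midnight to midnight.
$start = [datetime]'2009-03-13'
$end   = $start.AddDays(1)

$results = $hubs | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name `
        -MessageSubject 'Important news' `
        -Start $start -End $end `
        -ResultSize Unlimited   # the default limit is 1000 records per server
}

# ServerHostname shows which server logged each event, which makes it
# possible to follow one message from hop to hop.
$results |
    Sort-Object Timestamp |
    Select-Object Timestamp, ServerHostname, EventId, Sender, MessageSubject |
    Format-Table -AutoSize
```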

This will return the message tracking information from all the hub transport servers in the Exchange organisation.  As with regular message tracking log searches, it’s possible to output this data to a reader-friendly HTML file.

Reporting on e-mail messages sent and received yesterday

Using PowerShell scripts it’s possible to use the message tracking logs to create reports.  This example will get the messages sent and received on the previous day for a group of mailboxes in a specific database.

The script works by finding all mailboxes in the DB1 database on the Exchange server EXCHANGE01, and searching the message tracking logs to find any RECEIVE and SEND events.  The Get-Mailbox command can be easily modified to find a different group of mailboxes or changed to return distribution groups or contacts.  The script could also be modified to search across multiple servers.
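The script is not reproduced on this page. The following is an added example of a script that works as described, not the author's own code; it assumes the database can be addressed as EXCHANGE01\DB1 and matches each mailbox on its primary SMTP address only:

```powershell
# Added example: per-mailbox count of SEND and RECEIVE events for yesterday.
$server = 'EXCHANGE01'
$end    = [datetime]::Today      # midnight at the start of today
$start  = $end.AddDays(-1)       # midnight at the start of yesterday

# Collect the mailboxes first, then query the tracking log once per mailbox.
$mailboxes = @(Get-Mailbox -Database "$server\DB1" -ResultSize Unlimited)

$report = $mailboxes | ForEach-Object {
    # Assumption: only the primary SMTP address is matched, so mail sent to
    # secondary (proxy) addresses is not counted.
    $address = $_.PrimarySmtpAddress.ToString()

    $sent = @(Get-MessageTrackingLog -Server $server -Start $start -End $end `
                  -Sender $address -EventId SEND -ResultSize Unlimited)

    $received = @(Get-MessageTrackingLog -Server $server -Start $start -End $end `
                      -Recipients $address -EventId RECEIVE -ResultSize Unlimited)

    # These are counts of tracking events, not of unique messages:
    # one message can be logged more than once.
    $_ | Select-Object DisplayName,
        @{Name='Address';  Expression={$address}},
        @{Name='Sent';     Expression={$sent.Count}},
        @{Name='Received'; Expression={$received.Count}}
}

$report | Sort-Object DisplayName | Format-Table -AutoSize
```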

More information on configuring and managing message tracking and searching message tracking log files can be found on Microsoft TechNet:

http://technet.microsoft.com/en-us/library/aa997984.aspx

http://technet.microsoft.com/en-us/library/bb124375.aspx

http://technet.microsoft.com/en-us/library/bb124926.aspx