Ben Lye

Message Tracking in Exchange 2007

27 March 2009

'Where did my mail go?'. In order to answer this question, to troubleshoot mail problems and to analyse mail flow, the Exchange administrator can use message-tracking logs. Ben Lye elaborates on these essential logs and explains how you can use PowerShell commands to search them for those emails that have gone adrift.

Exchange message tracking records the SMTP activity of messages being sent to and from Exchange servers running the Edge Transport or Hub Transport roles.  Exchange administrators can use message tracking logs for mail flow analysis as well as troubleshooting and answering the ever-familiar “where did my mail go” question.

Configuring Message Tracking

By default, message tracking is enabled on any Exchange server which has one or more of the Edge Transport, Hub Transport, or Mailbox roles installed.  The default settings are to store up to 30 days of log files in files of up to 10MB with a directory size limit of 250MB.

Message tracking settings can be retrieved using the Get-TransportServer cmdlet for Edge and Hub transport roles and the Get-MailboxServer cmdlet for Mailbox server roles.

To modify the message tracking settings you can use the Set-TransportServer and Set-MailboxServer cmdlets.  Using these cmdlets you can:

  • Enable or disable message tracking (enabled by default)
  • Enable or disable logging of message subject lines (enabled by default)
  • Set the maximum age of message tracking log files (30 days by default)
  • Set the maximum size of the log file directory (250MB by default)
  • Set the maximum size of each log file (10MB by default)
  • Change the path of the log file (‘C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking’ by default)

If you change the path of the message tracking log directory, then new log files will be written to the new path straight away, but existing log files are not moved or copied from the old path to the new path.

Old log files are removed when either the maximum directory size has been reached, or the log file is past the maximum age.  In the case of the maximum size being reached, the oldest log file is removed even though it may not have met the age limit.  Because of this, if you are in a site with many users and where a lot of e-mail is sent, you may need to increase the maximum directory size, as you might find that the log files are being deleted well before the maximum age is reached.

You can use this command to increase the maximum directory size to 2GB and the maximum log file age to 90 days (adjust the values as appropriate for your environment):

[PS] C:\>Set-TransportServer EXCHANGE01 -MessageTrackingLogMaxDirectorySize 2GB -MessageTrackingLogMaxAge 90.00:00:00

To configure Message Tracking you must be delegated the Exchange Organization Administrator role and be a member of the local Administrators group on the Exchange server.
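
To see whether the directory size limit is trimming logs before the age limit, as described above, compare the oldest log file on disk with the configured maximum age. This is an added example, not part of the original article; it assumes it is run in the Exchange Management Shell on EXCHANGE01 itself (the log path is local to the server) and that tracking log files are named MSGTRK*.log.

```powershell
# Added example (not from the article). Run locally on the transport server.
$Server  = Get-TransportServer EXCHANGE01      # the article's sample server name
$MaxAge  = [TimeSpan]::Parse($Server.MessageTrackingLogMaxAge.ToString())
$LogPath = $Server.MessageTrackingLogPath.ToString()

# Tracking log files, oldest first (assumption: files are named MSGTRK*.log)
$Files = @(Get-ChildItem -Path $LogPath -Filter "MSGTRK*.log" | Sort-Object LastWriteTime)

if ($Files.Count -eq 0) {
    Write-Warning "No message tracking log files found in $LogPath"
}
else {
    # Age of the oldest surviving log file and total size of the log files
    $RetainedDays = [Math]::Round(((Get-Date) - $Files[0].LastWriteTime).TotalDays, 1)
    $DirSizeMB    = [Math]::Round(($Files | Measure-Object -Property Length -Sum).Sum / 1MB, 1)

    $Report = "" | Select-Object Server, TrackingEnabled, SubjectLogging,
        MaxAgeDays, RetainedDays, MaxDirectorySize, DirSizeMB, TrimmedEarly

    $Report.Server           = $Server.Name
    $Report.TrackingEnabled  = $Server.MessageTrackingLogEnabled
    $Report.SubjectLogging   = $Server.MessageTrackingLogSubjectLoggingEnabled
    $Report.MaxAgeDays       = $MaxAge.TotalDays
    $Report.RetainedDays     = $RetainedDays
    $Report.MaxDirectorySize = $Server.MessageTrackingLogMaxDirectorySize.ToString()
    $Report.DirSizeMB        = $DirSizeMB

    # True when the oldest surviving log is more than a day younger than the
    # age limit. On a server that has been tracking for longer than the age
    # limit this means the size limit removed logs early; a recently built
    # server also reports True until it has accumulated enough history.
    $Report.TrimmedEarly     = $RetainedDays -lt ($MaxAge.TotalDays - 1)

    $Report | Format-List
}
```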

Searching Message Tracking Logs

Once message tracking is configured, using either default or custom settings, you can use the message tracking data for testing, troubleshooting, or auditing mail flow.

Logs can be searched using the Message Tracking Tool in the Exchange Management Console or the Get-MessageTrackingLog cmdlet in the Exchange Management Console.  Both methods use the same set of search filters, and in fact the Message Tracking Tool uses the Get-MessageTrackingLog cmdlet to perform the search.  Get-MessageTrackingLog gives the option of limiting the number of results returned, and the results can be converted into different formats.

Search results can be limited using the following filters:

  • Recipients: The complete e-mail address(es) of the message recipient(s).  Multiple values can be entered using a comma delimiter.
  • Sender: The complete e-mail address of the message sender.
  • Server: The server on which to search
  • EventID: The specific event to search for – for example, “SEND” or “DELIVER”
  • MessageID: Unique ID of the e-mail message
  • InternalMessageID: Server-specific message ID
  • Subject: Subject line of the e-mail message
  • Reference: Additional information for some event types
  • Start: Starting date/time
  • End: Ending date/time

To perform a search using the Message Tracking Tool, launch the Exchange Management Console, navigate to the Toolbox pane, and double-click “Message Tracking”.  After a brief check for updates you’ll be able to go to the Welcome Screen, where you can enter search parameters to begin looking for messages in the tracking logs.  While you are constructing your search a box at the bottom of the tool shows you the Get-MessageTrackingLog command which will be used to perform the search.

To perform a search using the Get-MessageTrackingLog cmdlet, searching the server EXCHANGE01 for messages sent from john@example.com to bill@example.net, sent between 12/3/2009 and 13/3/2009:

[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009

To perform the same search and return only the first 100 matching records:

[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 -ResultSize 100

If you are using Exchange 2007 SP1 you must be delegated the Exchange View-Only Administrator role to use the Get-MessageTrackingLog cmdlet.  If you are using Exchange 2007 RTM you need to be delegated the Exchange Server Administrator role and be a member of the local Administrators group on the target server.

Working With the Search Results

Once you have a search which returns the results you need, you may want to convert those results into other formats, perhaps to use for reports or to provide information to others.  PowerShell includes built-in cmdlets for re-formatting output data, and those can be used in conjunction with the Get-MessageTrackingLog cmdlet.  For the ‘Recipients’, ‘RecipientStatus’ and ‘Reference’ properties it’s necessary to convert the data so that it appears in the output files.

To convert the results to CSV format you can pipe the search command to the Export-CSV cmdlet.  This command will create a CSV file called C:\Temp\SearchResults.csv, exporting all the available fields:

[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | Select Timestamp, ClientIp, ClientHostname, ServerIp, ServerHostname, SourceContext, ConnectorId, Source, EventId, InternalMessageId, MessageId, {$_.Recipients}, {$_.RecipientStatus}, TotalBytes, RecipientCount, RelatedRecipientAddress, {$_.Reference}, MessageSubject, Sender, ReturnPath, MessageInfo | Export-CSV C:\Temp\SearchResults.csv

This command will create a CSV file including only the timestamp, event ID, sender, recipients, and subject line:

[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | Select Timestamp, EventID, Sender, {$_.Recipients}, MessageSubject | Export-CSV C:\Temp\SearchResults.csv

Alternatively, to convert the results to HTML you can pipe the search command to the ConvertTo-HTML cmdlet.  Use this command to export the results to an HTML file showing the timestamp, event ID, sender, recipients, and subject line:

[PS] C:\>Get-MessageTrackingLog -Server EXHUB-00-UK -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | ConvertTo-Html Timestamp, EventID, Sender, {$_.Recipients}, MessageSubject | Set-Content C:\Temp\logs.html

 

Advanced Searches

PowerShell scripts can be used to do some interesting manipulation of the message tracking log data.  Here are a few examples of what can be done without much effort.

Searching across multiple servers

Get-MessageTrackingLog only searches the message tracking logs of one server.  To search the logs on multiple machines we need to use a few lines of PowerShell code.

First, get the names of all the Hub Transport servers:

[PS] C:\>$hubs = Get-TransportServer

Then pipe them into a Get-MessageTrackingLog command, in this case looking for all email with the subject line “Important news” sent on March 13th.

[PS] C:\>$hubs | Get-MessageTrackingLog -MessageSubject "Important news" -Start "13/03/2009 00:00:00" -End "13/03/2009 23:59:59"

This will return the message tracking information from all the hub transport servers in the Exchange organisation.  As with regular message tracking log searches, it’s possible to output this data to a reader-friendly HTML file.

[PS] C:\>$hubs | Get-MessageTrackingLog -MessageSubject "Important news" -Start "13/03/2009 00:00:00" -End "13/03/2009 23:59:59" | ConvertTo-Html ServerHostname, Timestamp, EventID, Sender, {$_.Recipients}, MessageSubject | Set-Content C:\Temp\logs.html
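
Working out who actually received a given message is a common follow-up to the multi-server search above. This added example (not part of the original article) searches every transport server for DELIVER events, expands the multi-valued Recipients property to one row per recipient, and counts the distinct addresses; the subject and date reuse the article's sample search and the output file name is an assumption.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell.
$Subject = "Important news"
$Start   = Get-Date -Year 2009 -Month 3 -Day 13 -Hour 0 -Minute 0 -Second 0
$End     = $Start.AddDays(1).AddSeconds(-1)

# DELIVER events record delivery to a mailbox; search every transport server
$Delivered = @(Get-TransportServer |
    Get-MessageTrackingLog -EventID DELIVER -MessageSubject $Subject `
        -Start $Start -End $End -ResultSize Unlimited)

# Recipients is multi-valued, so emit one row per recipient of each event
$Rows = @($Delivered | ForEach-Object {
    $Entry = $_
    $Entry.Recipients | ForEach-Object {
        $Row = "" | Select-Object Timestamp, ServerHostname, MessageId, Sender, Recipient
        $Row.Timestamp      = $Entry.Timestamp
        $Row.ServerHostname = $Entry.ServerHostname
        $Row.MessageId      = $Entry.MessageId
        $Row.Sender         = $Entry.Sender
        $Row.Recipient      = $_
        $Row
    }
})

# One group per distinct recipient address (string grouping is case-insensitive)
$ByRecipient = @($Rows | Group-Object -Property Recipient | Sort-Object Name)

"{0} delivery events, {1} distinct recipients" -f $Delivered.Count, $ByRecipient.Count
$ByRecipient | Select-Object Name, Count

# Keep the per-recipient detail for the record (hypothetical file name)
$Rows | Export-Csv C:\Temp\SubjectRecipients.csv -NoTypeInformation
```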

Reporting on e-mail messages sent and received yesterday

Using PowerShell scripts it’s possible to use the message tracking logs to create reports.  This example will get the messages sent and received on the previous day for a group of mailboxes in a specific database.

# Get the start date for the tracking log search
$Start = (Get-Date -Hour 00 -Minute 00 -Second 00).AddDays(-1)

# Get the end date for the tracking log search
$End = (Get-Date -Hour 23 -Minute 59 -Second 59).AddDays(-1)

# Declare an array to store the results
$Results = @()

# Get the SEND events from the message tracking logs
$Sent = Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Start $Start -End $End -ResultSize Unlimited

# Get the RECEIVE events from the message tracking logs
$Received = Get-MessageTrackingLog -Server EXCHANGE01 -EventID RECEIVE -Start $Start -End $End -ResultSize Unlimited

# Get the mailboxes we want to report on; @() guarantees an array, so that
# .Count is valid even when only one mailbox is returned
$Mailboxes = @(Get-Mailbox -Database "EXCHANGE01\SG1\DB1")

# Set up the counters for the progress bar
$Total = $Mailboxes.Count
$Count = 1

# Sort the mailboxes and pipe them to a ForEach-Object loop
$Mailboxes | Sort-Object -Property DisplayName | ForEach-Object {

    # Update the progress bar
    $PercentComplete = $Count / $Total * 100
    Write-Progress -Activity "Message Tracking Log Search" -Status "Processing mailboxes" -PercentComplete $PercentComplete

    # Declare a custom object to store the data
    $Stats = "" | Select-Object Name,Sent,Received

    # Get the email address for the mailbox
    $Email = $_.WindowsEmailAddress.ToString()

    # Set the Name property of our object to the mailbox's display name
    $Stats.Name = $_.DisplayName

    # Set the Sent property to the number of messages sent
    # (@() makes .Count return 0 or 1 when there are no matches or one match)
    $Stats.Sent = @($Sent | Where-Object { ($_.EventId -eq "SEND") -and ($_.Sender -eq $Email) }).Count

    # Set the Received property to the number of messages received
    # (-contains compares whole addresses; -match would treat the address as a regular expression)
    $Stats.Received = @($Received | Where-Object { ($_.EventId -eq "RECEIVE") -and ($_.Recipients -contains $Email) }).Count

    # Add the statistics for this mailbox to our results array
    $Results += $Stats

    # Increment the progress bar counter
    $Count += 1
}

# Output the results
$Results

The script works by finding all mailboxes in the DB1 database on the Exchange server EXCHANGE01, and searching the message tracking logs to find any RECEIVE and SEND events.  The Get-Mailbox command can be easily modified to find a different group of mailboxes or changed to return distribution groups or contacts.  The script could also be modified to search across multiple servers.

More information on configuring and managing message tracking and searching message tracking log files can be found on Microsoft TechNet:

http://technet.microsoft.com/en-us/library/aa997984.aspx

http://technet.microsoft.com/en-us/library/bb124375.aspx

http://technet.microsoft.com/en-us/library/bb124926.aspx

Ben Lye

Author profile:

Ben Lye is a senior systems administrator at a multi-national software company. He has over 10 years experience supporting and administering Windows and Exchange, and has been MCSE and MCP certified since 1999. Ben is passionate about automating and streamlining routine tasks, and enjoys creating and using tools which make day-to-day administration easier.


Subject: Count condition on sent mail
Posted by: Sébastien (view profile)
Posted on: Wednesday, August 12, 2009 at 2:35 AM
Message: # Set the Sent property to the number of messages sent
$Stats.Sent = ($Sent | Where-Object { ($_.EventId -eq "SEND") -and ($_.Sender -eq $email) }).Count

This point only counts messages which are sent with an SMTP source.

To count all messages which are sent by a user you can add this condition:
$Stats.Sent = ($Sent | Where-Object { (($_.EventId -eq "SEND") -or ($_.EventId -eq "RECEIVE")) -and ($_.Sender -eq $email) }).Count

Subject: error in script
Posted by: Arptro (view profile)
Posted on: Tuesday, November 03, 2009 at 6:37 PM
Message: Hi,

When I run the script I receive the following error regarding the progress count:

Attempted to divide by zero.
At C:\ADMIN\NYC.PS1:36 char:28
+ $PercentComplete = $Count / <<<< $Total * 100
Write-Progress : Cannot validate argument. The argument cannot be null, empty,
or contain a null value.
At C:\ADMIN\NYC.PS1:38 char:103
+ Write-Progress -Activity "Message Tracking Log Search" -Status "Processing ma
ilboxes" -percentComplete <<<< $PercentComplete

Subject: How can i run this script
Posted by: akther_mohd (view profile)
Posted on: Saturday, April 03, 2010 at 2:01 AM
Message: Hi Ben

Only need to put it in EMS to get the result? Please tell me how to get the output.

Subject: automate it
Posted by: damon27 (view profile)
Posted on: Saturday, October 09, 2010 at 9:45 PM
Message: Hi Ben,

How do I automate this script?

[PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | Select Timestamp, ClientIp, ClientHostname, ServerIp, ServerHostname, SourceContext, ConnectorId, Source, EventId, InternalMessageId, MessageId, {$_.Recipients}, {$_.RecipientStatus}, TotalBytes, RecipientCount, RelatedRecipientAddress, {$_.Reference}, MessageSubject, Sender, ReturnPath, MessageInfo | Export-CSV C:\Temp\SearchResults.csv

Please help.

I want to run it every day, and the start date is the date yesterday and the end date is the current date.

Subject: Searching for specific Subject- Exchange 2007 SP1
Posted by: Samstep (view profile)
Posted on: Thursday, October 28, 2010 at 9:27 AM
Message: How to search for emails with a specific subject and see how many users got the emails? Thanks

Subject: Searching for specific Subject- Exchange 2007 SP1
Posted by: Samstep (view profile)
Posted on: Friday, October 29, 2010 at 7:50 AM
Message: How to search for emails with a specific subject and see how many users got the emails? Thanks

 
