27 March 2009

Message Tracking in Exchange 2007

'Where did my mail go?' In order to answer this question, to troubleshoot mail problems and to analyse mail flow, the Exchange administrator can use message-tracking logs. Ben Lye elaborates on these essential logs and explains how you can use PowerShell commands to search them for those emails that have gone adrift.

Exchange message tracking records the SMTP activity of messages being sent to and from Exchange servers running the Edge Transport or Hub Transport roles.  Exchange administrators can use message tracking logs for mail flow analysis as well as troubleshooting and answering the ever-familiar “where did my mail go” question.

Configuring Message Tracking

By default, message tracking is enabled on any Exchange server which has one or more of the Edge Transport, Hub Transport, or Mailbox roles installed.  The default settings are to store up to 30 days of log files, in files of up to 10MB, with a directory size limit of 250MB.

Message tracking settings can be retrieved using the Get-TransportServer cmdlet for Edge and Hub transport roles and the Get-MailboxServer cmdlet for Mailbox server roles.


To modify the message tracking settings you can use the Set-TransportServer and Set-MailboxServer cmdlets.  Using these cmdlets you can:

  • Enable or disable message tracking (enabled by default)
  • Enable or disable logging of message subject lines (enabled by default)
  • Set the maximum age of message tracking log files (30 days by default)
  • Set the maximum size of the log file directory (250MB by default)
  • Set the maximum size of each log file (10MB by default)
  • Change the path of the log file (‘C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking’ by default)

If you change the path of the message tracking log directory, then new log files will be written to the new path straight away, but existing log files are not moved or copied from the old path to the new path.

Old log files are removed when either the maximum directory size has been reached, or the log file is past the maximum age.  In the case of the maximum size being reached, the oldest log file is removed even though it may not have met the age limit.  Because of this, if you are in a site with many users and where a lot of e-mail is sent, you may need to increase the maximum directory size, as you might find that the log files are being deleted well before the maximum age is reached.

You can use this command to increase the maximum directory size to 2GB and the maximum log file age to 90 days (adjust the values as appropriate for your environment):
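The following is an added example, not the article's original listing: it shows the current tracking settings, checks whether the size cap is removing logs before the age limit is reached, and then applies the 2GB and 90-day values. It assumes the server name EXCHANGE01 (the name used in the searches later in the article) and that it is run in the Exchange Management Shell on that server.

```powershell
# Added example. Run in the Exchange Management Shell on the server itself,
# because the log directory is read as a local path.
$server = "EXCHANGE01"   # assumed server name

# Current message tracking settings (use Get-MailboxServer for a Mailbox role)
$cfg = Get-TransportServer $server
$cfg | Format-List MessageTrackingLog*

# What is actually on disk: number of files, total size, age of the oldest log
$files = @(Get-ChildItem ([string]$cfg.MessageTrackingLogPath) -Filter *.log)
if ($files.Count -gt 0) {
    $oldest  = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    $sizeMB  = ($files | Measure-Object -Property Length -Sum).Sum / 1MB
    $ageDays = ((Get-Date) - $oldest).TotalDays
    $maxDays = [TimeSpan]::Parse([string]$cfg.MessageTrackingLogMaxAge).TotalDays

    "{0} files, {1:N0} MB on disk, oldest log is {2:N1} days old (age limit {3:N0} days)" -f `
        $files.Count, $sizeMB, $ageDays, $maxDays

    # An oldest log much younger than the age limit means either the size cap
    # is pruning files early or tracking has not been running that long.
    if ($ageDays -lt ($maxDays - 1)) {
        "Oldest log is younger than the age limit: compare the size on disk with MessageTrackingLogMaxDirectorySize."
    }
}

# Raise the directory cap to 2GB and the maximum age to 90 days
# (Set-MailboxServer takes the same parameters for a Mailbox role)
Set-TransportServer $server -MessageTrackingLogMaxDirectorySize 2GB `
    -MessageTrackingLogMaxAge 90.00:00:00
```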

To configure Message Tracking you must be delegated the Exchange Organization Administrator role and be a member of the local Administrators group on the Exchange server.

Searching Message Tracking Logs

Once message tracking is configured, using either default or custom settings, you can use the message tracking data for testing, troubleshooting, or auditing mail flow.

Logs can be searched using either the Message Tracking Tool in the Exchange Management Console or the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.  Both methods use the same set of search filters, and in fact the Message Tracking Tool uses the Get-MessageTrackingLog cmdlet to perform the search.  Get-MessageTrackingLog gives the option of limiting the number of results returned, and the results can be converted into different formats.

Search results can be limited using the following filters:

| Name | Description |
|---|---|
| Recipients | The complete e-mail address(es) of the message recipient(s).  Multiple values can be entered using a comma delimiter. |
| Sender | The complete e-mail address of the message sender. |
| Server | The server on which to search |
| EventID | The specific event to search for – for example, “SEND” or “DELIVER” |
| MessageID | Unique ID of the e-mail message |
| InternalMessageID | Server-specific message ID |
| Subject | Subject line of the e-mail message |
| Reference | Additional information for some event types |
| Start | Starting date/time |
| End | Ending date/time |

To perform a search using the Message Tracking Tool, launch the Exchange Management Console, navigate to the Toolbox pane, and double-click “Message Tracking”.  After a brief check for updates you’ll be able to go to the Welcome Screen, where you can enter search parameters to begin looking for messages in the tracking logs.  While you are constructing your search a box at the bottom of the tool shows you the Get-MessageTrackingLog command which will be used to perform the search.

To perform a search using the Get-MessageTrackingLog cmdlet, searching the server EXCHANGE01 for messages sent from john@example.com to bill@example.net, sent between 12/3/2009 and 13/3/2009:

To perform the same search and return only the first 100 matching records:

If you are using Exchange 2007 SP1 you must be delegated the Exchange View-Only Administrator role to use the Get-MessageTrackingLog cmdlet.  If you are using Exchange 2007 RTM you need to be delegated the Exchange Server Administrator role and be a member of the local Administrators group on the target server.

Working With the Search Results

Once you have a search which returns the results you need, you may want to convert those results into other formats, perhaps to use for reports or to provide information to others.  PowerShell includes built-in cmdlets for re-formatting output data, and those can be used in conjunction with the Get-MessageTrackingLog cmdlet.  For the ‘Recipients’, ‘RecipientStatus’ and ‘Reference’ properties it’s necessary to convert the data so that it appears in the output files.

To convert the results to CSV format you can pipe the search command to the Export-CSV cmdlet.  This command will create a CSV file called C:\Temp\SearchResults.csv, exporting all the available fields:

This command will create a CSV file including only the timestamp, event ID, sender, recipients, and subject line:

Alternatively, to convert the results to HTML you can pipe the search command to the ConvertTo-HTML cmdlet.  Use this command to export the results to an HTML file showing the timestamp, event ID, sender, recipients, and subject line:
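The search described under "Searching Message Tracking Logs" and the CSV and HTML exports described above, put together as an added example (not the article's original listings). The HTML file name is an assumption; the server, addresses, dates and CSV path are the ones used in the text.

```powershell
# Added example. Run in the Exchange Management Shell.

# Build the date range as DateTime values so it does not depend on the
# regional date format of the machine running the search.
$start = New-Object DateTime 2009, 3, 12
$end   = New-Object DateTime 2009, 3, 13

# Messages from john@example.com to bill@example.net logged on EXCHANGE01.
# -ResultSize 100 returns only the first 100 matching records.
$results = Get-MessageTrackingLog -Server EXCHANGE01 `
    -Sender john@example.com -Recipients bill@example.net `
    -Start $start -End $end -ResultSize 100

# Recipients is a collection, so it is flattened to a single string here;
# otherwise the exported column would hold the type name instead of the addresses.
$rows = $results | Select-Object Timestamp, EventId, Sender,
    @{ Name = 'Recipients'; Expression = { [string]::Join(';', $_.Recipients) } },
    MessageSubject

# CSV with the timestamp, event ID, sender, recipients and subject line
$rows | Export-Csv C:\Temp\SearchResults.csv -NoTypeInformation

# The same columns as an HTML table (file name is an assumption)
$rows | ConvertTo-Html -Title "Message tracking search" |
    Out-File C:\Temp\SearchResults.html
```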

 

Advanced Searches

PowerShell scripts can be used to do some interesting manipulation of the message tracking log data.  Here are a few examples of what can be done without much effort.

Searching across multiple servers

Get-MessageTrackingLog only searches the message tracking logs of one server.  To search the logs on multiple machines we need to use a few lines of PowerShell code.

First, get the names of all the Hub Transport servers:

Then pipe them into a Get-MessageTrackingLog command, in this case looking for all email with the subject line “Important news” sent on March 13th.

This will return the message tracking information from all the hub transport servers in the Exchange organisation.  As with regular message tracking log searches, it’s possible to output this data to a reader-friendly HTML file.
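One way to write the two steps above, as an added example that is not the article's original listing. It selects the Hub Transport servers with Get-ExchangeServer and queries each one explicitly by name.

```powershell
# Added example. Run in the Exchange Management Shell.

# Step 1: the Hub Transport servers in the organisation
$hubs = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer }

# March 13th as DateTime values, independent of regional date format
$start = New-Object DateTime 2009, 3, 13
$end   = $start.AddDays(1)

# Step 2: search each hub's tracking log for the subject line.
# -ResultSize Unlimited lifts the cap on the number of records returned.
$hits = $hubs | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -MessageSubject "Important news" `
        -Start $start -End $end -ResultSize Unlimited
}

# ServerHostname shows which hub logged each event, so the path of a
# message through the organisation can be read in time order.
$hits | Sort-Object Timestamp |
    Format-Table Timestamp, ServerHostname, EventId, Sender, MessageSubject -AutoSize
```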

Reporting on e-mail messages sent and received yesterday

Using PowerShell scripts it’s possible to use the message tracking logs to create reports.  This example will get the messages sent and received on the previous day for a group of mailboxes in a specific database.

The script works by finding all mailboxes in the DB1 database on the Exchange server EXCHANGE01, and searching the message tracking logs to find any RECEIVE and SEND events.  The Get-Mailbox command can be easily modified to find a different group of mailboxes or changed to return distribution groups or contacts.  The script could also be modified to search across multiple servers.
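A report of this kind, written here as an added example and not the article's own script. It assumes the database identity "EXCHANGE01\DB1" and counts SEND and RECEIVE events as the paragraph above describes; the variable names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell.
$server   = "EXCHANGE01"
$database = "EXCHANGE01\DB1"     # assumed identity of the DB1 database

# Yesterday, from midnight to midnight
$end   = (Get-Date).Date
$start = $end.AddDays(-1)

# @() forces an array, so .Count is valid for zero or one mailbox as well.
# Without it a single result has no Count in PowerShell 1.0, and the
# percentage below fails with "Attempted to divide by zero".
$mailboxes = @(Get-Mailbox -Database $database -ResultSize Unlimited)
$total = $mailboxes.Count
$count = 0

$report = $mailboxes | ForEach-Object {
    $count++
    Write-Progress -Activity "Message Tracking Log Search" `
        -Status "Processing mailboxes" -PercentComplete ($count / $total * 100)

    $email = $_.PrimarySmtpAddress.ToString()

    # SEND events where the mailbox is the sender
    $sent = @(Get-MessageTrackingLog -Server $server -Sender $email `
        -EventID SEND -Start $start -End $end -ResultSize Unlimited)

    # RECEIVE events where the mailbox is a recipient
    $received = @(Get-MessageTrackingLog -Server $server -Recipients $email `
        -EventID RECEIVE -Start $start -End $end -ResultSize Unlimited)

    # One row per mailbox
    $row = "" | Select-Object Name, Email, Sent, Received
    $row.Name     = $_.DisplayName
    $row.Email    = $email
    $row.Sent     = $sent.Count
    $row.Received = $received.Count
    $row
}

$report | Sort-Object Sent -Descending | Format-Table -AutoSize
```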

More information on configuring and managing message tracking and searching message tracking log files can be found on Microsoft TechNet:

http://technet.microsoft.com/en-us/library/aa997984.aspx

http://technet.microsoft.com/en-us/library/bb124375.aspx

http://technet.microsoft.com/en-us/library/bb124926.aspx


Ben Lye is a senior systems administrator at a multi-national software company. He has over 10 years experience supporting and administering Windows and Exchange, and has been MCSE and MCP certified since 1999. Ben is passionate about automating and streamlining routine tasks, and enjoys creating and using tools which make day-to-day administration easier.


  • Sébastien

    Count condition on sent mail
    # Set the Sent property to the number of messages sent
    $Stats.Sent = ($Sent | Where-Object { ($_.EventId -eq "SEND") -and ($_.Sender -eq $email) }).Count

    This point only counts messages which are sent with an SMTP source.

    To count all messages which are sent by a user you can add this condition:
    $Stats.Sent = ($Sent | Where-Object { (($_.EventId -eq "SEND") -or ($_.EventId -eq "RECEIVE")) -and ($_.Sender -eq $email) }).Count

  • Arptro

    error in script
    Hi,

    When I run the script I receive the following error regarding the progress count:

    Attempted to divide by zero.
    At C:ADMINNYC.PS1:36 char:28
    + $PercentComplete = $Count / <<<< $Total * 100
    Write-Progress : Cannot validate argument. The argument cannot be null, empty,
    or contain a null value.
    At C:ADMINNYC.PS1:38 char:103
    + Write-Progress -Activity “Message Tracking Log Search” -Status “Processing ma
    ilboxes” -percentComplete <<<< $PercentComplete

  • akther_mohd

    How can I run this script
    Hi Ben

    Only need to put it in EMS to get the result? Please tell me how to get the output

  • damon27

    automate it
    hi ben,

    how do i automate this script?

    [PS] C:\>Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 | Select Timestamp, ClientIp, ClientHostname, ServerIp, ServerHostname, SourceContext, ConnectorId, Source, EventId, InternalMessageId, MessageId, {$_.Recipients}, {$_.RecipientStatus}, TotalBytes, RecipientCount, RelatedRecipientAddress, {$_.Reference}, MessageSubject, Sender, ReturnPath, MessageInfo | Export-CSV C:\Temp\SearchResults.csv

    please help.

    I want to run it everyday and start date is the date yesterday and the end date is the current date.

  • Samstep

    Searching for specific Subject- Exchange 2007 SP1
    How to search for emails with specific subject and see how many users got the emails? Thanks
