Search Message Tracking Logs

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

This topic describes how to use the Exchange Management Console or the Exchange Management Shell to search the message tracking logs.

A message tracking log is a detailed log of all message activity as messages are transferred to and from a Microsoft Exchange Server 2010-based computer that has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role installed. Exchange servers that have the Client Access server role or Unified Messaging server role don't have message tracking logs. You can use message tracking logs for message forensics, for mail flow analysis, for reporting, and for troubleshooting.

You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell and the Message Tracking tool in the Toolbox in the Exchange Management Console to search for entries in the message tracking logs by using specific search criteria.

Before You Begin

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Message tracking" entry in the Transport Permissions topic.

For more information about permissions, about delegating roles, and about the rights that are required to administer Exchange 2010, see Understanding Permissions.

When you search the message tracking log on a Hub Transport server or a Mailbox server, you cannot access the message tracking logs on an Edge Transport server. If you want to search the message tracking logs on an Edge Transport server, you must run the Get-MessageTrackingLog cmdlet or the Message Tracking tool directly from the Edge Transport server.

A search of the message tracking logs depends on the Microsoft Exchange Transport Log Search service. If you disable or stop this service, you cannot search the message tracking log files. However, stopping this service does not affect other features in Exchange.

Important

You cannot copy the message tracking log files from a server that is running Microsoft Exchange and then search them by using the Get-MessageTrackingLog cmdlet or the Message Tracking tool. Also, if you save an existing message tracking log, the change in the date and time stamp on the message tracking log file breaks the query logic that Exchange uses to search the message tracking logs.

Criteria for Message Tracking Log Searches

Although many data fields are available for every message tracking log entry, not every field can be used as a search filter. Additionally, the Exchange Management Shell provides more flexibility for searching because of the many search filters that are available for use with the Get-MessageTrackingLog cmdlet.

Common Search Filters Used with the Get-MessageTrackingLog Cmdlet

The search filters described in the following list are available for use with the Get-MessageTrackingLog cmdlet in the Exchange Management Shell:

Note

Use of a search filter that contains a partial value or multiple values is not supported unless otherwise noted.

  • Recipients   This search filter uses the recipient-address field. You must enter the complete e-mail address of the recipient. Multiple recipient values can be specified by using commas as a delimiter. Multiple individual recipients that are included in a single message are logged by using a single message tracking log entry. Unexpanded distribution group recipients are logged by using the distribution group's SMTP e-mail address.

  • Sender   This search filter uses the sender field. You must enter the complete e-mail address of the sender. The sender field contains the sender's e-mail address as specified in the Sender: header field, or in the From: header field if Sender: is not present.

  • Server   This search filter specifies the Exchange server that contains the message tracking logs to be searched. You can describe the server by using any of the following values:

    • Name

    • Fully qualified domain name (FQDN)

    • Distinguished name (DN)

    • Legacy Exchange DN

    • GUID

  • EventID   This search filter uses the event-id field. In the Message Tracking tool, you select the value of EventID from a drop-down list. In the Get-MessageTrackingLog cmdlet, you enter the value of EventID as text. However, the value must exactly match one of the possible EventID values. EventID is the event classification that is assigned to each message tracking log entry. The available values are as follows:

    • BADMAIL

    • DEFER

    • DELIVER

    • DSN

    • EXPAND

    • FAIL

    • POISONMESSAGE

    • RECEIVE

    • REDIRECT

    • RESOLVE

    • SEND

    • SUBMIT

    • TRANSFER

  • MessageID   This search filter uses the message-id field. MessageID is the value of the Message-ID: header field. If the Message-ID: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.

  • InternalMessageID   This search filter uses the internal-message-id field. InternalMessageID is a message identifier integer that is assigned by the Exchange server that is currently processing the message.

  • Subject    The parameter in the Get-MessageTrackingLog cmdlet is named MessageSubject. This search filter uses the message-subject field. Partial values are supported. This is the message's subject as specified in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet on Hub Transport servers and Edge Transport servers, and by the Set-MailboxServer cmdlet on Mailbox servers. By default, message subject logging is enabled. You can disable message subject logging by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $False.

  • Reference   This search filter uses the reference field. This field contains additional information for specific event types. For a DSN event, the reference field contains the MessageID: of the message that caused the DSN. For a SEND event, the reference field contains the MessageID: of any DSN messages. For a TRANSFER event, the reference field contains the MessageID: of the message that is being forked.

  • Start   This search filter uses the date-time field to look for message tracking entries that begin with the specified Start date and time. You can use this filter by itself to retrieve all message tracking log entries after the specified date-time or as a lower limit with the End parameter.

  • End   This search filter uses the date-time field to look for message tracking entries up to but not including the specified End date and time. You can use this filter by itself to retrieve all message tracking log entries before the specified date-time or as an upper limit with the Start parameter.

Note

The date-time field in the message tracking log stores information in Coordinated Universal Time (UTC). However, you should enter your date-time search criteria in the regional date-time format of the computer that you are using to perform the search. The message tracking log search tools automatically convert your regional date-time query into UTC. The search results are automatically converted from UTC back into your regional date-time format for display. The date-time field records the date-time of a particular message tracking event. The message origination date-time is the date-time that the message first enters the Exchange organization. The message origination date-time is stored in the message-info field for all SEND and DELIVER events.

Search Filters that are Different in the Exchange Management Console and the Exchange Management Shell

In the Exchange Management Shell, the Get-MessageTrackingLog cmdlet offers more control over the number of search results to display by using the ResultSize parameter. By default, a search displays up to 1,000 results. However, you can change the maximum value to a specific number. Alternatively, you can display all results by using the value of Unlimited. The Message Tracking tool in the Exchange Management Console does not have a way to customize the maximum number of search results that are displayed.

Searching the Message Tracking Logs by Using the Exchange Management Shell

The following table lists the search filters that are available by using the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.

Search filters that are available by using the Get-MessageTrackingLog cmdlet

Search filter        Corresponding field in the message tracking log
End                  date-time
EventId              event-id
InternalMessageId    internal-message-id
MessageId            message-id
MessageSubject       message-subject
Recipients           recipient-address
Reference            reference
ResultSize           None. This parameter limits the number of results that are displayed by the search.
Sender               sender-address
Start                date-time

All the parameters that are available with the Get-MessageTrackingLog cmdlet are optional. If you enter the Get-MessageTrackingLog cmdlet without any parameters, you will see a display of the last 1,000 message tracking log entries.

To use the Exchange Management Shell to search the message tracking logs

  • Run the following command:

    Get-MessageTrackingLog <SearchFilters>
    

    For example, to search the message tracking log for all entries from 3/28/2011 8:00 AM to 3/28/2011 5:00 PM for all FAIL events sent by pat@contoso.com, run the following command:

    Get-MessageTrackingLog -ResultSize Unlimited -Start "3/28/2011 8:00AM" -End "3/28/2011 5:00PM" -EventId "Fail" -Sender "pat@contoso.com" 
    

Controlling the Output of a Message Tracking Log Search Performed in the Exchange Management Shell

When you perform a message tracking log search by using the Get-MessageTrackingLog cmdlet, not all the fields are displayed for each message tracking event. The following table lists the fields that are displayed by default by the Get-MessageTrackingLog cmdlet.

Fields that are displayed by default by the Get-MessageTrackingLog cmdlet

Search field      Corresponding field in the message tracking log
EventId           event-id
Source            message-source
Sender            sender-address
Recipients        recipient-address
MessageSubject    message-subject

You can control the output of the Get-MessageTrackingLog cmdlet by using command output options in the Exchange Management Shell according to the following guidelines:

  • You can control the output format of the message tracking log search. You can display the results in a list or in a table.

    Important

    Although the table format seems like a good choice for an output format, it may not be the best choice. If the field displayed in the table has values that are long, the values are truncated to fit in the columns of the table. Truncation also occurs if you try to display too many fields at the same time. The complete field values are always present if you use the list format. To view more columns, you can also increase the width of the Exchange Management Shell window from the default value of 80 characters. You adjust the size of the Exchange Management Shell window in the properties of the Exchange Management Shell window.

  • You can display or hide specific fields that are returned from a message tracking log search. Wildcard characters (*) are supported.

  • You can send the results of the search to a file.

The field names displayed by the results from the Get-MessageTrackingLog cmdlet are the same field names that you can use to filter the search results. These field names differ slightly from the actual field names that are stored in the message tracking log. The following table juxtaposes the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet.

Comparing the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet

Field name that is used in the message tracking log    Field name that is used to filter the Get-MessageTrackingLog results
date-time                                              Timestamp
client-ip                                              ClientIp
client-hostname                                        ClientHostname
server-ip                                              ServerIp
server-hostname                                        ServerHostname
source-context                                         SourceContext
connector-id                                           ConnectorId
source                                                 Source
event-id                                               EventId
internal-message-id                                    InternalMessageId
message-id                                             MessageId
recipient-address                                      Recipients
recipient-status                                       RecipientStatus
total-bytes                                            TotalBytes
recipient-count                                        RecipientCount
related-recipient-address                              RelatedRecipientAddress
reference                                              Reference
message-subject                                        MessageSubject
sender-address                                         Sender
return-path                                            ReturnPath
message-info                                           MessageInfo

To use the Exchange Management Shell to Control the Output of a Search of the Message Tracking Logs

  • Use the following command:

    Get-MessageTrackingLog <SearchFilters> | <Format-Table | Format-List> <FieldNames> <OutputFileOptions>
    

    For example, to search the message tracking logs for the first 1,000 Send events, display the results in list format, show only the values of field names that begin with "Send" or "Receive," and write the results to a new file that is named "C:\send search.txt", run the following command:

    Get-MessageTrackingLog -EventId "Send" | Format-List Send*,Receive* > "C:\send search.txt"
    

Searching the Message Tracking Logs for a Message on Multiple Servers by Using the Exchange Management Shell

A message property that remains constant as it travels throughout the Exchange organization is the value of the MessageID: header field. This value is named InternetMessageId in queue viewing utilities, and MessageId in the message tracking log utilities. After you have determined the value of MessageID:, you can search for that message in the message tracking logs on every Hub Transport server or Mailbox server in the Exchange organization.

To use the Exchange Management Shell to Search Message Tracking Log Entries for a Specific Message Across all Hub Transport Servers and Mailbox Servers

  • Use the following command:

    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "<messageid>" | Select-Object <commaseparatedfieldnames> | Sort-Object -Property <field>
    

    For example, to search the message tracking logs on all Hub Transport servers and Mailbox servers for any entries related to a message that has a MessageID: of ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com, to display the fields date-time, server-hostname, client-hostname, source, event-id, and recipient-address for each entry, and to sort the results by the date-time field, run the following command:

    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp
    

For detailed syntax and parameter information, see Get-MessageTrackingLog.

For more information about command output options in the Exchange Management Shell, see Exchange Management Shell.
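
The multi-server search and the output options described above can be combined to establish where a message with a known subject was delivered and to save the result for analysis. The following is an added example, not part of the original topic; the subject text, time window and output path are constructed placeholders.

```powershell
# Added example; run in the Exchange Management Shell on a Hub Transport or
# Mailbox server. All literal values are constructed placeholders.
$subjectFragment = 'Invoice overdue'      # MessageSubject accepts a partial value
$start   = '3/28/2011 8:00AM'             # same window as the FAIL example above
$end     = '3/28/2011 5:00PM'
$outFile = 'C:\tracking-scope.csv'        # hypothetical output path

# Search every Hub Transport and Mailbox server. Edge Transport logs are not
# reachable from here; run the search on the Edge Transport server itself.
# A subject search finds nothing on servers where
# MessageTrackingLogSubjectLoggingEnabled is $False.
$events = @(Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true } |
    Get-MessageTrackingLog -ResultSize Unlimited -Start $start -End $end `
        -EventId 'Deliver' -MessageSubject $subjectFragment)

if ($events.Count -eq 0) {
    Write-Warning "No DELIVER events matched '$subjectFragment' in the window."
} else {
    # Recipients and RecipientStatus are multi-valued. Join them, or Export-Csv
    # writes the type name (System.String[]) instead of the addresses.
    $events | Sort-Object -Property Timestamp |
        Select-Object Timestamp, ServerHostname, Source, EventId, MessageId, Sender,
            @{ Name = 'Recipients';      Expression = { $_.Recipients -join ';' } },
            @{ Name = 'RecipientStatus'; Expression = { $_.RecipientStatus -join ';' } },
            MessageSubject |
        Export-Csv -Path $outFile -NoTypeInformation

    # One row per distinct message: how many delivery events and which sender.
    $events | Group-Object -Property MessageId |
        Select-Object Count, Name, @{ Name = 'Sender'; Expression = { $_.Group[0].Sender } } |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
}
```

Each MessageId listed in the summary can then be passed to the -MessageId search shown earlier to follow that message through every server.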

Searching the Message Tracking Logs by Using the Exchange Management Console

To use the Exchange Management Console to Search the Message Tracking Log

  1. Start the Exchange Management Console.

  2. In the console tree, click Toolbox. In the result pane, click Message Tracking. In the action pane, click Open tool.

  3. Log on to Outlook Web App when you are prompted.

  4. In the Select what to manage list, click My Organization, and then click Reporting in the navigation pane.

  5. Set the search criteria for your message tracking log search by configuring the values for the following available options:

    • Mailbox to search   Click Browse, and then select the appropriate mailbox.

    • Search for messages sent to   Click this option if you want to search for sent messages, and then click Select users to select one or more users.

    • Search for messages received from   Alternatively, click this option to search for received messages, and then click Select a user to select the particular recipient.

    • Search for these words in the subject line   Enter the search criteria text if you want to search for messages that contain a particular subject.

  6. Click Search, and then review the results in the Search Results pane.

For More Information

For more information, see the following topics:

Understanding Message Tracking

Configure Message Tracking

 © 2010 Microsoft Corporation. All rights reserved.