The message tracking log stores each message event on a single line in the log. The events types that are used to classify each message event are explained in Table 1.
|
Event name
|
Description
|
|---|
|
BADMAIL
|
A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned.
|
|
DELIVER
|
A message was delivered to a mailbox.
|
|
DEFER
|
Message delivery was delayed.
|
|
DSN
|
A delivery status notification (DSN) was generated.
|
|
DUPLICATEDELIVER
|
A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of two distribution groups. Duplicate messages are detected and removed by the information store.
|
|
EXPAND
|
A distribution group was expanded.
|
|
FAIL
|
Message delivery failed.
|
|
POISONMESSAGE
|
A message is put in the poison message queue or removed from the poison message queue.
|
|
RECEIVE
|
A message was received and committed to the database. The RECEIVE event can be SMTP receive (Source: SMTP) or mail submitted by STOREDRIVER (Source: STOREDRIVER).
SMTP RECEIVE can be from any source that submits a message by using SMTP. For example, it can be a Hub Transport server role, an Edge Transport server role, a third-party message transfer agent (MTA), or a POP/IMAP client.
STOREDRIVER RECEIVE is logged by the Edge Transport process, and is the event that corresponds to a STOREDRIVER SUBMIT event. STOREDRIVER SUBMIT is logged by the Mail Submission process. These can be on the same server if both roles are installed locally or on different servers.
|
|
REDIRECT
|
A message was redirected to an alternative recipient after an Active Directory directory service lookup.
|
|
RESOLVE
|
A message's recipients were resolved to a different e-mail address after an Active Directory lookup.
|
|
SEND
|
A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server.
|
|
SUBMIT
|
A SUBMIT event is logged by the Mail Submission service on an Exchange 2007 computer that is running the Mailbox server role. The SUBMIT event is logged when the service has successfully notified a Hub Transport server that a message is awaiting submission in the mailbox store.
The SourceContext property provides the Messaging Database (MDB) GUID, Mailbox GUID, Event sequence number, Message class, Creation time stamp of the client submission to store, and Client type. The Client type can be User (Outlook direct MAPI), RPCHTTP (Outlook Anywhere), Outlook Web Access, Exchange Web Services (EWS), Exchange ActiveSync, Assistants, or Transport. The message tracking logs that are generated by the Mailbox server role contain only SUBMIT events.
|
|
TRANSFER
|
Recipients were moved to a forked message because of content conversion, message recipient limits, or agents.
|
The message event information that is stored on each line is organized by fields. These fields are separated by commas. The field name is generally descriptive enough to determine the type of information that it contains. However, some fields may be blank, or the type of information that is stored in the field may change based on the message event type as described in Table 1. General descriptions of the fields that are used to classify each message tracking event are explained in Table 2.
|
Field name
|
Description
|
|---|
|
date-time
|
The UTC date-time of the message tracking event, which is represented in the ISO 8601 format. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
|
|
client-ip
|
The TCP/IP address of the messaging server or messaging client that submitted the message.
|
|
client-hostname
|
The name of the messaging server or messaging client that submitted the message.
|
|
server-ip
|
The TCP/IP address of the source or destination Exchange server.
|
|
server-hostname
|
The name of the destination server.
|
|
source-context
|
Extra information associated with the source field.
|
|
connector-id
|
The name of source or destination Send connector or Receive connector.
|
|
source
|
The Exchange transport component responsible for the message tracking event. The possible values for this field are as follows:
-
ADMIN for Replay directory submission
-
AGENT
-
DSN
-
GATEWAY for Foreign connector submission
-
PICKUP
-
ROUTING
-
SMTP
-
STOREDRIVER for MAPI submission
|
|
event-id
|
The message event type. These events are described fully in Table 1 earlier in this topic. The possible values are BADMAIL, DEFER, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER.
|
|
internal-message-id
|
A message identifier that is assigned by the Exchange 2007 server that is currently processing the message.
A specific message's value of internal-message-id is different in the message tracking log of every Exchange 2007 server that is involved in the delivery of the message.
|
|
message-id
|
The value of the Message-Id: field found in the message's header fields. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.
|
|
recipient-address
|
The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;).
|
|
recipient-status
|
This field is populated for a SEND event or a FAIL event.
|
|
total-bytes
|
The size of the message that includes attachments, in bytes.
|
|
recipient-count
|
The number of recipients in the message.
|
|
related-recipient-address
|
This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message.
|
|
reference
|
This field contains additional information for specific types of events:
DSN The Reference field contains the Internet-Message-Id of the message that caused the DSN.
SEND The Reference field contains the Internet-Message-Id of any delivery status notification (DSN) messages.
TRANSFER The Reference field contains the Internal-Message-Id of the message that is being forked.
For all other types of events, the Reference field is blank.
|
|
message-subject
|
The message's subject found in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet for Hub Transport servers and Edge Transport servers, or in the Set-MailboxServer cmdlet for Mailbox servers. By default, message subject tracking is enabled. Message subject logging can be disabled by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $false.
|
|
sender-address
|
The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.
|
|
return-path
|
The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>.
|
|
message-info
|
This field contains the message origination date-time for DELIVER and SEND events. The origination date-time is the time that the message first enters the Exchange organization. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
|