Export (0) Print
Expand All

How to Search Message Tracking Logs

 

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2011-10-04

This topic explains how to use the Exchange Management Console or the Exchange Management Shell to search the message tracking logs.

A message tracking log is a detailed log of all message activity as messages are transferred to and from an Microsoft Exchange Server 2007 computer that has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role installed. Exchange servers that have the Client Access server role or Unified Messaging server role don't have message tracking logs. You use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.

In the release to manufacturing (RTM) version of Exchange 2007 and in Exchange 2007 Service Pack 1 (SP1), you can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell and the Message Tracking tool in the Exchange Management Console to search for entries in the message tracking logs by using specific search criteria.

In Exchange 2007 SP1, you can use the new Exchange Management Shell script named GetMessageTrackingLogE2EwithTime.ps1 to search for specific entries in all message tracking logs on all Hub Transport servers and Mailbox servers in the Exchange organization. This is useful when you want to track the complete end-to-end path of a message as it travels through the Exchange organization.

When you perform a message tracking log search by using the Get-MessageTrackingLog cmdlet or the Message Tracking tool on a Hub Transport server or a Mailbox server, you can't access the message tracking logs on an Edge Transport server. If you want to search the message tracking logs on an Edge Transport server, you must run the Get-MessageTrackingLog cmdlet or the Message Tracking tool directly from the Edge Transport server.

A search of the message tracking logs depends on the Microsoft Exchange Transport Log Search service. If you disable or stop this service, you will cause no visible problems on the Exchange 2007 server other than loss of log search capabilities.

You can't copy the message tracking logs from an Exchange server and then use the Get-MessageTrackingLog cmdlet or the Message Tracking tool to search the copied logs on a different Exchange server. Also, if you save an existing message tracking log, the change in the date-time stamp of the message tracking log file breaks the query logic that is used to search the message tracking logs.

Although more than 20 data fields are available for every message tracking log entry, not every field can be used as a search filter. The search filters that are available in the Exchange Management Shell are also available in the Exchange Management Console, because the Exchange Management Console uses the Get-MessageTrackingLog cmdlet to search the message tracking logs. However, the Exchange Management Shell gives you more control over the search results.

The search filters described in the following list are available and operate in the same manner, whether you use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell or in the Message Tracking tool:

noteNote:
Use of a search filter that contains a partial value or multiple values is not supported unless otherwise noted.
  • Recipients   This search filter uses the recipient-address field. You must enter the complete e-mail address of the recipient. Multiple recipient values can be specified by using commas as a delimiter. Multiple individual recipients that are included in a single message are logged by using a single message tracking log entry. Unexpanded distribution group recipients are logged by using the distribution group's SMTP e-mail address.
  • Sender   This search filter uses the sender field. You must enter the complete e-mail address of the sender. The sender field contains the sender's e-mail address as specified in the Sender: header field, or in the From: header field if Sender: is not present.
  • Server   This search filter specifies the Exchange 2007 server that contains the message tracking logs to be searched. You can describe the server by using any of the following values:
    • Name
    • Fully qualified domain name (FQDN)
    • Distinguished name (DN)
    • Legacy Exchange DN
    • GUID
  • EventID   This search filter uses the event-id field. In the Message Tracking tool, you select the value of EventID from a drop-down list. In the Get-MessageTrackingLog cmdlet, you enter the value of EventID as text. However, the value must exactly match one of the possible EventID values. EventID is the event classification that is assigned to each message tracking log entry. The available values are BADMAIL, DEFER, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER.
  • MessageID   This search filter uses the message-id field. MessageID is the value of the Message-ID: header field. If the Message-ID: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.
  • InternalMessageID   This search filter uses the internal-message-id field. InternalMessageID is a message identifier integer that is assigned by the Exchange 2007 server that is currently processing the message.
  • Subject    The parameter in the Get-MessageTrackingLog cmdlet is named MessageSubject. This search filter uses the message-subject field. Partial values are supported. This is the message's subject as specified in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet on Hub Transport servers and Edge Transport servers, and by the Set-MailboxServer cmdlet on Mailbox servers. By default, message subject logging is enabled. You can disable message subject logging by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $False.
  • Reference   This search filter uses the reference field. This field contains additional information for specific event types. For a DSN event, the reference field contains the MessageID: of the message that caused the DSN. For a SEND event, the reference field contains the MessageID: of any DSN messages. For a TRANSFER event, the reference field contains the MessageID: of the message that is being forked.
  • Start   This search filter uses the date-time field to look for message tracking entries that begin with the specified End date and time. You can use this filter by itself to retrieve all message tracking log entries after the specified date-time or as a lower limit with the End parameter.
  • End   This search filter uses the date-time field to look for message tracking entries up to but not including the specified End date and time. You can use this filter by itself to retrieve all message tracking log entries before the specified date-time or as an upper limit with the Start parameter.
noteNote:
The date-time field in the message tracking log stores information in Coordinated Universal Time (UTC). However, you should enter your date-time search criteria in the regional date-time format of the computer that you are using to perform the search. The message tracking log search tools automatically convert your regional date-time query into UTC. The search results are automatically converted from UTC back into your regional data-time format for display. The date-time field records the date-time of a particular message tracking event. The message origination date-time is the date-time that the message first enters the Exchange organization. The message origination date-time is stored in the message-info field for all SEND and DELIVER events.

In the Exchange Management Shell, the Get-MessageTrackingLog cmdlet offers more control over the number of search results to display by using the ResultSize parameter. By default, a search displays up to 1,000 results. However, you can change the maximum value to a specific number. Alternatively, you can display all results by using the value of Unlimited. The Message Tracking tool in the Exchange Management Console doesn't have a way to customize the maximum number of search results that are displayed.

The following table lists the search filters that are available by using the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.

Search filters that are available by using the Get-MessageTrackingLog cmdlet

Search filter Corresponding field in the message tracking log

End

date-time

EventId

event-id

InternalMessageId

internal-message-id

MessageId

message-id

MessageSubject

message-subject

Recipients

recipient-address

Reference

reference

ResultSize

None. This parameter limits the number of results that are displayed by the search.

Sender

sender-address

Start

date-time

All the parameters that are available with the Get-MessageTrackingLog cmdlet are optional. If you enter the Get-MessageTrackingLog cmdlet without any parameters, you will see a display of the last 1,000 message tracking log entries.

  • UNRESOLVED_TOKEN_VAL(<rte:RBAC_ProcedureFragment>)

    Run the following command:

    Get-MessageTrackingLog <SearchFilters>
    

    For example, to search the message tracking log for all entries from 7/28/2006 8:00 AM to 7/28/2006 5:00 PM for all FAIL events sent by pat@contoso.com, run the following command:

    Get-MessageTrackingLog -ResultSize Unlimited -Start "7/28/2006 8:00AM" -End "7/28/2006 5:00PM" -EventId "Fail" -Sender "pat@contoso.com" 
    

When you perform a message tracking log search by using the Get-MessageTrackingLog cmdlet, not all the fields are displayed for each message tracking event. The following table lists the fields that are displayed by default by the Get-MessageTrackingLog cmdlet.

Fields that are displayed by default by the Get-MessageTrackingLog cmdlet

Search field Corresponding field in the message tracking log

EventId

event-id

Source

message-source

Sender

sender-address

Recipients

recipient-address

MessageSubject

message-subject

You can control the output of the Get-MessageTrackingLog cmdlet by using command output options in the Exchange Management Shell as described in the following list:

  • You can control the output format of the message tracking log search. You can display the results in a list or in a table.
    importantImportant:
    Although the table format seems like a good choice for an output format, it may not be the best choice. If the field displayed in the table has values that are long, the values are truncated to fit in the columns of the table. Truncation also occurs if you try to display too many fields at the same time. The complete field values are always present if you use the list format. To view more columns, you can also increase the width of the Exchange Management Shell window from the default value of 80 characters. You adjust the size of the Exchange Management Shell window in the properties of the Exchange Management Shell window.
  • You can display or hide specific fields that are returned from a message tracking log search. Wildcard characters are supported (*).
  • You can send the results of the search to a file.

The field names displayed by the results from the Get-MessageTrackingLog cmdlet are the same field names that you can use to filter the search results. These field names are slightly different from the actual field names that are stored in the message tracking log. The following table juxtaposes the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet.

Comparing the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet

Field name that is used in the message tracking log Field name that is used to filter the Get-MessageTrackingLog results

date-time

Timestamp

client-ip

ClientIp

client-hostname

ClientHostname

server-ip

ServerIp

server-hostname

ServerHostname

source-context

SourceContext

connector-id

ConnectorId

source

Source

event-id

EventId

internal-message-id

InternalMessageId

message-id

MessageId

recipient-address

Recipients

recipient-status

RecipientStatus

total-bytes

TotalBytes

recipient-count

RecipientCount

related-recipient-address

RelatedRecipientAddress

reference

Reference

message-subject

MessageSubject

sender-address

Sender

return-path

ReturnPath

message-info

MessageInfo

  • Use the following command:

    Get-MessageTrackingLog <SearchFilters> | <Format-Table | Format-List> <FieldNames> <OutputFileOptions>
    

    For example, to search the message tracking logs for the first 1,000 Send events, display the results that are shown in list format, display the values of any field names that begin with "Send" or "Receive," and write the results to a new file that is named "C:\send search.txt", run the following command:

    Get-MessageTrackingLog -EventId "Send" | Format-List Send*,Receive* > "C:\send search.txt"
    

A message property that remains constant as it travels throughout the Exchange organization is the value of the MessageID: header field. This value is named InternetMessageId in queue viewing utilities, and MessageId in the message tracking log utilities. After you have determined the value of MessageID:, you can search for that message in the message tracking logs on every Hub Transport server or Mailbox server in the Exchange organization.

  • Use the following command:

    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "<messageid>" | Select-Object <commaseparatedfieldnames> | Sort-Object -Property <field>
    

    For example, to search the message tracking logs on all Hub Transport servers and Mailbox servers for any entries related to a message that has a MessageID: of ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com, to display the fields date-time, server-hostname, client-hostname, source, event-id, and recipient-address for each entry, and to sort the results by the date-time field, run the following command:

    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp
    

For detailed syntax and parameter information, see Get-MessageTrackingLog.

For more information about command output options in the Exchange Management Shell, see Working with Command Output.

As noted earlier in this topic, Exchange 2007 SP1 includes an Exchange Management Shell script named GetMessageTrackingLogE2EwithTime.ps1. This script uses the Get-MessageTrackingLog cmdlet to search the message tracking logs of all Hub Transport servers and all Mailbox servers in the Exchange organization for the specified message criteria. You can also use the script to search the message tracking logs of a specific list of Hub Transport servers and Mailbox servers.

The script uses the parameters that are described in the following table.

Parameters that are used by the GetMessageTrackingLogE2EwithTime.ps1 script

Parameter Required or optional Description

MessageId

This parameter is required when a value for the MessageSubject parameter isn't specified.

This parameter searches for message tracking log entries with the specified Message-ID: header field in the message.

MessageSubject

This parameter is required when a value for the MessageId parameter isn't specified.

This parameter searches for message tracking log entries that contain the specified text string in the Subject: header field in the message. If you specify an empty string value for the MessageSubject parameter, the resulting search will query all the entries in the message tracking log.

End

Optional

This parameter searches for message tracking log entries up to, but not including, the specified End date and time by using the regional format of the computer on which the cmdlet is run. The date that you specify is converted automatically into the UTC format that is used internally by Exchange 2007 to store entries in the message tracking logs.

Sender

Optional

This parameter searches for message tracking log entries with the specified sender's SMTP e-mail address. If you specify a value for the Sender parameter, and the message sender is an internal sender that can be resolved, the message tracking log search will begin on the sender's home Mailbox server.

Servers

Optional

This parameter specifies a comma-separated list of the names of Hub Transport servers or Mailbox servers. This parameter limits the search of the message tracking logs to the specified servers.

Start

Optional

This parameter searches for message tracking log entries starting with the specified Start date and time by using the regional format of the computer on which the cmdlet is run. The date that you specify is converted automatically into the UTC format that is used internally Exchange 2007 to store entries in the message tracking logs.

You must identify the specific message for which you are searching by using the MessageId or MessageSubject parameter. If you don't specify a value for the Sender parameter or the Server parameter, the message tracking log search begins on the Hub Transport server or Mailbox server on which the GetMessageTrackingLogE2EwithTime.ps1 script is run.

The following table lists the fields that are displayed in the results of the GetMessageTrackingLogE2EwithTime.ps1 script.

Fields that are displayed in the results of the GetMessageTrackingLogE2EwithTime.ps1 script

Displayed field Corresponding field in the message tracking log

TimeStamp

date-time

EventId

event-id

Source

message-source

Sender

sender-address

RecipientCount

recipient-count

InternalMessageID

internal-message-id

Reference

reference

SourceContext

source-context

The results of the script are displayed in table format with fields as columns. The whole value of each field is displayed in each column. If the fields are too wide, the display truncates the remaining columns. As explained earlier in this topic, to view more columns, you can increase the width of the Exchange Management Shell window from the default value of 80 characters. You adjust the size of the Exchange Management Shell window in the properties of the Exchange Management Shell window.

  • Use the following command:

    GetMessageTrackingLogE2EwithTime.ps1 <-MessageId "message id" | -MessageSubject "message subject"> -<Other Optional Parameters>
    

    For example, to search the message tracking logs on all Hub Transport servers and Mailbox servers for any entries that are related to a message that contains the text string "financial report" from the sender "chris@contoso.com", run the following command:

    GetMessageTrackingLogE2EwithTime.ps1 -MessageSubject "financial report" -Sender "chris@contoso.com"
    

For more information about Exchange Management Shell scripts, see Scripting with the Exchange Management Shell.

  1. Open the Exchange Management Console.

  2. In the console tree, click Toolbox. In the result pane, click Message Tracking. In the action pane, click Open tool.

  3. In the Message Tracking Parameters dialog box, set the search criteria for your message tracking log search by selecting the check box next to the search criteria name and entering a value for the search criteria. To remove search criteria, clear the check box next to the search criteria name. By default, the following search criteria are selected and values are provided:

    • EventID with a value of RECEIVE
    • Start with a value of the date-time that the Message Tracking tool was opened
    • End with a value of the date-time that the Message Tracking tool was opened

    If you select the Recipient check box and enter a partial value in the Recipient field, you can populate the rest of the recipient's e-mail address by clicking Resolve Recipient. This feature only works on Hub Transport servers or Mailbox servers to resolve the names of mailbox users or mail-enabled contacts that exist in the Exchange 2007 organization.

    If you select the Sender check box and enter a partial value in the Sender field, you can populate the rest of the sender's e-mail address by clicking Resolve Sender. This feature only works on Hub Transport servers or Mailbox servers to resolve the names of mailbox users or mail-enabled contacts that exist in the Exchange 2007 organization.

    You can also populate the Server field with the name of the Mailbox server on which the sender's mailbox resides by clicking Server from Sender. If you want to use that server name as search criteria, remember to select the Server check box.

    noteNote:
    As you enter your search criteria, the equivalent Get-MessageTrackingLog command is populated in the Exchange Management Shell command field.
  4. To execute your search, click Next.

If the search produces no results in the Message Tracking Results dialog box, click Go Back and change your search criteria in the Message Tracking Parameters dialog box. If a syntax error exists in any of your search criteria, an error message will be displayed.

If the search produces results, the results are displayed in a tabular layout in the Message Tracking Results dialog box. Every field is displayed for every message tracking log entry on every row. To sort the results by field, click the column heading of any column.

To start a new search, select an individual cell or a whole row in the results table and then click Next. This action returns you to the Message Tracking Parameters dialog box.

noteNote:
When you return to the Message Tracking Parameters dialog box, the message tracking log search criteria in the Message Tracking Parameters dialog box are populated with the values from the message tracking entry that you selected previously. Although all the existing search criteria are populated, only the following search criteria are active by default: Server, MessageID, Start, and End. The value of Start is 10 minutes before the timestamp of the selected message tracking log entry. The value of End is 10 minutes after the timestamp of the selected message tracking log entry

If you want to perform another message tracking log search, accept or modify the selected criteria and then click Next.

To reset all the search criteria to the default values as if you just opened the Message Tracking tool, in the console tree, click Restart current task.

To return to the Message Tracking tool, in the console tree, click Restart current task.

To close the Message Tracking tool, click Close.

To ensure that you are reading the most up-to-date information and to find additional Exchange Server 2007 documentation, visit the Exchange Server TechCenter.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft