Understanding Message Tracking

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

A message tracking log is a detailed log of all message activity as messages are transferred to and from a computer that is running Microsoft Exchange Server 2010 and that has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role installed. Exchange servers that have the Client Access server role or Unified Messaging server role installed don't have message tracking logs. You use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.

You can use the Set-TransportServer cmdlet for all message tracking configuration tasks on a Hub Transport server or Edge Transport server. You can use the Set-MailboxServer cmdlet for all message tracking configuration tasks on a Mailbox server. For servers that have the Hub Transport server role and the Mailbox server role installed, you can use the Set-TransportServer cmdlet or the Set-MailboxServer cmdlet. You can use these cmdlets to make the following message tracking configuration changes:

  • Enable or disable message tracking: The default is enabled.

  • Specify the location of the message tracking log files

  • Specify a maximum size for the individual message tracking log files: The default is 10 MB.

  • Specify a maximum size for the directory that contains the message tracking log files: The default is 1000 MB.

  • Specify maximum age for the message tracking log files: The default is 30 days.

  • Enable or disable message subject logging in the message tracking logs The default is enabled.

Note

You can also use the Exchange Management Console on a Hub Transport server or Edge Transport server to enable or disable message tracking, and to specify the location of the message tracking log files.

Exchange 2010 uses log rotation to limit the message tracking logs based on both file size and age. This helps limit the hard disk space that is used by the log files.

Structure of the Message Tracking Log Files

By default, the message tracking log files exist in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking.

The naming convention for log files in the message tracking log directory depends on the server role that is installed. On a Hub Transport server or an Edge Transport server, the log files are named MSGTRKyyyymmdd-nnnn.log. On a Mailbox server, the log files are named MSGTRKMyyyymmdd-nnnn.log. When the Hub Transport server role and Mailbox server role are installed on the same server, separate log files that use these different name prefixes are created in the message tracking log directory.

The placeholders in the log file names represent the following information:

  • The placeholder yyyymmdd is the coordinated universal time (UTC) date on which the log file was created. yyyy = year, mm = month, and dd = day.

  • The placeholder nnnn is an instance number that starts at the value of 1 daily for each message tracking log file name prefix.

Information is written to each log file until the file size reaches its maximum specified value for each log file. Then, a new log file that has an incremented instance number is opened. This process is repeated throughout the day. The log file rotation functionality deletes the oldest log files when either of the following conditions is true:

  • A log file reaches its maximum specified age.

  • The message tracking log directory reaches its maximum specified size.

    Important

    The maximum size of the message tracking log directory is calculated as the total size of all log files that have the same name prefix. Other files that do not follow the name prefix convention are not counted in the total directory size calculation. Renaming old log files or copying other files into the message tracking log directory could cause the directory to exceed its specified maximum size. When the Hub Transport server role and the Mailbox server role are installed on the same server, the maximum size of the message tracking log directory is not the specified maximum size, because the message tracking log files that are generated by the different server roles have different name prefixes. When the Hub Transport server role and the Mailbox server role are installed on the same server, the maximum size of the message tracking log directory is two times the specified value.

The message tracking log files are text files that contain data in the comma-separated value (CSV) format. Each message tracking log file has a header that contains the following information:

  • #Software:   The name of the software that created the message tracking log file. Typically, the value is Microsoft Exchange Server.

  • #Version:   The version number of the software that created the message tracking log file. Currently, the value is 14.0.0.0.

  • #Log-Type:   The value of this field is Message Tracking Log.

  • #Date:   The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • #Fields:   The comma-delimited field names that are used in the message tracking log files. The following fields are listed:

Information that is Written to the Message Tracking Log

The message tracking log stores each message event on a single line in the log. The events types that are used to classify each message event are explained in Table 1.

Table 1   Event Types that are Used to Classify Each Message Event

Event name Description

BADMAIL

A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned.

DELIVER

A message was delivered to a mailbox.

DEFER

Message delivery was delayed.

DSN

A delivery status notification (DSN) was generated.

DUPLICATEDELIVER

A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of two distribution groups. Duplicate messages are detected and removed by the information store.

EXPAND

A distribution group was expanded.

FAIL

Message delivery failed.

POISONMESSAGE

A message is put in the poison message queue or removed from the poison message queue.

RECEIVE

A message was received and committed to the database. The RECEIVE event can be SMTP receive (Source: SMTP) or mail submitted by STOREDRIVER (Source: STOREDRIVER).

SMTP RECEIVE can be from any source that submits a message by using SMTP. For example, it can be a Hub Transport server role, an Edge Transport server role, a third-party message transfer agent (MTA), or a POP/IMAP client.

STOREDRIVER RECEIVE is logged by the EdgeTransport.exe process, and is the event that corresponds to a STOREDRIVER SUBMIT event. STOREDRIVER SUBMIT is logged by the Mail Submission process. These events can be on the same server if both server roles are installed locally, or they can be on different servers.

Note

EdgeTransport.exe and MSExchangeTransport.exe are the executable files that are used by the Microsoft Exchange Transport service. This service runs on every Hub Transport server or Edge Transport server.

REDIRECT

A message was redirected to an alternative recipient after an Active Directory directory service lookup.

RESOLVE

A message's recipients were resolved to a different e-mail address after an Active Directory lookup.

SEND

A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server.

SUBMIT

A SUBMIT event is logged by the Mail Submission service on an Exchange 2007 computer that is running the Mailbox server role. The SUBMIT event is logged when the service has successfully notified a Hub Transport server that a message is awaiting submission in the mailbox store.

The SourceContext property provides the Messaging Database (MDB) GUID, Mailbox GUID, Event sequence number, Message class, Creation time stamp of the client submission to store, and Client type. The Client type can be User (Outlook direct MAPI), RPCHTTP (Outlook Anywhere), Outlook Web Access, Exchange Web Services (EWS), Exchange ActiveSync, Assistants, or Transport. The message tracking logs that are generated by the Mailbox server role contain only SUBMIT events.

TRANSFER

Recipients were moved to a forked message because of content conversion, message recipient limits, or agents.

The message event information that is stored on each line is organized by fields. These fields are separated by commas. The field name is generally descriptive enough to determine the type of information that it contains. However, some fields may be blank, or the type of information that is stored in the field may change based on the message event type as described in Table 1. General descriptions of the fields that are used to classify each message tracking event are explained in Table 2.

Table 2   Fields that are Used to Classify Each Message Tracking Event

Field name Description

date-time

The UTC date-time of the message tracking event, which is represented in the ISO 8601 format. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

client-ip

The TCP/IP address of the messaging server or messaging client that submitted the message.

client-hostname

The name of the messaging server or messaging client that submitted the message.

server-ip

The TCP/IP address of the source or destination Exchange server.

server-hostname

The name of the destination server.

source-context

Extra information associated with the source field.

connector-id

The name of source or destination Send connector or Receive connector.

source

The Exchange transport component responsible for the message tracking event. The possible values for this field are as follows:

  • ADMIN for Replay directory submission

  • AGENT

  • DSN

  • GATEWAY for Foreign connector submission

  • PICKUP

  • ROUTING

  • SMTP

  • STOREDRIVER for MAPI submission

event-id

The message event type. These events are described fully in Table 1 earlier in this topic. The possible values are BADMAIL, DEFER, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER.

internal-message-id

A message identifier that is assigned by Exchange 2010 server that is currently processing the message.

A specific message's value of internal-message-id is different in the message tracking log of every Exchange 2010 server that is involved in the delivery of the message.

message-id

The value of the Message-Id: field found in the message's header fields. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.

recipient-address

The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;).

recipient-status

This field is populated for a SEND event or a FAIL event.

total-bytes

The size of the message that includes attachments, in bytes.

recipient-count

The number of recipients in the message.

related-recipient-address

This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message.

reference

This field contains additional information for specific types of events:

DSN   The Reference field contains the Internet-Message-Id of the message that caused the DSN.

SEND   The Reference field contains the Internet-Message-Id of any delivery status notification (DSN) messages.

TRANSFER   The Reference field contains the Internal-Message-Id of the message that is being forked.

For all other types of events, the Reference field is blank.

message-subject

The message's subject found in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet for Hub Transport servers and Edge Transport servers, or in the Set-MailboxServer cmdlet for Mailbox servers. By default, message subject tracking is enabled. Message subject logging can be disabled by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $false.

sender-address

The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.

return-path

The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>.

message-info

This field contains the message origination date-time for DELIVER and SEND events. The origination date-time is the time that the message first enters the Exchange organization. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell or the Message Tracking tool in the Exchange Management Console to search for messages by using specific message criteria.

Security Concerns for the Message Tracking Log

No message content is stored in the message tracking log. By default, the subject line of an e-mail message is stored in the message tracking log. You may want to disable message subject logging to comply with increased security or privacy requirements. Before you enable or disable message subject logging, make sure that you verify your organization's policy about revealing subject line information.

For More Information

For more information, see the following topics:

Configure Message Tracking

Search Message Tracking Logs

 © 2010 Microsoft Corporation. All rights reserved.