Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-10-21
This topic describes how to use the Exchange Management Console or the Exchange Management Shell to search the message tracking logs.
A message tracking log is a detailed log of all message activity as messages are transferred to and from a Microsoft Exchange Server 2010-based computer that has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role installed. Exchange servers that have the Client Access server role or Unified Messaging server role don't have message tracking logs. You can use message tracking logs for message forensics, for mail flow analysis, for reporting, and for troubleshooting.
You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell and the Message Tracking tool in the Toolbox in the Exchange Management Console to search for entries in the message tracking logs by using specific search criteria.
Before You Begin
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Message tracking" entry in the Transport Permissions topic.
For more information about permissions, about delegating roles, and about the rights that are required to administer Exchange 2010, see Understanding Permissions.
When you search the message tracking log on a Hub Transport server or a Mailbox server, you cannot access the message tracking logs on an Edge Transport server. If you want to search the message tracking logs on an Edge Transport server, you must run the Get-MessageTrackingLog cmdlet or the Message Tracking tool directly from the Edge Transport server.
A search of the message tracking logs depends on the Microsoft Exchange Transport Log Search service. If you disable or stop this service, you cannot search the message tracking log files. However, stopping this service does not affect other features in Exchange.
Important: |
---|
You cannot copy the message tracking log files from a server that is running Microsoft Exchange and then search them by using the Get-MessageTrackingLog cmdlet or the Message Tracking tool. Also, if you save an existing message tracking log, the change in the date and time stamp on the message tracking log file breaks the query logic that Exchange uses to search the message tracking logs. |
Criteria for Message Tracking Log Searches
Although many data fields are available for every message tracking log entry, not every field can be used as a search filter. Additionally, the Exchange Management Shell provides more flexibility for searching because of the many search filters that are available for use with the Get-MessageTrackingLog cmdlet.
Common Search Filters Used with the Get-MessageTrackingLog Cmdlet
The search filters described in the following list are available for use with the Get-MessageTrackingLog cmdlet in the Exchange Management Shell:
Note: |
---|
Use of a search filter that contains a partial value or multiple values is not supported unless otherwise noted. |
- Recipients This search filter uses the recipient-address field. You must enter the complete e-mail address of the recipient. Multiple recipient values can be specified by using commas as a delimiter. Multiple individual recipients that are included in a single message are logged by using a single message tracking log entry. Unexpanded distribution group recipients are logged by using the distribution group's SMTP e-mail address.
- Sender This search filter uses the sender field. You must enter the complete e-mail address of the sender. The sender field contains the sender's e-mail address as specified in the Sender: header field, or in the From: header field if Sender: is not present.
- Server This search filter specifies the Exchange server that contains the message tracking logs to be searched. You can describe the server by using any of the following values:
- Name
- Fully qualified domain name (FQDN)
- Distinguished name (DN)
- Legacy Exchange DN
- GUID
- EventID This search filter uses the event-id field. In the Message Tracking tool, you select the value of EventID from a drop-down list. In the Get-MessageTrackingLog cmdlet, you enter the value of EventID as text. However, the value must exactly match one of the possible EventID values. EventID is the event classification that is assigned to each message tracking log entry. The available values are as follows:
- BADMAIL
- DEFER
- DELIVER
- DSN
- EXPAND
- FAIL
- POISONMESSAGE
- RECEIVE
- REDIRECT
- RESOLVE
- SEND
- SUBMIT
- TRANSFER
- MessageID This search filter uses the message-id field. MessageID is the value of the Message-ID: header field. If the Message-ID: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.
- InternalMessageID This search filter uses the internal-message-id field. InternalMessageID is a message identifier integer that is assigned by the Exchange server that is currently processing the message.
- Subject The parameter in the Get-MessageTrackingLog cmdlet is named MessageSubject. This search filter uses the message-subject field. Partial values are supported. This is the message's subject as specified in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet on Hub Transport servers and Edge Transport servers, and by the Set-MailboxServer cmdlet on Mailbox servers. By default, message subject logging is enabled. You can disable message subject logging by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $False.
- Reference This search filter uses the reference field. This field contains additional information for specific event types. For a DSN event, the reference field contains the MessageID: of the message that caused the DSN. For a SEND event, the reference field contains the MessageID: of any DSN messages. For a TRANSFER event, the reference field contains the MessageID: of the message that is being forked.
- Start This search filter uses the date-time field to look for message tracking entries that begin with the specified Start date and time. You can use this filter by itself to retrieve all message tracking log entries after the specified date-time or as a lower limit with the End parameter.
- End This search filter uses the date-time field to look for message tracking entries up to but not including the specified End date and time. You can use this filter by itself to retrieve all message tracking log entries before the specified date-time or as an upper limit with the Start parameter.
Note: |
---|
The date-time field in the message tracking log stores information in Coordinated Universal Time (UTC). However, you should enter your date-time search criteria in the regional date-time format of the computer that you are using to perform the search. The message tracking log search tools automatically convert your regional date-time query into UTC. The search results are automatically converted from UTC back into your regional date-time format for display. The date-time field records the date-time of a particular message tracking event. The message origination date-time is the date-time that the message first enters the Exchange organization. The message origination date-time is stored in the message-info field for all SEND and DELIVER events. |
Search Filters that are Different in the Exchange Management Console and the Exchange Management Shell
In the Exchange Management Shell, the Get-MessageTrackingLog cmdlet offers more control over the number of search results to display by using the ResultSize parameter. By default, a search displays up to 1,000 results. However, you can change the maximum value to a specific number. Alternatively, you can display all results by using the value of Unlimited. The Message Tracking tool in the Exchange Management Console does not have a way to customize the maximum number of search results that are displayed.
Searching the Message Tracking Logs by Using the Exchange Management Shell
The following table lists the search filters that are available by using the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.
Search filters that are available by using the Get-MessageTrackingLog cmdlet
Search filter | Corresponding field in the message tracking log |
---|---|
End | date-time |
EventId | event-id |
InternalMessageId | internal-message-id |
MessageId | message-id |
MessageSubject | message-subject |
Recipients | recipient-address |
Reference | reference |
ResultSize | None. This parameter limits the number of results that are displayed by the search. |
Sender | sender-address |
Start | date-time |
All the parameters that are available with the Get-MessageTrackingLog cmdlet are optional. If you enter the Get-MessageTrackingLog cmdlet without any parameters, you will see a display of the last 1,000 message tracking log entries.
To use the Exchange Management Shell to search the message tracking logs, run the following command:
Get-MessageTrackingLog <SearchFilters>
For example, to search the message tracking log for all entries from 3/28/2011 8:00 AM to 3/28/2011 5:00 PM for all FAIL events sent by pat@contoso.com, run the following command:
Get-MessageTrackingLog -ResultSize Unlimited -Start "3/28/2011 8:00AM" -End "3/28/2011 5:00PM" -EventId "Fail" -Sender "pat@contoso.com"
Controlling the Output of a Message Tracking Log Search Performed in the Exchange Management Shell
When you perform a message tracking log search by using the Get-MessageTrackingLog cmdlet, not all the fields are displayed for each message tracking event. The following table lists the fields that are displayed by default by the Get-MessageTrackingLog cmdlet.
Fields that are displayed by default by the Get-MessageTrackingLog cmdlet
Search field | Corresponding field in the message tracking log |
---|---|
EventId | event-id |
Source | message-source |
Sender | sender-address |
Recipients | recipient-address |
MessageSubject | message-subject |
You can control the output of the Get-MessageTrackingLog cmdlet by using command output options in the Exchange Management Shell according to the following guidelines:
- You can control the output format of the message tracking log search. You can display the results in a list or in a table.
Important: Although the table format seems like a good choice for an output format, it may not be the best choice. If the field displayed in the table has values that are long, the values are truncated to fit in the columns of the table. Truncation also occurs if you try to display too many fields at the same time. The complete field values are always present if you use the list format. To view more columns, you can also increase the width of the Exchange Management Shell window from the default value of 80 characters. You adjust the size of the Exchange Management Shell window in the properties of the Exchange Management Shell window.
- You can display or hide specific fields that are returned from a message tracking log search. Wildcard characters (*) are supported.
- You can send the results of the search to a file.
The field names displayed by the results from the Get-MessageTrackingLog cmdlet are the same field names that you can use to filter the search results. These field names differ slightly from the actual field names that are stored in the message tracking log. The following table juxtaposes the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet.
Comparing the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet
Field name that is used in the message tracking log | Field name that is used to filter the Get-MessageTrackingLog results |
---|---|
date-time | Timestamp |
client-ip | ClientIp |
client-hostname | ClientHostname |
server-ip | ServerIp |
server-hostname | ServerHostname |
source-context | SourceContext |
connector-id | ConnectorId |
source | Source |
event-id | EventId |
internal-message-id | InternalMessageId |
message-id | MessageId |
recipient-address | Recipients |
recipient-status | RecipientStatus |
total-bytes | TotalBytes |
recipient-count | RecipientCount |
related-recipient-address | RelatedRecipientAddress |
reference | Reference |
message-subject | MessageSubject |
sender-address | Sender |
return-path | ReturnPath |
message-info | MessageInfo |
Use the following command:
Get-MessageTrackingLog <SearchFilters> | <Format-Table | Format-List> <FieldNames> <OutputFileOptions>
For example, to search the message tracking logs for the first 1,000 Send events, display the results that are shown in list format, display the values of any field names that begin with "Send" or "Receive," and write the results to a new file that is named "C:\send search.txt", run the following command:
Get-MessageTrackingLog -EventId "Send" | Format-List Send*,Receive* > "C:\send search.txt"
Searching the Message Tracking Logs for a Message on Multiple Servers by Using the Exchange Management Shell
A message property that remains constant as it travels throughout the Exchange organization is the value of the MessageID: header field. This value is named InternetMessageId in queue viewing utilities, and MessageId in the message tracking log utilities. After you have determined the value of MessageID:, you can search for that message in the message tracking logs on every Hub Transport server or Mailbox server in the Exchange organization.
Use the following command:
Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "<messageid>" | Select-Object <commaseparatedfieldnames> | Sort-Object -Property <field>
For example, to search the message tracking logs on all Hub Transport servers and Mailbox servers for any entries related to a message that has a MessageID: of ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com, to display the fields date-time, server-hostname, client-hostname, source, event-id, and recipient-address for each entry, and to sort the results by the date-time field, run the following command:
Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp
For detailed syntax and parameter information, see Get-MessageTrackingLog.
For more information about command output options in the Exchange Management Shell, see Exchange Management Shell.
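Added example (not part of the original topic and not Microsoft's code): a function that wraps the multi-server MessageId search above and writes the result to CSV as a forensic timeline, with a UTC timestamp column and multi-valued fields flattened. The function name, its parameters and the output path are hypothetical; it assumes Recipients, RecipientStatus and Reference can each hold several values.

```powershell
# Added example; Trace-MessageAcrossServers and its parameters are hypothetical names.
# Run in the Exchange Management Shell on a Hub Transport or Mailbox server.
function Trace-MessageAcrossServers {
    param(
        [Parameter(Mandatory = $true)][string]$MessageId,
        [Parameter(Mandatory = $true)][string]$OutputPath,
        [datetime]$Start,
        [datetime]$End
    )

    # Search filters from this topic. Start and End are optional bounds on date-time.
    $filters = @{ MessageId = $MessageId; ResultSize = 'Unlimited' }
    if ($PSBoundParameters.ContainsKey('Start')) { $filters['Start'] = $Start }
    if ($PSBoundParameters.ContainsKey('End'))   { $filters['End']   = $End }

    $columns = @(
        # Results are shown in regional time; keep a UTC column for the timeline
        # (assumes Timestamp comes back as local time, as the topic describes).
        @{ Name = 'TimestampUtc'; Expression = { $_.Timestamp.ToUniversalTime().ToString('o') } },
        'ServerHostname', 'ClientHostname', 'Source', 'EventId', 'InternalMessageId',
        'MessageId', 'Sender', 'ReturnPath', 'MessageSubject', 'RecipientCount', 'TotalBytes',
        # Multi-valued fields are joined so the CSV holds the values themselves
        # rather than the type name of the collection.
        @{ Name = 'Recipients';      Expression = { $_.Recipients -join ';' } },
        @{ Name = 'RecipientStatus'; Expression = { $_.RecipientStatus -join ';' } },
        @{ Name = 'Reference';       Expression = { $_.Reference -join ';' } }
    )

    # Same server selection as the command above: Hub Transport and Mailbox roles.
    # Edge Transport logs must be searched directly on the Edge Transport server.
    $entries = @(Get-ExchangeServer |
        Where-Object { $_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true } |
        Get-MessageTrackingLog @filters |
        Sort-Object -Property Timestamp |
        Select-Object -Property $columns)

    if ($entries.Count -eq 0) {
        Write-Warning "No message tracking entries matched MessageId '$MessageId'."
        return
    }

    # CSV keeps every value in full; Format-Table would truncate long fields.
    $entries | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
    $entries
}

# Usage with the MessageId from this topic (the output path is a constructed example):
# Trace-MessageAcrossServers -MessageId "ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com" -OutputPath "C:\trace.csv"
```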
Searching the Message Tracking Logs by Using the Exchange Management Console
- Start the Exchange Management Console.
- In the console tree, click Toolbox. In the result pane, click Message Tracking. In the action pane, click Open tool.
- Log on to Outlook Web App when you are prompted.
- In the Select what to manage list, click My Organization, and then click Reporting in the navigation pane.
- Set the search criteria for your message tracking log search by configuring the values for the following available options:
  - Mailbox to search Click Browse, and then select the appropriate mailbox.
  - Search for messages sent to Click this option if you want to search for sent messages, and then click Select users to select one or more users.
  - Search for messages received from Alternatively, click this option to search for received messages, and then click Select a user to select the particular recipient.
  - Search for these words in the subject line Enter the search criteria text if you want to search for messages that contain a particular subject.
- Click Search, and then review the results in the Search Results pane.
For More Information
For more information, see the following topics: