Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-28
This topic explains how to use the Exchange Management Console or the Exchange Management Shell to search the message tracking logs.
A message tracking log is a detailed log of all message activity as messages are transferred to and from a Microsoft Exchange Server 2007 computer that has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role installed. Exchange servers that have the Client Access server role or Unified Messaging server role don't have message tracking logs. You use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.
In the release to manufacturing (RTM) version of Exchange 2007 and in Exchange 2007 Service Pack 1 (SP1), you can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell and the Message Tracking tool in the Exchange Management Console to search for entries in the message tracking logs by using specific search criteria.
In Exchange 2007 SP1, you can use the new Exchange Management Shell script named GetMessageTrackingLogE2EwithTime.ps1 to search for specific entries in all message tracking logs on all Hub Transport servers and Mailbox servers in the Exchange organization. This is useful when you want to track the complete end-to-end path of a message as it travels through the Exchange organization.
Before You Begin
To perform the following procedures in Exchange 2007 RTM, the account you use must be delegated the following:
- Exchange Server Administrator role and local Administrators group for the target server
To perform the following procedures in Exchange 2007 SP1, the account you use must be delegated the following:
- Exchange View-Only Administrator role
To perform the following procedures on a computer that has the Edge Transport server role installed in Exchange 2007 RTM or Exchange 2007 SP1, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
When you perform a message tracking log search by using the Get-MessageTrackingLog cmdlet or the Message Tracking tool on a Hub Transport server or a Mailbox server, you can't access the message tracking logs on an Edge Transport server. If you want to search the message tracking logs on an Edge Transport server, you must run the Get-MessageTrackingLog cmdlet or the Message Tracking tool directly from the Edge Transport server.
A search of the message tracking logs depends on the Microsoft Exchange Transport Log Search service. If you disable or stop this service, you will cause no visible problems on the Exchange 2007 server other than loss of log search capabilities.
You can't copy the message tracking logs from an Exchange server and then use the Get-MessageTrackingLog cmdlet or the Message Tracking tool to search the copied logs on a different Exchange server. Also, if you save an existing message tracking log, the change in the date-time stamp of the message tracking log file breaks the query logic that is used to search the message tracking logs.
Criteria for Message Tracking Log Searches
Although more than 20 data fields are available for every message tracking log entry, not every field can be used as a search filter. The search filters that are available in the Exchange Management Shell are also available in the Exchange Management Console, because the Exchange Management Console uses the Get-MessageTrackingLog cmdlet to search the message tracking logs. However, the Exchange Management Shell gives you more control over the search results.
Common Search Filters Used by the Exchange Management Console and the Exchange Management Shell
The search filters described in the following list are available and operate in the same manner, whether you use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell or in the Message Tracking tool:
Note: Use of a search filter that contains a partial value or multiple values is not supported unless otherwise noted.
- Recipients: This search filter uses the recipient-address field. You must enter the complete e-mail address of the recipient. Multiple recipient values can be specified by using commas as a delimiter. Multiple individual recipients that are included in a single message are logged by using a single message tracking log entry. Unexpanded distribution group recipients are logged by using the distribution group's SMTP e-mail address.
- Sender: This search filter uses the sender field. You must enter the complete e-mail address of the sender. The sender field contains the sender's e-mail address as specified in the Sender: header field, or in the From: header field if Sender: is not present.
- Server: This search filter specifies the Exchange 2007 server that contains the message tracking logs to be searched. You can describe the server by using any of the following values:
  - Name
  - Fully qualified domain name (FQDN)
  - Distinguished name (DN)
  - Legacy Exchange DN
  - GUID
- EventID: This search filter uses the event-id field. In the Message Tracking tool, you select the value of EventID from a drop-down list. In the Get-MessageTrackingLog cmdlet, you enter the value of EventID as text. However, the value must exactly match one of the possible EventID values. EventID is the event classification that is assigned to each message tracking log entry. The available values are BADMAIL, DEFER, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER.
- MessageID: This search filter uses the message-id field. MessageID is the value of the Message-ID: header field. If the Message-ID: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.
- InternalMessageID: This search filter uses the internal-message-id field. InternalMessageID is a message identifier integer that is assigned by the Exchange 2007 server that is currently processing the message.
- Subject: The parameter in the Get-MessageTrackingLog cmdlet is named MessageSubject. This search filter uses the message-subject field. Partial values are supported. This is the message's subject as specified in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet on Hub Transport servers and Edge Transport servers, and by the Set-MailboxServer cmdlet on Mailbox servers. By default, message subject logging is enabled. You can disable message subject logging by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $False.
- Reference: This search filter uses the reference field. This field contains additional information for specific event types. For a DSN event, the reference field contains the MessageID: of the message that caused the DSN. For a SEND event, the reference field contains the MessageID: of any DSN messages. For a TRANSFER event, the reference field contains the MessageID: of the message that is being forked.
- Start: This search filter uses the date-time field to look for message tracking entries that begin with the specified Start date and time. You can use this filter by itself to retrieve all message tracking log entries after the specified date-time or as a lower limit with the End parameter.
- End: This search filter uses the date-time field to look for message tracking entries up to but not including the specified End date and time. You can use this filter by itself to retrieve all message tracking log entries before the specified date-time or as an upper limit with the Start parameter.
Note: The date-time field in the message tracking log stores information in Coordinated Universal Time (UTC). However, you should enter your date-time search criteria in the regional date-time format of the computer that you are using to perform the search. The message tracking log search tools automatically convert your regional date-time query into UTC. The search results are automatically converted from UTC back into your regional date-time format for display. The date-time field records the date-time of a particular message tracking event. The message origination date-time is the date-time that the message first enters the Exchange organization. The message origination date-time is stored in the message-info field for all SEND and DELIVER events.
Search Filters that are Different in the Exchange Management Console and the Exchange Management Shell
In the Exchange Management Shell, the Get-MessageTrackingLog cmdlet offers more control over the number of search results to display by using the ResultSize parameter. By default, a search displays up to 1,000 results. However, you can change the maximum value to a specific number. Alternatively, you can display all results by using the value of Unlimited. The Message Tracking tool in the Exchange Management Console doesn't have a way to customize the maximum number of search results that are displayed.
Searching the Message Tracking Logs by Using the Exchange Management Shell
The following table lists the search filters that are available by using the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.
Search filters that are available by using the Get-MessageTrackingLog cmdlet
Search filter | Corresponding field in the message tracking log |
---|---|
End | date-time |
EventId | event-id |
InternalMessageId | internal-message-id |
MessageId | message-id |
MessageSubject | message-subject |
Recipients | recipient-address |
Reference | reference |
ResultSize | None. This parameter limits the number of results that are displayed by the search. |
Sender | sender-address |
Start | date-time |
All the parameters that are available with the Get-MessageTrackingLog cmdlet are optional. If you enter the Get-MessageTrackingLog cmdlet without any parameters, you will see a display of the last 1,000 message tracking log entries.
To use the Exchange Management Shell to search the message tracking logs
- Run the following command:
  Get-MessageTrackingLog <SearchFilters>
  For example, to search the message tracking log for all entries from 7/28/2006 8:00 AM to 7/28/2006 5:00 PM for all FAIL events sent by pat@contoso.com, run the following command:
  Get-MessageTrackingLog -ResultSize Unlimited -Start "7/28/2006 8:00AM" -End "7/28/2006 5:00PM" -EventId "Fail" -Sender "pat@contoso.com"
Controlling the Output of a Message Tracking Log Search Performed in the Exchange Management Shell
When you perform a message tracking log search by using the Get-MessageTrackingLog cmdlet, not all the fields are displayed for each message tracking event. The following table lists the fields that are displayed by default by the Get-MessageTrackingLog cmdlet.
Fields that are displayed by default by the Get-MessageTrackingLog cmdlet
Search field | Corresponding field in the message tracking log |
---|---|
EventId | event-id |
Source | message-source |
Sender | sender-address |
Recipients | recipient-address |
MessageSubject | message-subject |
You can control the output of the Get-MessageTrackingLog cmdlet by using command output options in the Exchange Management Shell as described in the following list:
- You can control the output format of the message tracking log search. You can display the results in a list or in a table.
  Important: Although the table format seems like a good choice for an output format, it may not be the best choice. If the field displayed in the table has values that are long, the values are truncated to fit in the columns of the table. Truncation also occurs if you try to display too many fields at the same time. The complete field values are always present if you use the list format. To view more columns, you can also increase the width of the Exchange Management Shell window from the default value of 80 characters. You adjust the size of the Exchange Management Shell window in the properties of the Exchange Management Shell window.
- You can display or hide specific fields that are returned from a message tracking log search. Wildcard characters are supported (*).
- You can send the results of the search to a file.
The field names displayed by the results from the Get-MessageTrackingLog cmdlet are the same field names that you can use to filter the search results. These field names are slightly different from the actual field names that are stored in the message tracking log. The following table juxtaposes the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet.
Comparing the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet
Field name that is used in the message tracking log | Field name that is used to filter the Get-MessageTrackingLog results |
---|---|
date-time | Timestamp |
client-ip | ClientIp |
client-hostname | ClientHostname |
server-ip | ServerIp |
server-hostname | ServerHostname |
source-context | SourceContext |
connector-id | ConnectorId |
source | Source |
event-id | EventId |
internal-message-id | InternalMessageId |
message-id | MessageId |
recipient-address | Recipients |
recipient-status | RecipientStatus |
total-bytes | TotalBytes |
recipient-count | RecipientCount |
related-recipient-address | RelatedRecipientAddress |
reference | Reference |
message-subject | MessageSubject |
sender-address | Sender |
return-path | ReturnPath |
message-info | MessageInfo |
To use the Exchange Management Shell to control the output of a search of the message tracking logs
- Use the following command:
  Get-MessageTrackingLog <SearchFilters> | <Format-Table | Format-List> <FieldNames> <OutputFileOptions>
  For example, to search the message tracking logs for the first 1,000 Send events, display the results that are shown in list format, display the values of any field names that begin with "Send" or "Receive," and write the results to a new file that is named "C:\send search.txt", run the following command:
  Get-MessageTrackingLog -EventId "Send" | Format-List Send*,Receive* > "C:\send search.txt"
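The truncation caveat above matters most when search results are kept as evidence for message forensics. The following is an added example, not part of the original topic: it writes the full value of every selected field to a CSV file instead of a formatted table. The output path C:\Tracking\fail-events.csv is a placeholder, the search values are the ones used earlier in this topic, and the joining of Recipients and RecipientStatus assumes that the cmdlet returns those two fields as multi-valued properties.

```powershell
# Added example: keep complete field values by exporting objects to CSV
# rather than redirecting Format-Table or Format-List text to a file.
# The output path is a placeholder; the folder must already exist.
$outFile = "C:\Tracking\fail-events.csv"

# -ResultSize Unlimited: without it the search stops at 1,000 entries.
$results = Get-MessageTrackingLog -ResultSize Unlimited `
    -Start "7/28/2006 8:00AM" -End "7/28/2006 5:00PM" `
    -EventId "Fail" -Sender "pat@contoso.com"

if (-not $results) {
    Write-Host "No matching message tracking log entries."
    return
}

# Assumption: Recipients and RecipientStatus are arrays. Export-Csv would
# write the type name instead of the values, so join them into one string.
# [string]::Join is used so the example does not depend on newer operators.
$results |
    Select-Object Timestamp, ServerHostname, ClientHostname, Source, EventId,
        InternalMessageId, MessageId, Sender, RecipientCount, TotalBytes,
        MessageSubject,
        @{Name = "Recipients";      Expression = { [string]::Join(";", @($_.Recipients)) }},
        @{Name = "RecipientStatus"; Expression = { [string]::Join(";", @($_.RecipientStatus)) }} |
    Sort-Object -Property Timestamp |
    Export-Csv -Path $outFile -NoTypeInformation

# Short on-screen summary: number of entries per server, so that an
# unexpectedly quiet or noisy server stands out before the CSV is opened.
$results |
    Group-Object -Property ServerHostname |
    Sort-Object -Property Count -Descending |
    Format-List Name, Count
```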
Searching the Message Tracking Logs for a Message on Multiple Servers by Using the Exchange Management Shell
A message property that remains constant as it travels throughout the Exchange organization is the value of the MessageID: header field. This value is named InternetMessageId in queue viewing utilities, and MessageId in the message tracking log utilities. After you have determined the value of MessageID:, you can search for that message in the message tracking logs on every Hub Transport server or Mailbox server in the Exchange organization.
To use the Exchange Management Shell to search message tracking log entries for a specific message across all Hub Transport servers and Mailbox servers
- Use the following command:
  Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "<messageid>" | Select-Object <commaseparatedfieldnames> | Sort-Object -Property <field>
  For example, to search the message tracking logs on all Hub Transport servers and Mailbox servers for any entries related to a message that has a MessageID: of ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com, to display the fields date-time, server-hostname, client-hostname, source, event-id, and recipient-address for each entry, and to sort the results by the date-time field, run the following command:
  Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp
For detailed syntax and parameter information, see Get-MessageTrackingLog.
For more information about command output options in the Exchange Management Shell, see Working with Command Output.
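When the Message-ID is not yet known, the same multi-server pipeline can first establish which mailboxes received a message and then trace each copy. The following is an added example, not part of the original topic: the sender, subject, and time window are placeholder values, and it assumes that Recipients is returned as a multi-valued property, consistent with several recipients being logged in a single entry.

```powershell
# Added example: scope delivery of a message across the organization, then
# trace each distinct message end to end. All search values are placeholders.
$sender  = "chris@contoso.com"
$subject = "financial report"      # partial subject values are supported
$start   = "7/28/2006 8:00AM"      # regional format; converted to UTC by the cmdlet
$end     = "7/28/2006 5:00PM"

# Edge Transport logs cannot be reached from here; search those directly
# on the Edge Transport server.
$servers = Get-ExchangeServer |
    where { $_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true }

# DELIVER entries record delivery to a mailbox. -ResultSize Unlimited
# avoids the default cap of 1,000 entries, which would under-count
# recipients of a large mailing.
$delivered = $servers |
    Get-MessageTrackingLog -ResultSize Unlimited -EventId "DELIVER" `
        -Sender $sender -MessageSubject $subject -Start $start -End $end

# One entry can list several recipients, so expand to one row per recipient.
$rows = $delivered | ForEach-Object {
    $entry = $_
    $entry.Recipients | ForEach-Object {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Recipient $_
        $row | Add-Member NoteProperty Timestamp $entry.Timestamp
        $row | Add-Member NoteProperty ServerHostname $entry.ServerHostname
        $row | Add-Member NoteProperty MessageId $entry.MessageId
        $row
    }
}

# Recipients who received the message, in list format to avoid truncation.
$rows | Sort-Object -Property Recipient, Timestamp |
    Format-List Recipient, Timestamp, ServerHostname, MessageId

# Trace every distinct Message-ID through all Hub Transport and Mailbox servers.
$rows | ForEach-Object { $_.MessageId } | Sort-Object -Unique | ForEach-Object {
    $id = $_
    Write-Host "Path of message $id"
    $servers |
        Get-MessageTrackingLog -ResultSize Unlimited -MessageId $id |
        Select-Object Timestamp, ServerHostname, ClientHostname, Source, EventId, Recipients |
        Sort-Object -Property Timestamp |
        Format-List
}
```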
Searching the Message Tracking Logs for a Message on Multiple Servers by Using an Exchange Management Shell Script in Exchange 2007 SP1
As noted earlier in this topic, Exchange 2007 SP1 includes an Exchange Management Shell script named GetMessageTrackingLogE2EwithTime.ps1. This script uses the Get-MessageTrackingLog cmdlet to search the message tracking logs of all Hub Transport servers and all Mailbox servers in the Exchange organization for the specified message criteria. You can also use the script to search the message tracking logs of a specific list of Hub Transport servers and Mailbox servers.
The script uses the parameters that are described in the following table.
Parameters that are used by the GetMessageTrackingLogE2EwithTime.ps1 script
Parameter | Required or optional | Description |
---|---|---|
MessageId | This parameter is required when a value for the MessageSubject parameter isn't specified. | This parameter searches for message tracking log entries with the specified |
MessageSubject | This parameter is required when a value for the MessageId parameter isn't specified. | This parameter searches for message tracking log entries that contain the specified text string in the |
End | Optional | This parameter searches for message tracking log entries up to, but not including, the specified End date and time by using the regional format of the computer on which the cmdlet is run. The date that you specify is converted automatically into the UTC format that is used internally by Exchange 2007 to store entries in the message tracking logs. |
Sender | Optional | This parameter searches for message tracking log entries with the specified sender's SMTP e-mail address. If you specify a value for the Sender parameter, and the message sender is an internal sender that can be resolved, the message tracking log search will begin on the sender's home Mailbox server. |
Servers | Optional | This parameter specifies a comma-separated list of the names of Hub Transport servers or Mailbox servers. This parameter limits the search of the message tracking logs to the specified servers. |
Start | Optional | This parameter searches for message tracking log entries starting with the specified Start date and time by using the regional format of the computer on which the cmdlet is run. The date that you specify is converted automatically into the UTC format that is used internally by Exchange 2007 to store entries in the message tracking logs. |
You must identify the specific message for which you are searching by using the MessageId or MessageSubject parameter. If you don't specify a value for the Sender parameter or the Server parameter, the message tracking log search begins on the Hub Transport server or Mailbox server on which the GetMessageTrackingLogE2EwithTime.ps1 script is run.
The following table lists the fields that are displayed in the results of the GetMessageTrackingLogE2EwithTime.ps1 script.
Fields that are displayed in the results of the GetMessageTrackingLogE2EwithTime.ps1 script
Displayed field | Corresponding field in the message tracking log |
---|---|
TimeStamp | date-time |
EventId | event-id |
Source | message-source |
Sender | sender-address |
RecipientCount | recipient-count |
InternalMessageID | internal-message-id |
Reference | reference |
SourceContext | source-context |
The results of the script are displayed in table format with fields as columns. The whole value of each field is displayed in each column. If the fields are too wide, the display truncates the remaining columns. As explained earlier in this topic, to view more columns, you can increase the width of the Exchange Management Shell window from the default value of 80 characters. You adjust the size of the Exchange Management Shell window in the properties of the Exchange Management Shell window.
To use the Exchange Management Shell to search message tracking log entries for a specific message across all Hub Transport servers and Mailbox servers by using the GetMessageTrackingLogE2EwithTime.ps1 script
- Use the following command:
  GetMessageTrackingLogE2EwithTime.ps1 <-MessageId "message id" | -MessageSubject "message subject"> -<Other Optional Parameters>
  For example, to search the message tracking logs on all Hub Transport servers and Mailbox servers for any entries that are related to a message that contains the text string "financial report" from the sender "chris@contoso.com", run the following command:
  GetMessageTrackingLogE2EwithTime.ps1 -MessageSubject "financial report" -Sender "chris@contoso.com"
For more information about Exchange Management Shell scripts, see Scripting with the Exchange Management Shell.
Searching the Message Tracking Logs by Using the Exchange Management Console
To use the Exchange Management Console to search the message tracking log
- Open the Exchange Management Console.
- In the console tree, click Toolbox. In the result pane, click Message Tracking. In the action pane, click Open tool.
- In the Message Tracking Parameters dialog box, set the search criteria for your message tracking log search by selecting the check box next to the search criteria name and entering a value for the search criteria. To remove search criteria, clear the check box next to the search criteria name. By default, the following search criteria are selected and values are provided:
  - EventID with a value of RECEIVE
  - Start with a value of the date-time that the Message Tracking tool was opened
  - End with a value of the date-time that the Message Tracking tool was opened
  If you select the Recipient check box and enter a partial value in the Recipient field, you can populate the rest of the recipient's e-mail address by clicking Resolve Recipient. This feature only works on Hub Transport servers or Mailbox servers to resolve the names of mailbox users or mail-enabled contacts that exist in the Exchange 2007 organization.
  If you select the Sender check box and enter a partial value in the Sender field, you can populate the rest of the sender's e-mail address by clicking Resolve Sender. This feature only works on Hub Transport servers or Mailbox servers to resolve the names of mailbox users or mail-enabled contacts that exist in the Exchange 2007 organization.
  You can also populate the Server field with the name of the Mailbox server on which the sender's mailbox resides by clicking Server from Sender. If you want to use that server name as search criteria, remember to select the Server check box.
  Note: As you enter your search criteria, the equivalent Get-MessageTrackingLog command is populated in the Exchange Management Shell command field.
- To execute your search, click Next.
If the search produces no results in the Message Tracking Results dialog box, click Go Back and change your search criteria in the Message Tracking Parameters dialog box. If a syntax error exists in any of your search criteria, an error message will be displayed.
If the search produces results, the results are displayed in a tabular layout in the Message Tracking Results dialog box. Every field is displayed for every message tracking log entry on every row. To sort the results by field, click the column heading of any column.
To start a new search, select an individual cell or a whole row in the results table and then click Next. This action returns you to the Message Tracking Parameters dialog box.
Note: When you return to the Message Tracking Parameters dialog box, the message tracking log search criteria in the Message Tracking Parameters dialog box are populated with the values from the message tracking entry that you selected previously. Although all the existing search criteria are populated, only the following search criteria are active by default: Server, MessageID, Start, and End. The value of Start is 10 minutes before the timestamp of the selected message tracking log entry. The value of End is 10 minutes after the timestamp of the selected message tracking log entry.
If you want to perform another message tracking log search, accept or modify the selected criteria and then click Next.
To reset all the search criteria to the default values as if you just opened the Message Tracking tool, in the console tree, click Restart current task.
To return to the Message Tracking tool, in the console tree, click Restart current task.
To close the Message Tracking tool, click Close.
For More Information
For more information, see the following topics: