Message Tracking from the command line in Exchange 2010 and Exchange 2007

by Bharat Suneja

I’ve forever envied folks (including some colleagues, you know who you are…) on the Linux/Unix side of things who were able to parse text log files generated by MTAs like Postfix/Sendmail/Exim in a fraction of the time it takes one to fire up Message Tracking Center on Exchange and search for a message. I tried for a while to put together some scripts that could do something as cool as those guys, but it was nowhere close.

Thankfully, Exchange Server 2010/2007 and the Exchange Management Shell (Exchange shell) bring an end to that Linux/Unix-MTA envy (yes, I’m indeed talking about the Exchange Management Shell (EMS)… I’ll just call it Exchange shell, and you can probably tell how much I love Microsoft naming conventions… PowerShell=cool name for new Windows shell, Exchange Management Shell=not even close!).

Message tracking using the shell is easy. (Yes, it is a shell, and…. Yes, you’ll need to remember a syntax. No, you may not always remember it. No, you don’t need to remember every single option… Yes, there’s help! Get over it. Or use the GUI – more about that in a little bit.)

The magic cmdlet: Get-MessageTrackingLog

If you want to track messages using the shell, the magic cmdlet to remember is Get-MessageTrackingLog. It’s capable of doing wonderful things very quickly.

Avoid typing too much: Using aliases for commands

Yes, that’s a long command to type in every time. Luckily, the shell has tab completion which allows you to type a partial command and have the shell complete the rest. In case of multiple matches, you can continue to hit tab and cycle through all the matches till you find the one you want.

Windows PowerShell, and therefore the Exchange shell, allows you to create your own preferred aliases for commands. I use the alias track for Get-MessageTrackingLog. To create an alias:

New-Alias track Get-MessageTrackingLog

Now you can simply use track blah.

What can you do with it? A lot.

Message Tracking log fields

First, let’s take a look at a typical record in the tracking log. A single message generates multiple records in the log, one for each message tracking event. Familiarity with the fields and the kind of information they contain will help you filter and find what you’re looking for. If you frequently use message tracking for troubleshooting or otherwise, this familiarity can be rewarding.

Timestamp : 9/30/2008 12:03:46 PM
ClientIp : 192.168.2.10
ClientHostname : myserver
ServerIp : 100.1.2.3
ServerHostname : mail2.somedomain.com
SourceContext : 08CAEC7BADA2C89C
ConnectorId : Default
Source : SMTP
EventId : SEND
InternalMessageId : 566
MessageId : <8ae81f81e2d0bc45b53db7d1661e75b801a4e86bc6d2@myserver.mydomain.com>
Recipients : {[email protected]}
RecipientStatus : {250 2.1.5 [email protected] }
TotalBytes : 21097
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : RE: Your request for more information
Sender : [email protected]
ReturnPath : [email protected]
MessageInfo : 9/30/2008 12:03:38 PM

Filtering Message Tracking Logs

You can filter Message Tracking logs by the following properties:

Property : Description

Start, End : By default, Message Tracking logs are kept for a maximum of 30 days. If you’re trying to find a message that may have been sent or received in the last day or two, or a specific period, it’s inefficient to search 30 days worth of logs. It’s a good idea to narrow down the search by specifying a start time, and preferably the end time as well.

Event ID : This is by far one of the more important parameters of Message Tracking logs that we need to understand. Whereas Exchange Server 2003/2000’s Message Tracking log was an easy-to-use application that shielded the user from this complexity, it also provided much less flexibility. Message Tracking logs have a lot of details about a message as it originates from an internal user or external sender, and makes its way through the different stages of message routing and transfer, and finally gets delivered (or not). You can now track messages based on these events.

Sender : Sender’s SMTP address

Recipients : SMTP address(es) of one or more recipients

MessageSubject : The subject field in the message header

MessageID : This is the MessageID in the header. It is constant for the lifetime of a message, and can be used to track messages across different mail systems.

InternalMessageID : An integer field assigned by the Exchange 2007 server that is currently processing the message. The same message will have a different InternalMessageID on different Exchange servers.

Message tracking events

Here’s a list of some of these EventIDs:

EventID : Description

DEFER : Message delivery delayed

DELIVER : Message delivered to a mailbox

DSN : A delivery status notification was generated. Messages quarantined by the Content Filter are also delivered as DSNs. The Recipients field has the SMTP address of the quarantine mailbox.

EXPAND : Distribution Group expanded. The RelatedRecipientAddress field has the SMTP address of the Distribution Group.

FAIL : Delivery failed. The RecipientStatus field has more information about the failure, including the SMTP response code. You should also look at the Source and Recipients fields when inspecting messages with this event.

POISONMESSAGE : Message added to or removed from the poison queue

RECEIVE : Message received. The Source field is STOREDRIVER for messages submitted by Store Driver (from a Mailbox server), or SMTP for messages a) received from another Hub/Edge, b) received from an external (non-Exchange) host using SMTP, or c) submitted by SMTP clients such as POP/IMAP users.

REDIRECT : Message redirected to alternate recipient

RESOLVE : Generally seen when a message is received on a proxy address and resolved to the default email address. The RelatedRecipientAddress field has the proxy address the message was sent to. The Recipients field has the default address it was resolved (and delivered) to.

SEND : Message sent by SMTP. The ServerIp and ServerHostname fields have the IP address and hostname of the SMTP server.

SUBMIT : The Microsoft Exchange Mail Submission service on a Mailbox server successfully notified a Hub Transport server that a message is awaiting submission (to the Hub). These are the events you’ll see on a Mailbox server. The SourceContext property provides the MDB Guid, Mailbox Guid, Event sequence number, Message class, Creation timestamp, and Client type. Client type can be User (Outlook MAPI), RPCHTTP (Outlook Anywhere), OWA, EWS, EAS, Assistants, Transport.

TRANSFER : Message forked because of content conversion, recipient limits, or transport agents

Finding messages

Here are some examples that show how to use different parameters such as sender, recipients, start and end times to find messages. These examples demonstrate the power of the Exchange shell and how it can help you be very productive when managing Exchange 2010/2007 using this great new tool.

1 Find messages by sender:

Get-MessageTrackingLog -Sender "[email protected]"

2 Find messages by recipient:

Get-MessageTrackingLog -Recipients "[email protected]"

3 Messages received or messages delivered to the mailbox: You can further constrain these to messages received:

Get-MessageTrackingLog -Sender "[email protected]" -EventId RECEIVE

and messages delivered to the mailbox:

Get-MessageTrackingLog -Sender "[email protected]" -EventId DELIVER

4 Start and End date/time: To further constrain these by Start and End times:

Get-MessageTrackingLog -Sender "[email protected]" -EventId DELIVER -Start "10/01/2006 9:00AM" -End "10/03/2006 5:00PM"

Formatting output

To show only selected fields, you can pipe the output to the Select-Object command, and specify the fields required. Here we want the timestamp, recipients, and subject fields:

Get-MessageTrackingLog -Sender "[email protected]" -EventId DELIVER -Start "10/01/2006 9:00AM" -End "10/03/2006 5:00PM" | Select Timestamp,Recipients,MessageSubject

To get all fields from a message in a list format, you can pipe the output into fl (the alias for Format-List).

By default, the Get-MessageTrackingLog command returns up to 1000 results. This can be hard to work with in a command screen that keeps scrolling endlessly. In addition to the above parameters used to filter the logs, you can also restrict the number of results returned using the ResultSize parameter.

Get-MessageTrackingLog -Sender "[email protected]" -EventId DELIVER -Start "10/01/2006 9:00AM" -End "10/03/2006 5:00PM" -ResultSize 25

Very cool!

Combine the above with the out-html | out-ie scripts/commandlets that I blogged about earlier (read previous post “More about the out-html | out-ie functionality“), and you have a nifty little message tracking report displayed in a browser. One step further, there’s an out-email script that can be used to directly email the tracking results to a sender/recipient.

Having said that, yes, there’s a Message Tracking GUI as well under Tools | Message Tracking in the Exchange console. I know it’s a pre-release version, but all I can say is it’s not something you’ll fall in love with. (Although not a pre-release version any more, the remainder of the previous statement is still true). I would even go as far as to say I liked the old one better. It needed some tweaks but it worked for a lot of folks.

Message tracking using the Exchange shell is much faster than using the Message Tracking tool in the Exchange console, and chances are it will help you get rid of the Sendmail/Postfix-envy.
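
An added example (not from the original post) that goes one step beyond the single-filter searches above: it follows one message by its MessageId across every Hub Transport and Mailbox server and returns its tracking events in time order, then pulls out the DELIVER and FAIL records. Trace-Message is a hypothetical helper name, and the message ID and dates in the usage lines are constructed placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Trace-Message is a hypothetical helper name.
function Trace-Message {
    param(
        [Parameter(Mandatory = $true)][string]$MessageId,
        [Parameter(Mandatory = $true)][datetime]$Start,
        [Parameter(Mandatory = $true)][datetime]$End
    )

    # Tracking logs are kept per server, so query every Hub Transport and
    # Mailbox server rather than only the local one.
    $servers = Get-ExchangeServer |
        Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer }

    # MessageId stays constant for the lifetime of the message, so it ties
    # together the records written by each server. InternalMessageId would not,
    # because it differs from server to server.
    # -ResultSize Unlimited lifts the default cap of 1000 results.
    $events = $servers |
        Get-MessageTrackingLog -MessageId $MessageId -Start $Start -End $End -ResultSize Unlimited |
        Sort-Object Timestamp

    # One row per tracking event, oldest first. Recipients and RecipientStatus
    # are multi-valued, so flatten them for display and export.
    $events | Select-Object Timestamp, ClientHostname, ServerHostname, Source, EventId,
        @{ Name = 'Recipients';      Expression = { $_.Recipients -join ';' } },
        @{ Name = 'RecipientStatus'; Expression = { $_.RecipientStatus -join ';' } }
}

# Constructed placeholders: replace with the Message-ID header value and the
# window you are investigating. Building the DateTime with Get-Date avoids
# passing a date string that has to be parsed.
$start    = Get-Date -Year 2008 -Month 9 -Day 30 -Hour 0 -Minute 0 -Second 0
$timeline = Trace-Message -MessageId '<constructed-id@mail.example.com>' -Start $start -End $start.AddDays(1)

# Full path of the message through the organization.
$timeline | Format-Table -AutoSize

# Which mailboxes it was delivered to.
$timeline | Where-Object { $_.EventId -eq 'DELIVER' } | Select-Object Timestamp, Recipients

# Which recipients failed, with the SMTP response from RecipientStatus.
$timeline | Where-Object { $_.EventId -eq 'FAIL' } | Select-Object Timestamp, Recipients, RecipientStatus
```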

{ 8 comments… read them below or add one }

Anonymous January 27, 2010 at 10:34 am

hello,

How can I track all emails sent from my domain to a specific domain, not to a specific recipient?

Thanks


janis October 15, 2010 at 8:57 am

How do I track messages with parameters from the subject field or body part?


Jamie Chapman March 7, 2011 at 2:35 pm

How do I create a report that shows me how many external emails have been sent in and sent out per day and monthly?

Also, how can I do that for internal?


Jamie Chapman March 7, 2011 at 2:37 pm

What's the best way to deal with iPhones and iPads on Exchange 2007?


Woter October 23, 2012 at 1:04 am

FYI (on my UK server) I have to put the date in US format mm/dd/yyyy, not the correct dd/mm/yyyy. For Example 23rd October 2012 entered as 22/10/2012 results in:

Cannot process argument transformation on parameter ‘Start’. Cannot convert value “22/10/2012 9:00AM” to type “System.D
ateTime”. Error: “String was not recognized as a valid DateTime.”
+ CategoryInfo : InvalidData: (:) [Get-MessageTrackingLog], ParameterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MessageTrackingLog

as there are only 12 months in the year, not 22!!!

It might be something that we missed and there is actually a setting so the date can be entered correctly.


denialparl September 1, 2014 at 3:53 am

Great info shared!
By the way, due to not much technical expertise, I use Lepide exchange reporter (http://www.lepide.com/exchange-reporter/) that works fantastic in my environment. It tracks all sent/received emails by users and provides the reports at granular level in real time.


Amit Nigam July 20, 2016 at 6:10 am

Hello,

I need some help from your end. Can you please let me know if email sent from system application to google group email address, all email received by user but only one of user not received.

We have checked the email records
exchange message tracking event id deliver source STOREDRIVER

I do not understand what it means.

Please help me out.


Bharat Suneja July 22, 2016 at 12:54 pm

Not sure how Google groups work.
