Exchange 2007 Message Tracking
There are a number of logs available, from the content agent logs for antispam to Protocol logs and Send/Receive logs, but this article will focus on one of my favorites: Message Tracking.
When working in a mixed Exchange 2003 and Exchange 2007 environment, you have to manage each version's logs separately, as the tools provided will not allow us to parse logs from different versions of the product.
Another item I found out in early beta was that the GUI provided in Exchange 2007 only searches the logs on the server we are running the query from; we must use EMS to query all our servers.
You can see that message tracking is ENABLED by default.
The only 2 options we have from the EMC are:
1. Enable message tracking
2. Specify the log path
If we look at the properties of the mailbox server we cannot manipulate any of the settings from

EMS
We can use the Get-TransportServer and Get-MailboxServer cmdlets to show message tracking information.
get-mailboxserver

get-transportserver

We can see from the output of our cmdlets that we have much more information in EMS than in EMC.
This is a default configuration:
MessageTrackingLogSubjectLoggingEnabled : True
MessageTrackingLogEnabled : True
MessageTrackingLogMaxAge : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 250MB
MessageTrackingLogMaxFileSize : 10MB
MessageTrackingLogPath : C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking
I cannot provide an answer as to what the settings above should be, as how long the logs must be retained should be part of your company policy.
At a minimum I recommend the log path be moved from the OS partition; however, if you have a limited number of drives and your OS is on a RAID 1 mirror, the logs can perform fine on the OS disk.
We can manipulate our settings with the Set-TransportServer and Set-MailboxServer cmdlets.
I am going to use the Get-TransportServer cmdlet and pipe it to the Set-TransportServer cmdlet to set the log path, max age and directory size.
Get-TransportServer | Set-TransportServer -MessageTrackingLogMaxAge 60 -MessageTrackingLogMaxDirectorySize 500mb -MessageTrackingLogPath d:\MessageTrackingLogs

We can use the Get-TransportServer cmdlet to view our changes.

Let's take a look at our log; we can see the location has been moved to our specified location.

Let's look at the log in its native format.

Permissions:
For Exchange 2007 RTM, the account you use must be delegated the following:
- Exchange Server Administrator role and local Administrators group for the target server
For Exchange 2007 SP1, the account you use must be delegated the following:
- Exchange View-Only Administrator role
On the Edge Transport server role, you must log on by using an account that is a member of the local Administrators group on that computer.
EMC
Click “Toolbox” -> under Mail flow tools -> select Message Tracking.
When this is first selected, the tool will connect to Microsoft and see if there are any new updates.

Next we are presented with the welcome screen.

On the Message Tracking Parameters page we have the ability to select from the following filters:
Recipients, Sender, Server, Event ID (Receive, Send, Fail, DSN, Deliver, BadMail, Resolve, Expand), Message ID, Internal Message ID, Subject, Reference, Start, and End
Once we have made our selections, the window at the bottom shows us the EMS commands that will be run to retrieve the logs.

I sent a message from brian.tirch@vm.local to generate some log data; for my filters I selected Sender, Start, and End.

We can see that 2 entries are returned: 1 for Receive and 1 for Deliver.

We can see in the data returned that there are a number of fields listed that are not searchable from EMC, like client IP and server IP.
From this log we can see that the message was received from vmmbx1 by vmcashub and then delivered from vmcashub to vmmbx1.

**Notice that the only logs we have data from are those on the server from which we ran the message tracking tool**
http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx
| Event name | Description |
|---|---|
| BADMAIL | A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned. |
| DELIVER | A message was delivered to a mailbox. |
| DEFER | Message delivery was delayed. |
| DSN | A delivery status notification (DSN) was generated. |
| EXPAND | A distribution group was expanded. |
| FAIL | Message delivery failed. |
| POISONMESSAGE | A message is put in the poison message queue or removed from the poison message queue. |
| RECEIVE | A message was received and committed to the database. |
| REDIRECT | A message was redirected to an alternative recipient after an Active Directory directory service lookup. |
| RESOLVE | A message’s recipients were resolved to a different e-mail address after an Active Directory lookup. |
| SEND | A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server. |
| SUBMIT | A message was submitted by an Exchange 2007 computer that has the Mailbox server role installed to an Exchange 2007 computer that has the Hub Transport server role or Edge Transport server role installed. The message tracking logs that are generated by the Mailbox server role contain only SUBMIT events. |
| TRANSFER | Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. |
EMS:
Let's use EMS to search the message tracking logs; please reference the “How to Search Message Tracking Logs” article below to see the differences between the available fields.
If we run the Get-Help command we can see the available switches.
C:\>get-help Get-MessageTrackingLog
Name
Get-MessageTrackingLog
SYNOPSIS
Use the Get-MessageTrackingLog cmdlet to search message information that is stored in the message tracking log.
SYNTAX
Get-MessageTrackingLog [-DomainController ] [-End ] [-EventId ] [-InternalMessageId ] [-MessageId ] [-MessageSubject ] [-Recipients ] [-Reference ] [-ResultSize ] [-Sender ] [-Server ] [-Start ] []
Let's perform the same search as above and see if we get any different data:
Get-MessageTrackingLog -Sender "brian.tirch@vm.local" -Start "5/10/2008 7:42:00 PM" -End "5/12/2008 7:52:00 PM"
You can see the first return is truncated.

So we can pipe to the FL command to get more details.

After viewing the data, both results are the same.
Now we can add some parameters to our command so that we can pull logs from all servers.
Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog
By piping the Get-ExchangeServer cmdlet to the Where command we limit our filter to selected servers, so we pull logs from all hub servers and mailbox servers.
Let's run the same Get-MessageTrackingLog command but add the leading Where statement.
We can see now that we have an additional entry for Submit

The Submit entry shows the log from our mailbox server submitting a message to a hub server for delivery.
We can see that the message tracking logs can be very useful in determining any issues or validating message delivery.
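The script below is an added example, not part of the original post: it runs the sender search from above against every Hub Transport and Mailbox server, prints one timeline per Message ID, and warns about messages that logged FAIL or never logged DELIVER or SEND. The sender and dates reuse the values above; the warning rule is an assumed heuristic built from the event table, and the variable names are illustrative.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Sender and time window reuse the values from the search shown earlier.
$sender = "brian.tirch@vm.local"
$start  = "5/10/2008 7:42:00 PM"
$end    = "5/12/2008 7:52:00 PM"

# Servers that write message tracking logs: Hub Transport and Mailbox roles.
$servers = @(Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true })

# Query each server by name so an unreachable server is reported instead of
# silently leaving a hole in the timeline.
$events = @()
foreach ($server in $servers) {
    $found = Get-MessageTrackingLog -Server $server.Name -Sender $sender `
        -Start $start -End $end -ResultSize Unlimited `
        -ErrorAction SilentlyContinue -ErrorVariable trackErr
    if ($trackErr) { Write-Warning "Could not read tracking logs on $($server.Name)" }
    if ($found)    { $events += $found }
}

# One timeline per message: hops ordered by time, with the client/server
# addresses that the EMC tool displays but cannot filter on.
$events | Sort-Object MessageId, Timestamp |
    Format-Table Timestamp, EventId, Source, ClientHostname, ClientIp,
        ServerHostname, ServerIp -GroupBy MessageId -AutoSize

# Assumed heuristic: a message needs attention if it logged FAIL, or never
# logged DELIVER (to a mailbox) or SEND (by SMTP to another server).
$events | Group-Object MessageId | ForEach-Object {
    $msg  = $_
    $ids  = @($msg.Group | ForEach-Object { "$($_.EventId)" } | Sort-Object -Unique)
    $done = ($ids -contains "DELIVER") -or ($ids -contains "SEND")
    if (($ids -contains "FAIL") -or (-not $done)) {
        Write-Warning ("{0}: {1}" -f $msg.Name, [string]::Join(", ", $ids))
    }
}
```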
How to Search Message Tracking Logs
http://technet.microsoft.com/en-us/library/bb124926.aspx
http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/aa997984(EXCHG.80).aspx




May 14th, 2008 at 11:56 am
I’m not sure what it is about your blog, but every entry is timely and applicable to our EX07 needs. Nicely done, once again!
May 14th, 2008 at 4:05 pm
Thank you, I try to add real-world scenarios that I have come across or questions that have been asked on forums.
May 22nd, 2008 at 10:59 am
To the owner of this blog, how far you've come?
September 4th, 2009 at 12:32 pm
Wow! Thank you! I always wanted to write in my site something like that. Can I take part of your post to my blog?