Introduction to Exchange Server 2010 Message Tracking

Message tracking is an Exchange Server 2010 feature that records log files of email traffic as messages travel between mailboxes and servers within the organization.

Message tracking is a feature of Hub Transport, Edge Transport, and Mailbox servers as these are the Exchange 2010 server roles that are involved in transmitting email messages around the network.

I spend hours each week searching message logs for all kinds of interesting information. This may be situations such as tracking the routing or delivery of a single email message, troubleshooting a server load issue, or analysing overall email traffic patterns.

Enabling or Disabling Message Tracking for Exchange Server 2010

Message tracking is an optional setting that is enabled by default. You can see the current status of message tracking on a server by opening the Properties of that server in the Exchange Management Console and looking at the Log Settings tab.

Enabling/disabling message tracking logs

You can also query this setting with the Exchange Management Shell. One of the advantages of the shell is you can check all your servers at once.

For example, to check the message tracking log setting for all Edge and Hub Transport servers use Get-TransportServer:

[PS] C:\>Get-TransportServer | Select Name,MessageTrackingLogEnabled | ft -auto

Name           MessageTrackingLogEnabled
----           -------------------------
BR-EX2010-MB                        True
HO-EX2010-MB1                       True
HO-EX2010-MB2                       True
HO-EX2010-EDGE                      True
HO-EX2007-MB1                       True

To check the same setting on Mailbox servers, use Get-MailboxServer instead:

[PS] C:\>Get-MailboxServer | Select Name,MessageTrackingLogEnabled | ft -auto

Name          MessageTrackingLogEnabled
----          -------------------------
BR-EX2010-MB                       True
HO-EX2010-MB1                      True
HO-EX2010-MB2                      True
HO-EX2007-MB1                      True

You’ll notice the same servers have appeared in the above output twice. Those are multi-role servers, with both the Hub Transport and Mailbox server roles installed. In those cases you can use either Get-TransportServer or Get-MailboxServer to query the same setting (it is one setting that can be queried with two cmdlets, not two separate settings).

If you find any servers with message tracking logs disabled you can enable it with Set-TransportServer or Set-MailboxServer.

[PS] C:\>Set-TransportServer BR-EX2010-MB -MessageTrackingLogEnabled $true

Configuring Message Tracking for Exchange Server 2010

In addition to enabling/disabling message tracking logs you can also configure some other settings as appropriate for your environment. These can be seen in the output below:

[PS] C:\>Get-MailboxServer ho-ex2010-mb1 | fl messagetracking*

MessageTrackingLogEnabled               : True
MessageTrackingLogMaxAge                : 30.00:00:00
MessageTrackingLogMaxDirectorySize      : 1000 MB (1,048,576,000 bytes)
MessageTrackingLogMaxFileSize           : 10 MB (10,485,760 bytes)
MessageTrackingLogPath                  : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTra
                                          cking
MessageTrackingLogSubjectLoggingEnabled : True

The default settings are:

Max Age – 30 days. You can turn this up or down as required. I find sometimes by the time an issue is reported or found that 30 days is not quite enough to be able to search back in time. However this is entirely up to you, and if your logs are being backed up you can always consider restoring older logs from backup if required.

Max Directory Size – this is an additional setting for limiting the total size of message tracking logs on your server. The default limit is 1 GB but in high volume environments you may find that this limit means logs are purged before they reach the full 30 day max age, because the max directory size overrides the max age setting. On most of my servers I’ve increased this to 4 GB and in some cases as much as 10 GB. Consider your server’s disk capacity as well as the impact that more log files have on the amount of time some tracking log searches will take.

Max File Size – the default is 10 MB and I’ve never seen a need to change this.

Log Path – the default is the same drive as the Exchange 2010 install directory, but you can move this to any path you wish. On some of our highest volume servers (eg messaging hub sites, and Edge Transport servers) this path has been changed to a non-OS drive with a lot more free disk space.

Subject Logging – this is enabled by default and the only reason I’ve ever needed to disable it was when there were some privacy/security concerns for that particular environment.

You can change any of these settings with Set-TransportServer or Set-MailboxServer. For example to increase the max directory size for all of the servers:

[PS] C:\>Get-TransportServer | Set-TransportServer -MessageTrackingLogMaxDirectorySize 2GB
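
Whether the max directory size is purging logs ahead of the max age, as described above, can be checked from the shell. The following is an added example, not code from the original article; it assumes each server's administrative share (\\server\C$) is readable from where you run it, and it covers only the Hub and Edge Transport servers that Get-TransportServer returns.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Assumption: each server's administrative share (\\server\C$) is readable by your account.
$nearFull = 0.9   # directory counts as "at its cap" above 90% of the configured limit

$report = foreach ($server in Get-TransportServer) {
    $maxAge   = [TimeSpan]::Parse([string]$server.MessageTrackingLogMaxAge)
    $maxBytes = $null   # stays $null when no byte count can be read (e.g. unlimited)
    # The size renders as "1000 MB (1,048,576,000 bytes)"; take the exact byte count.
    if ([string]$server.MessageTrackingLogMaxDirectorySize -match '\(([\d,]+) bytes\)') {
        $maxBytes = [int64]($Matches[1] -replace ',', '')
    }
    # C:\Program Files\... becomes \\SERVER\C$\Program Files\...
    $unc = '\\{0}\{1}' -f $server.Name,
        ([string]$server.MessageTrackingLogPath -replace '^([A-Za-z]):', '$1$$')

    $usedBytes = $null; $oldestDays = $null
    if (-not $server.MessageTrackingLogEnabled) {
        $status = 'Disabled'
    } elseif (-not (Test-Path -Path $unc)) {
        $status = 'PathUnreachable'
    } else {
        $logs      = @(Get-ChildItem -Path $unc -Filter 'MSGTRK*.LOG')
        $usedBytes = ($logs | Measure-Object -Property Length -Sum).Sum
        $oldest    = $logs | Sort-Object LastWriteTime | Select-Object -First 1
        if ($oldest) {
            $oldestDays = [math]::Round(((Get-Date) - $oldest.LastWriteTime).TotalDays, 1)
        }
        # Near the size cap while the oldest log is well short of MaxAge:
        # the directory limit, not the age limit, is what is purging logs.
        if ($maxBytes -and $usedBytes -ge ($nearFull * $maxBytes) -and
            $oldestDays -lt ($maxAge.TotalDays - 1)) {
            $status = 'SizeCapPurging'
        } else {
            $status = 'OK'
        }
    }
    New-Object PSObject -Property @{
        Server     = $server.Name
        Status     = $status
        MaxAgeDays = $maxAge.TotalDays
        OldestDays = $oldestDays
        MaxMB      = $(if ($maxBytes)  { [math]::Round($maxBytes / 1MB) })
        UsedMB     = $(if ($usedBytes) { [math]::Round($usedBytes / 1MB) })
    }
}
$report | Select-Object Server, Status, MaxAgeDays, OldestDays, MaxMB, UsedMB |
    Format-Table -AutoSize
```

A server reported as SizeCapPurging keeps less history than its MaxAge suggests, which matters when an issue is only reported weeks after the messages were sent.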

Searching Message Tracking Logs in Exchange Server 2010

Exchange 2010 provides multiple tools for searching message tracking logs. The first two are available in the Toolbox section of the Exchange Management Console.

Exchange Management Console Toolbox message tracking tools

Message Tracking Web Interface

The web interface for message tracking is part of the Exchange Control Panel and provides very basic search functionality to search for messages either sent by or received by a mailbox, based on the sender, recipients, and subject line.

Searching for delivery reports in Exchange Control Panel

One of the advantages of this web interface is that it is available for regular users to perform delivery report searches for their own emails, or delegate the task to power users or auditors, without needing to install the Exchange 2010 management tools on their workstation.

Delivery report search results for regular mailbox users

Message Tracking Log Explorer

Message tracking log searches can also be performed in the Tracking Log Explorer, a GUI search tool that is part of the Exchange Management Console. This tool gives administrators some more control over the searches they perform such as searching for specific events (eg FAIL events), searching for a particular message ID, and controlling the date ranges for search results.

Message Tracking Log Explorer

The Message Tracking Log Explorer provides a fairly user-friendly interface for administrators to perform searches, but has a few limitations as well. Wildcard searches are not possible, nor are searches across multiple servers simultaneously. And although report files are automatically saved by the tool, they can only be exported in XML format, which is not as user-friendly as CSV would be.

So while the Tracking Log Explorer is a decent tool for single server environments, in any larger environment you will find PowerShell a much better way to perform message tracking log searches.

PowerShell

The Exchange Management Shell includes the Get-MessageTrackingLog cmdlet that can be used for message tracking log searches. This is one of the most useful and powerful ways to search your tracking logs, but it may appear to be a steep learning curve for some administrators.

If you take a look at the Tracking Log Explorer mentioned above you’ll notice that as you construct a query it generates the equivalent PowerShell command below that, which means the Tracking Log Explorer is a good way to get started with the PowerShell syntax for Get-MessageTrackingLog.

Using PowerShell to search message tracking logs is a big topic so I’ve written a separate article about it including many sample queries that you can build off to suit your own situations.
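
As an illustration of the two things the Tracking Log Explorer cannot do (search several servers at once and export to CSV), here is an added example that is not from the original article or its companion article. It collects FAIL events from every transport server for the last 24 hours; the output path is a hypothetical placeholder, and servers whose log search service cannot be reached are skipped with a warning.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
$start   = (Get-Date).AddDays(-1)
$end     = Get-Date
$csvPath = 'C:\Temp\tracking-fail-events.csv'   # hypothetical output path

$events = foreach ($server in Get-TransportServer) {
    try {
        # -ErrorAction Stop turns a connection failure into a catchable error,
        # so one unreachable server does not abort the whole search.
        Get-MessageTrackingLog -Server $server.Name -EventId FAIL `
            -Start $start -End $end -ResultSize Unlimited -ErrorAction Stop
    } catch {
        Write-Warning ('Skipped {0}: {1}' -f $server.Name, $_.Exception.Message)
    }
}

# Senders with the most failed messages in the window.
$events | Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Flatten multi-valued fields and write one row per event.
$events | Sort-Object Timestamp |
    Select-Object Timestamp, ServerHostname, EventId, Source, Sender,
        @{ Name = 'Recipients';      Expression = { $_.Recipients -join ';' } },
        @{ Name = 'RecipientStatus'; Expression = { $_.RecipientStatus -join ';' } },
        @{ Name = 'MessageSubject';  Expression = {
            # Subjects are sender-controlled: neutralise values a spreadsheet
            # would otherwise evaluate as a formula when the CSV is opened.
            if ($_.MessageSubject -match '^[=+\-@]') { "'" + $_.MessageSubject }
            else { $_.MessageSubject }
        } },
        MessageId, ClientIp |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
```

Change -EventId, or add -Sender, -Recipients or -MessageId, to narrow the search to a single message or mailbox.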

Summary

Message tracking is a feature of Exchange Server 2010 that is enabled by default, and can be configured in many ways to suit your environment. It is useful for troubleshooting and reporting tasks, and Exchange 2010 comes with several tools to make tracking log searches possible.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Rosario says:

    Could you please tell whether configuring/enabling message tracking on the Hub&Access Servers is enough or whether it would be better to enable it also on the Mailbox Servers?

    Thanks a lot, Rosario

  2. Mike Wood says:

    Hello,
    I would like to be able to run the Powershell command:

    Get-TransportServer | get-messageTrackingLog -Start "01/01/2014 00:00:00" -End "01/01/2014 23:59:59"

    against all of my Hub and Edge Transport servers. It works fine for the hub servers but all the edge servers get this error:
    Failed to connect to the Microsoft Exchange Transport Log Search service on computer “serverX.example.com”. Verify that the Microsoft Exchange Transport Log Search service is started on
    the target computer.
    + CategoryInfo : ResourceUnavailable: (:) [Get-MessageTrackingLog], LocalizedException
    + FullyQualifiedErrorId : 197D7D84,Microsoft.Exchange.Management.TransportLogSearchTasks.GetMessageTrackingLog

    I can successfully get the logs locally from the edge transports, I just cannot retrieve them remotely. This is not a firewall problem as I’ve temporarily stopped the Windows firewall and completely opened the Cisco ASA ACLs during testing. Is there a special RBAC or Powershell execution policy needed to access edge transport server logs remotely? I’ve been able to remotely access the edge servers with standard Powershell commands like “Get-Service -ComputerName edgeX” but the Exchange Transport logs just don’t work for me.

    Any help or thoughts would be appreciated.

  3. Hi Paul,

    One of the generic a/c users has sent a mail to one of our internal users. Now the user wants to know who sent the mail from the generic a/c. As so many people have access to the generic a/c, can we track the IP address of the machine that sent the mail from the generic a/c to the user in the Exchange console?

    Thanks in advance.

  4. Lance Hill says:

    Hi Paul,
    I am trying to track an email from a mailbox in our single server environment, Exchange 2010, and the email was never received, but emails are being received from other domains to this same recipient. I’m trying to get the status if the message was delivered successfully or not of course from our end. My issue is when I go to the “Message Tracking” from the Toolbox in EMC, that takes me to a web interface login. I login with the mailbox user credentials that is having the email issue, but get a “Sorry! Access denied” error message. So, I can’t access the report that way. Any suggestions?
    Also, I used “Tracking Log Explorer” and it ran just fine & gave me a report, but I’m not sure how to read it exactly or what I am looking for if the message being sent is failing on my end. Can you help a brother out? Thank you for any suggestions or help.

    • As an administrator you can login to the Exchange Control Panel and run delivery reports for other users.

      Or, the user themselves can login to the ECP and run their own delivery reports.

      Or, as an administrator, you can use PowerShell to run message tracking log searches.

      The third option is the best one in my opinion, and well worth learning as it is one of the most powerful and effective email delivery troubleshooting techniques an Exchange admin can have.

      I should of course mention that my ebook “Mastering Message Tracking” teaches you how to do all of this.

      http://exchangeserverpro.com/ebooks/mastering-message-tracking/

  5. Andrew Francis says:

    Hi Paul,

    Thanks for all your help over the years.

    Tracking email passed through distribution groups from SMTP contacts. Can we do it using native tools in EMC or pwshell? Message tracking does not allow as the mailbox, ‘sent to’ or ‘sent from’ have to be users, not contacts. If the tool worked (“Select a user” freezes on me and doesn’t allow me to ever select a user), I’d not be able to choose an outside recipient or sender to search for messages from. This is useless except to tell me if our users received the mail, not whether it was ever relayed or whether we received ndr’s from their servers or not. I’ve searched a while for answers to this, but have seen a lot of unrelated material.

    Thanks again!

  6. Andrew Francis says:

    Scratch that last comment… Tracking log explorer is what I’ve been looking for. As another person said, why rename it!? Thanks again for your years of help.

  7. Rosario says:

    Dear all,

    I have a big problem with users doing delivery report in owa and the same if I do it out of the EMC as Exchange Admin. I get always the error: Couldn’t retrieve all results. This may be because the server is too busy. Please try again later.

    So no user is actually able to view/search the own delivery reports.

    But Message-Tracking works fine in powershell as explained in this article and it works also if instead of Message Tracking in the web-gui I choose the traditional Message-Tracking-Log-Explorer.

    I wonder if this is because I set MessageTrackingLogMaxAge to 360 days. Could it be this generates too much data, causing a timeout to produce the mentioned error?

    I have been searching the internet without finding any hints. One of them, though, states to delete the contents of the CatalogData of every DB and then rebuild the indexes using the \v14\scripts\ResetSearchIndex.ps1 -force -all

    Before doing so on all of our 24 DBs I wanted to ask some advice here.

    Thanks a lot, Rosario
