Message tracking is an Exchange Server 2010 feature that records log files of email traffic as messages travel between mailboxes and servers within the organization.
Message tracking is a feature of Hub Transport, Edge Transport, and Mailbox servers as these are the Exchange 2010 server roles that are involved in transmitting email messages around the network.
I spend hours each week searching message logs for all kinds of interesting information. This includes tasks such as tracking the routing or delivery of a single email message, troubleshooting a server load issue, or analysing overall email traffic patterns.
Enabling or Disabling Message Tracking for Exchange Server 2010
Message tracking is an optional setting that is enabled by default. You can see the current status of message tracking on a server by opening the Properties of that server in the Exchange Management Console and looking at the Log Settings tab.
You can also query this setting with the Exchange Management Shell. One of the advantages of the shell is you can check all your servers at once.
For example, to check the message tracking log setting for all Edge and Hub Transport servers use Get-TransportServer:
[PS] C:\>Get-TransportServer | Select Name,MessageTrackingLogEnabled | ft -auto

Name           MessageTrackingLogEnabled
----           -------------------------
BR-EX2010-MB                        True
HO-EX2010-MB1                       True
HO-EX2010-MB2                       True
HO-EX2010-EDGE                      True
HO-EX2007-MB1                       True
To check the same setting on Mailbox servers, use Get-MailboxServer instead:
[PS] C:\>Get-MailboxServer | Select Name,MessageTrackingLogEnabled | ft -auto

Name          MessageTrackingLogEnabled
----          -------------------------
BR-EX2010-MB                       True
HO-EX2010-MB1                      True
HO-EX2010-MB2                      True
HO-EX2007-MB1                      True
You’ll notice the same servers have appeared in the above output twice. Those are multi-role servers, with both the Hub Transport and Mailbox server roles installed. In those cases you can use either Get-TransportServer or Get-MailboxServer to query the same setting (it is one setting that can be queried with two cmdlets, not two separate settings).
If you find any servers with message tracking logs disabled you can enable it with Set-TransportServer or Set-MailboxServer.
[PS] C:\>Set-TransportServer BR-EX2010-MB -MessageTrackingLogEnabled $true
Configuring Message Tracking for Exchange Server 2010
In addition to enabling/disabling message tracking logs you can also configure some other settings as appropriate for your environment. These can be seen in the output below:
[PS] C:\>Get-MailboxServer ho-ex2010-mb1 | fl messagetracking*

MessageTrackingLogEnabled               : True
MessageTrackingLogMaxAge                : 30.00:00:00
MessageTrackingLogMaxDirectorySize      : 1000 MB (1,048,576,000 bytes)
MessageTrackingLogMaxFileSize           : 10 MB (10,485,760 bytes)
MessageTrackingLogPath                  : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True
The default settings are:
Max Age – 30 days. You can turn this up or down as required. I find sometimes by the time an issue is reported or found that 30 days is not quite enough to be able to search back in time. However this is entirely up to you, and if your logs are being backed up you can always consider restoring older logs from backup if required.
Max Directory Size – this is an additional setting for limiting the total size of message tracking logs on your server. The default limit is 1 GB, but in high volume environments you may find that this limit means logs are purged before they reach the full 30 day max age, because the max directory size overrides the max age setting. On most of my servers I’ve increased this to 4 GB and in some cases as much as 10 GB. Consider your server’s disk capacity as well as the impact that more log files have on the amount of time some tracking log searches will take.
Max File Size – the default is 10 MB and I’ve never seen a need to change this.
Log Path – the default is the same drive as the Exchange 2010 install directory, but you can move this to any path you wish. On some of our highest volume servers (eg messaging hub sites, and Edge Transport servers) this path has been changed to a non-OS drive with a lot more free disk space.
Subject Logging – this is enabled by default and the only reason I’ve ever needed to disable it was when there were some privacy/security concerns for that particular environment.
You can change any of these settings with Set-TransportServer or Set-MailboxServer. For example to increase the max directory size for all of the servers:
[PS] C:\>Get-TransportServer | Set-TransportServer -MessageTrackingLogMaxDirectorySize 2GB
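The following is an added example, not code from the original article: a small audit that flags servers whose tracking logs are disabled or whose max age or directory cap falls below a baseline. The baseline values, the function names and the sample server objects are assumptions made for illustration.

```powershell
# Added example. Baseline values are assumptions; set them to your own policy.
$MinAgeDays  = 30        # flag servers that keep fewer days than this
$MinDirBytes = 1000MB    # 1,048,576,000 bytes, the default cap shown above

function Convert-SizeToBytes {
    param([string]$Size)
    # Exchange prints sizes as "1000 MB (1,048,576,000 bytes)"; take the byte count.
    if ($Size -match '\(([\d.,\s]+) bytes\)') {
        return [int64]($Matches[1] -replace '\D', '')
    }
    return $null   # "unlimited" or unrecognised text: no cap to evaluate
}

function Test-TrackingLogConfig {
    param([Parameter(ValueFromPipeline = $true)] $Server)
    process {
        $issues = @()
        if (-not $Server.MessageTrackingLogEnabled) { $issues += 'tracking disabled' }

        # Max age prints as d.hh:mm:ss, for example 30.00:00:00
        $age = [TimeSpan]::Parse([string]$Server.MessageTrackingLogMaxAge)
        if ($age.TotalDays -lt $MinAgeDays) { $issues += "max age $($age.TotalDays) days" }

        # The directory cap overrides max age, so a small cap shortens retention.
        $cap = Convert-SizeToBytes ([string]$Server.MessageTrackingLogMaxDirectorySize)
        if ($cap -ne $null -and $cap -lt $MinDirBytes) { $issues += "directory cap $cap bytes" }

        New-Object PSObject -Property @{
            Name           = $Server.Name
            LogPath        = [string]$Server.MessageTrackingLogPath
            SubjectLogging = $Server.MessageTrackingLogSubjectLoggingEnabled
            Issues         = $issues -join '; '
        } | Select-Object Name, LogPath, SubjectLogging, Issues
    }
}

# Constructed sample objects (not real servers) so the function can be tried offline.
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'EX-SAMPLE-1'; MessageTrackingLogEnabled = $true
        MessageTrackingLogMaxAge = '30.00:00:00'
        MessageTrackingLogMaxDirectorySize = '1000 MB (1,048,576,000 bytes)'
        MessageTrackingLogPath = 'D:\Logs\MessageTracking'
        MessageTrackingLogSubjectLoggingEnabled = $true }),
    (New-Object PSObject -Property @{
        Name = 'EX-SAMPLE-2'; MessageTrackingLogEnabled = $false
        MessageTrackingLogMaxAge = '7.00:00:00'
        MessageTrackingLogMaxDirectorySize = '250 MB (262,144,000 bytes)'
        MessageTrackingLogPath = 'C:\Logs\MessageTracking'
        MessageTrackingLogSubjectLoggingEnabled = $false })
)
$sample | Test-TrackingLogConfig | Format-Table -AutoSize

# In the Exchange Management Shell, feed it real servers instead. Multi-role
# servers are returned by both cmdlets, so de-duplicate by name first:
# @(Get-TransportServer) + @(Get-MailboxServer) | Sort-Object Name -Unique | Test-TrackingLogConfig
```

EX-SAMPLE-1 comes back with an empty Issues column; EX-SAMPLE-2 is flagged for disabled tracking, a 7 day max age and a directory cap below the baseline.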
Searching Message Tracking Logs in Exchange Server 2010
Exchange 2010 provides multiple tools for searching message tracking logs. The first two are available in the Toolbox section of the Exchange Management Console.
Message Tracking Web Interface
The web interface for message tracking is part of the Exchange Control Panel and provides very basic search functionality to search for messages either sent by or received by a mailbox, based on the sender, recipients, and subject line.
One of the advantages of this web interface is that it is available for regular users to perform delivery report searches for their own emails, or delegate the task to power users or auditors, without needing to install the Exchange 2010 management tools on their workstation.
Message Tracking Log Explorer
Message tracking log searches can also be performed in the Tracking Log Explorer, a GUI search tool that is part of the Exchange Management Console. This tool gives administrators some more control over the searches they perform such as searching for specific events (eg FAIL events), searching for a particular message ID, and controlling the date ranges for search results.
The Message Tracking Log Explorer provides a fairly user-friendly interface for administrators to perform searches, but has a few limitations as well. Wildcard searches are not possible, nor are searches across multiple servers simultaneously. And although report files are automatically saved by the tool, they can only be exported in XML format, which is not as user-friendly as CSV would be.
So while the Tracking Log Explorer is a decent tool for single server environments, in any larger environment you will find PowerShell a much better way to perform message tracking log searches.
The Exchange Management Shell includes the Get-MessageTrackingLog cmdlet that can be used for message tracking log searches. This is one of the most useful and powerful ways to search your tracking logs, but it may appear to be a steep learning curve for some administrators.
If you take a look at the Tracking Log Explorer mentioned above you’ll notice that as you construct a query it generates the equivalent PowerShell command beneath it, which means the Tracking Log Explorer is a good way to get started with the PowerShell syntax for Get-MessageTrackingLog.
Using PowerShell to search message tracking logs is a big topic so I’ve written a separate article about it including many sample queries that you can build off to suit your own situations.
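As an added example (not taken from the original article or the linked one), the search below covers the two limitations of the Tracking Log Explorer noted above: it queries every transport server in one pass and writes the results as CSV. The 24 hour window, the FAIL filter and the output file name are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example. The time window, event filter and file name are assumptions.
$start = (Get-Date).AddDays(-1)
$end   = Get-Date

# Query all Hub and Edge Transport servers at once. The default result limit
# is 1000 entries per search, so lift it to avoid silently truncated results.
$fails = @(Get-TransportServer |
    Get-MessageTrackingLog -Start $start -End $end -EventId FAIL -ResultSize Unlimited)

# Recipients and RecipientStatus are multi-valued; join them so each log entry
# becomes one readable CSV row instead of a type name.
$fails |
    Select-Object Timestamp, ServerHostname, Source, EventId, Sender,
        @{ Name = 'Recipients';      Expression = { $_.Recipients -join ';' } },
        @{ Name = 'RecipientStatus'; Expression = { $_.RecipientStatus -join ';' } },
        MessageSubject, MessageId |
    Export-Csv -Path .\fail-events.csv -NoTypeInformation

# Which senders account for most of the failures?
$fails | Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Follow one failed message across every server it touched, in time order.
# The message ID is the same on each hop, so it ties the entries together.
if ($fails.Count -gt 0) {
    $id = $fails[0].MessageId
    Get-TransportServer |
        Get-MessageTrackingLog -MessageId $id -Start $start -End $end |
        Sort-Object Timestamp |
        Format-Table Timestamp, ServerHostname, EventId, Source -AutoSize
}
```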
Message tracking is a feature of Exchange Server 2010 that is enabled by default, and can be configured in many ways to suit your environment. It is useful for troubleshooting and reporting tasks, and Exchange 2010 comes with several tools to make tracking log searches possible.
Thanks Paul Cunningham! You save my day
I am trying to track an email that was sent to an external email which was received by them but claimed to have received much later than we are showing on our Exchange 2010.
Can you help us figure out what has happened and how we can prove when they received our emails? We will gladly pay you for your services.
Please let me know ASAP. It’s very important. You can contact me by phone or email. We are in Washington, DC area.
I have the same issue with my client. It is showing sent on Exchange Server but the Office 365 message trace does not show any result that the message sent from the server has reached the Office 365 server. Is this a known issue on message Trace for Exchange Server 10?
I’m getting this error any time I am trying to search using your script: “Couldn’t retrieve all results. This may be because the server is too busy. Please try again later.”
Do you happen to know what could be causing this to happen all the time?
I know someone suggested to reset the CatalogData and rebuild the indexes but I would prefer not to have to do that across 80+ databases.
Message tracking uses its own logs, not the content indexes for databases. I’ve never seen that error, but I assume it means your server is overloaded.
Do you know of any reason why my message tracking logs only show internal messages and not external?
External messages stopped showing up at the end of December 2016; as far as I know there have been no changes made to the system. Last change to logs was 4-5 weeks prior when I moved the tracking logs to a different drive with PowerShell.
I have unsuccessfully tried everything I can think of to get them showing again but with no luck.
This is Exchange 2013.
Move them back, test again. Then you’ll know whether it was your change that broke it.
When the logs are running out of control, I always keep an eye on them, then I purge them.
The Exchange Maintenance process requires enabling “Circular Logging” and a “Dismount/Mount” of the DB. Give it a few minutes and you will gain your space back.
Organization Configuration-Inbox- Right click: Mail Database-Maintenance tab-Click “Enable Circular Logging”.
I have an Exchange server platform with 4 databases, but I have a problem with 1 database where the logs are increasing rapidly every second.
Can you help me how to do troubleshooting?
Thanks for the post. Loved it.
I have a small doubt. I have lost the .idx index files for message tracking and they are showing 0 KB.
I am unable to search logs through EMC 2010>Toolbox>Message Tracking GUI using the SENDER (FROM ADDRESS) attribute, but while using the RECIPIENT ADDRESS attribute it gives me results. Any clues?
**Note: I can very well get the details by searching message tracking logs manually from Notepad and the shell, but my requirement is to use GUI mode.
Paul, is there a way to check for messages incoming from just a specific receive connector? We have several appliance devices that can be configured to send alerts. We have receive connectors for each of them. Can I check just a single connector (by its I/P address) to see if “any” messages were received without having to specify a -Sender or -Recipient.
You can look for hits against specific connectors using protocol logging.
You can analyze those logs with Log Parser. Here’s an example for send connectors, but it should be simple enough to adjust to your receive connector scenario too.
Hello, thank you for this guide! We’ve had this enabled for years now – and I swear at one point in time it used to show me the originating client IP so that I could confirm what IP address the e-mails were grabbed from/sent from. I seem to no longer have this ability. The deepest I can get is the mailbox server that picked up the email from the outbox. I read a blurb somewhere about how MAPI connections will not produce a client IP address in the tracking logs…?
Yes, that is correct.
I’m experiencing some unexpected behavior in the Message Tracking via ECP.
I have posted this here:
Maybe you have any idea what could be messing this up.
Thank you in Advance.
When trying to Reporting, from within Message Tracking, next to Mailbox to Search, I choose Browse and get this error message: You don’t have sufficient permissions. To get permissions, contact your administrator.
Thanks for any insight.
That error seems pretty straightforward to me… you don’t have sufficient permissions.
You could try doing tracking log searches in PowerShell instead to see if it’s just an ECP bug I suppose.
I’m sorry; to be more clear: what permissions do I need to be able to track others’ messages? I am a domain admin. Thanks.
AD permissions are not the same as Exchange permissions. You can be in AD groups like Domain Admins and have no Exchange admin rights at all.
For message tracking you need to be a member of Recipient Management, Records Management, or Organization Management. Alternatively you can create a custom RBAC role that can only do message tracking.
How could I delegate non-admins to have access on message tracking?
Thanks in advance!
Good question. I had to go and check the answer in my ebook, “Mastering Message Tracking” because I could not remember off the top of my head.
The answer is, message tracking by default can be performed by members of the Organization Management, Recipient Management, and Records Management role groups.
Records Management gives them access to some other things that may not be acceptable for some orgs though, so in those cases a custom role group that just permits Message Tracking can be created.
Paul, Jeff, I never got an answer regarding my normal users not being able to show their own message-delivery-reports in OWA. I guess it has to do with permissions, as I can do it if I log in with an Exchange-Org-Admin Account.
Any Ideas? Thanks a lot, Rosario
How can I track external incoming emails to my mailbox?
With message tracking. Have you read the article above? It describes message tracking, gives examples, and links to other articles with more detailed examples as well.
I have a big problem with users doing delivery report in owa and the same if I do it out of the EMC as Exchange Admin. I get always the error: Couldn’t retrieve all results. This may be because the server is too busy. Please try again later.
So no user is actually able to view/search the own delivery reports.
But Message-Tracking works fine in powershell as explained in this article and it works also if instead of Message Tracking in the web-gui I choose the traditional Message-Tracking-Log-Explorer.
I wonder if this is because I set MessageTrackingLogMaxAge to 360 days. Could it be this generates too much data, causing a timeout to produce the mentioned error?
I have been searching the internet without finding any hints. One of them, though, states to delete the contents of the CatalogData of every DB and then rebuild the indexes using the v14\scripts\ResetSearchIndex.ps1 -force -all
Before doing so on all of our 24 DBs I wanted to ask some advice here.
Thanks a lot, Rosario
Scratch that last comment… Tracking log explorer is what I’ve been looking for. As another person said, why rename it!? Thanks again for your years of help.
Thanks for all your help over the years.
Tracking email passed through distribution groups from SMTP contacts. Can we do it using native tools in EMC or pwshell? Message tracking does not allow as the mailbox, ‘sent to’ or ‘sent from’ have to be users, not contacts. If the tool worked (“Select a user” freezes on me and doesn’t allow me to ever select a user), I’d not be able to choose an outside recipient or sender to search for messages from. This is useless except to tell me if our users received the mail, not whether it was ever relayed or whether we received ndr’s from their servers or not. I’ve searched a while for answers to this, but have seen a lot of unrelated material.
I am trying to track an email from a mailbox in our single server environment, Exchange 2010, and the email was never received, but emails are being received from other domains to this same recipient. I’m trying to get the status if the message was delivered successfully or not of course from our end. My issue is when I go to the “Message Tracking” from the Toolbox in EMC, that takes me to a web interface login. I login with the mailbox user credentials that is having the email issue, but get a “Sorry! Access denied” error message. So, I can’t access the report that way. Any suggestions?
Also, I used “Tracking Log Explorer” and it ran just fine & gave me a report, but I’m not sure how to read it exactly or what I am looking for if the message being sent is failing on my end. Can you help a brother out? Thank you for any suggestions or help.
As an administrator you can login to the Exchange Control Panel and run delivery reports for other users.
Or, the user themselves can login to the ECP and run their own delivery reports.
Or, as an administrator, you can use PowerShell to run message tracking log searches.
The third option is the best one in my opinion, and well worth learning as it is one of the most powerful and effective email delivery troubleshooting techniques an Exchange admin can have.
I should of course mention that my ebook “Mastering Message Tracking” teaches you how to do all of this.
One of the generic a/c users has sent a mail to one of our internal users. Now the user wants to know who has sent the mail from the generic a/c, as so many people have access to the generic a/c. Can we track the IP address of the machine that sent the mail from the generic a/c to the user in the Exchange console?
Thanks in advance.
Mailbox audit logging is the solution for this.
However, it needs to be turned on *before* the incident occurs.
How to get the email sent count statistics for a generic mailbox, since we cannot filter with the StoreDriver source to get an accurate report?
Message tracking logs include the message ID, so you could just count the unique message IDs.
I would like to be able to run the Powershell command:
Get-TransportServer | Get-MessageTrackingLog -Start "01/01/2014 00:00:00" -End "01/01/2014 23:59:59"
against all of my Hub and Edge Transport servers. It works fine for the hub servers but all the edge servers get this error:
Failed to connect to the Microsoft Exchange Transport Log Search service on computer “serverX.example.com”. Verify that the Microsoft Exchange Transport Log Search service is started on
the target computer.
+ CategoryInfo : ResourceUnavailable: (:) [Get-MessageTrackingLog], LocalizedException
+ FullyQualifiedErrorId : 197D7D84,Microsoft.Exchange.Management.TransportLogSearchTasks.GetMessageTrackingLog
I can successfully get the logs locally from the edge transports, I just cannot retrieve them remotely. This is not a firewall problem as I’ve temporarily stopped the Windows firewall and completely opened the Cisco ASA ACLs during testing. Is there a special RBAC or PowerShell execution policy needed to access edge transport server logs remotely? I’ve been able to remotely access the edge servers with standard PowerShell commands like “Get-Service -ComputerName edgeX” but the Exchange Transport logs just don’t work for me.
Any help or thoughts would be appreciated.
Could you please tell whether configuring/enabling message tracking on the Hub&Access Servers is enough or whether it would be better to enable it also on the Mailbox Servers?
Thanks a lot, Rosario
Enabling it on Mailbox servers is also a good idea.
OK, but it is tedious work to look on 5 CAS&HUB Servers and another 6 Mailbox Servers when you want to know whether, e.g. one of your users received mails during a given time period. Or is there a means to lead all message tracking logs to ONE Server?
Use Powershell to run the searches and you can search multiple servers with a single command.
eg Get-TransportServer | Get-messageTrackingLog
Get-ExchangeServer | get-messageTrackingLog
Other examples here:
And at the bottom of that article are links to many more articles with other examples of search criteria.