Home » Exchange Server » Introduction to Exchange Server 2010 Message Tracking

Introduction to Exchange Server 2010 Message Tracking

Message tracking is a Exchange Server 2010 feature that records log files of email traffic as messages travel between mailboxes and servers within the organization.

Message tracking is a feature of Hub Transport, Edge Transport, and Mailbox servers as these are the Exchange 2010 server roles that are involved in transmitting email messages around the network.

I spend hours each week searching message logs for all kinds of interesting information. This may be situations such as tracking the routing or delivery of a single email message, troubleshooting a server load issue, or analysing overall email traffic patterns.

Enabling or Disabling Message Tracking for Exchange Server 2010

Message tracking is an optional setting that is enabled by default. You can see the current status of message tracking on a server by opening the Properties of that server in the Exchange Management Console and looking at the Log Settings tab.

Enabling/disabling message tracking logs
Enabling/disabling message tracking logs

You can also query this setting with the Exchange Management Shell. One of the advantages of the shell is you can check all your servers at once.

For example, to check the message tracking log setting for all Edge and Hub Transport servers use Get-TransportServer:

To check the same setting on Mailbox servers, use Get-MailboxServer instead:

You'll notice the same servers have appeared in the above output twice. Those are multi-role servers, with both the Hub Transport and Mailbox server roles installed. In those cases you can use either Get-TransportServer or Get-MailboxServer to query the same setting (it is one setting that can be queried with two cmdlets, not two separate settings).

If you find any servers with message tracking logs disabled you can enable it with Set-TransportServer or Set-MailboxServer.

Configuring Message Tracking for Exchange Server 2010

In addition to enabling/disabling message tracking logs you can also configure some other settings as appropriate for your environment. These can be seen in the output below:

The default settings are:

Max Age – 30 days. You can turn this up or down as required. I find sometimes by the time an issue is reported or found that 30 days is not quite enough to be able to search back in time. However this is entirely up to you, and if your logs are being backed up you can always consider restoring older logs from backup if required.

Max Directory Size – this is an additional setting for limiting the total size of message tracking logs on your server. The default limit is 1Gb but in high volume environments you may find that this limit means logs are purged before they reach the full 30 day max age, because the max directory size overrides the max age setting. On most of my servers I've increased this to 4Gb and in some cases as much as 10Gb. Consider your server's disk capacity as well as the impact that more log files has on the amount of time some tracking log searches will take.

Max File Size – the default is 10mb and I've never seen a need to change this.

Log Path – the default is the same drive as the Exchange 2010 install directory, but you can move this to any path you wish. On some of our highest volume servers (eg messaging hub sites, and Edge Transport servers) this path has been changed to a non-OS drive with a lot more free disk space.

Subject Logging – this is enabled by default and the only reason I've ever needed to disable it was when there were some privacy/security concerns for that particular environment.

You can change any of these settings with Set-TransportServer or Set-MailboxServer. For example to increase the max directory size for all of the servers:

Searching Message Tracking Logs in Exchange Server 2010

Exchange 2010 provides multiple tools for searching message tracking logs. The first two are available in the Toolbox section of the Exchange Management Console.

Exchange Management Console Toolbox message tracking tools
Exchange Management Console Toolbox message tracking tools

Message Tracking Web Interface

The web interface for message tracking is part of the Exchange Control Panel and provides very basic search functionality to search for messages either sent by or received by a mailbox, based on the sender, recipients, and subject line.

Searching for delivery reports in Exchange Control Panel
Searching for delivery reports in Exchange Control Panel

One of the advantages of this web interface is that it is available for regular users to perform delivery report searches for their own emails, or delegate the task to power users or auditors, without needing to install the Exchange 2010 management tools on their workstation.

Delivery report search results for regular mailbox users
Delivery report search results for regular mailbox users

Message Tracking Log Explorer

Message tracking log searches can also be performed in the Tracking Log Explorer, a GUI search tool that is part of the Exchange Management Console. This tool gives administrators some more control over the searches they perform such as searching for specific events (eg FAIL events), searching for a particular message ID, and controlling the date ranges for search results.

Message Tracking Log Explorer
Message Tracking Log Explorer

The message Tracking Log Explorer provides a fairly user-friendly interface for administrators to perform searches, but has a few limitations as well. Wildcard searches are not possible, nor are searches across multiple servers simultaneously. And although reports files are automatically saved by the tool, they can only be exported in XML format which is not as user-friendly as CSV would be.

So while the Tracking Log Explorer is decent tool for single server environments, in any larger environment you will find PowerShell a much better way to perform message tracking log searches.


The Exchange Management Shell includes the Get-MessageTrackingLog cmdlet that can be used for message tracking log searches. This is one of the most useful and powerful ways to search your tracking logs, but it may appear to be a steep learning curve for some administrators.

If you take a look at the Tracking Log Explorer mentioned above you'll notice that as you construct a query it generates the equivalent PowerShell command below that, which means the Tracking Log Explorer is a good way to get started with the PowerShell syntax for Get-MessageTrackingLog.

Using PowerShell to search message tracking logs is a big topic so I've written a separate article about it including many sample queries that you can build off to suit your own situations.


Message tracking is a feature of Exchange Server 2010 that is enabled by default, and can be configured in many ways to suit your environment. It is useful for troubleshooting and reporting tasks, and Exchange 2010 comes with several tools to make tracking log searches possible.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. Rosario says:

    Could you please tell whether configuring/enabling message tracking on the Hub&Access Servers is enough or whether it would be better to enable it also on the Mailbox Servers?

    Thanks a lot, Rosario

  2. Mike Wood says:

    I would like to be able to run the Powershell command:

    Get-TransportServer | get-messageTrackingLog -Start “01/01/2014 00:00:00” -End “01/01/2014 23:59:59”

    against all of my Hub and Edge Transport servers. It works fine for the hub servers but all the edge servers get this error:
    Failed to connect to the Microsoft Exchange Transport Log Search service on computer “serverX.example.com”. Verify that the Microsoft Exchange Transport Log Search service is started on
    the target computer.
    + CategoryInfo : ResourceUnavailable: (:) [Get-MessageTrackingLog], LocalizedException
    + FullyQualifiedErrorId : 197D7D84,Microsoft.Exchange.Management.TransportLogSearchTasks.GetMessageTrackingLog

    I can successfully get the logs locally from the edge transports, I just cannot retrieve them remotely. This is not a firewall problem as I’ve temporarily stopped the Windows firewall and complete opened the Cisco ASA ACLs during testing. Is there a special RBAC or Powershell execution policy needed to access edge transport server logs remotely? I’ve been able to remotely access the edge servers with standard Powershell commands like “Get-Service -ComputerName edgeX” but the Exchange Transport logs just don’t work for me.

    Any help or thoughts would be appreciated.

  3. Siddu says:

    Hi Paul,

    One of the generic a/c user has sent a mail to one of our internal user. Now the user want to know who has sent the mail from the generic a/c as the generic a/c has access to so many people can we track the IP address of the machine who has sent mail from generic a/c to user in exchange console.

    Thanks in advance.

  4. Lance Hill says:

    Hi Paul,
    I am trying to track an email from a mailbox in our single server environment, Exchange 2010, and the email was never received, but emails are being received from other domains to this same recipient. I’m trying to get the status if the message was delivered successfully or not of course from our end. My issue is when I go to the “Message Tracking” from the Toolbox in EMC, that takes me to a web interface login. I login with the mailbox user credentials that is having the email issue, but get a “Sorry! Access denied” error message. So, I can’t access the report that way. Any suggestions?
    Also, I used “Tracking Log Explorer” and it ran just fine & gave me a report, but I’m not sure how to read it exactly or what I am looking for if the message being sent is failing on my end. Can you help a brother out? Thank you for any suggestions or help.

    • As an administrator you can login to the Exchange Control Panel and run delivery reports for other users.

      Or, the user themselves can login to the ECP and run their own delivery reports.

      Or, as an administrator, you can use PowerShell to run message tracking log searches.

      The third option is the best one in my opinion, and well worth learning as it is one the most powerful and effective email delivery troubleshooting techniques an Exchange admin can have.

      I should of course mention that my ebook “Mastering Message Tracking” teaches you how to do all of this.


  5. Andrew Francis says:

    Hi Paul,

    Thanks for all your help over the years.

    Tracking email passed through distribution groups from SMTP contacts. Can we do it using native tools in EMC or pwshell? Message tracking does not allow as the mailbox, ‘sent to’ or ‘sent from’ have to be users, not contacts. If the tool worked (“Select a user” freezes on me and doesn’t allow me to ever select a user), I’d not be able to choose an outside recipient or sender to search for messages from. This is useless except to tell me if our users received the mail, not whether it was ever relayed or whether we received ndr’s from their servers or not. I’ve searched a while for answers to this, but have seen a lot of unrelated material.

    Thanks again!

  6. Andrew Francis says:

    Scratch that last comment… Tracking log explorer is what I’ve been looking for. As another person said, why rename it!? Thanks again for your years of help.

  7. Rosario says:

    Dear all,

    I have a big problem with users doing delivery report in owa and the same if I do it out of the EMC as Exchange Admin. I get always the error: Couldn’t retrieve all results. This may be because the server is too busy. Please try again later.

    So no user is actually able to view/search the own delivery reports.

    But Message-Tracking works fine in powershell as explained in this article and it works also if instead of Message Tracking in the web-gui I choose the traditional Message-Tracking-Log-Explorer.

    I wonder if this is because I set MessageTrackingLogMaxAge to 360 days. Could it be this generates too much data, causing a timeout to produce the mentined error?

    I have been searching the internet without finding any hints. One of them, though, states to delete the contents of the CatalogData of every DB and then rebuild the indexes using the v14scriptsResetSerachIndex.ps1 -force -all

    Before doing so on all of our 24 DBs I wanted to ask some advice here.

    Thanks a lot, Rosario

    • Good question. I had to go and check the answer in my ebook, “Mastering Message Tracking” because I could not remember off the top of my head.


      The answer is, message tracking by default can be performed by members of the Organization Management, Recipient Management, and Records Management role groups.

      Records Management gives them access to some other things that may not be acceptable for some orgs though, so in those cases a custom role group that just permits Message Tracking can be created.

      • Rosario Carcò says:

        Paul, Jeff, I never got an answer regarding my normal users not being able to show their own message-delivery-reports in OWA. I guess it has to do with permissions, as I can do it if I log in with an Exchange-Org-Admin Account.

        Any Ideas? Thanks a lot, Rosario

  8. Miles Deep says:

    When trying to Reporting, from within Message Tracking, next to Mailbox to Search, I choose Browse and get this error message: You don’t have sufficient permissions. To get permissions, contact your administrator.

    Thanks for any insight.

    • That error seems pretty straightforward to me… you don’t have sufficient permissions.

      You could try doing tracking log searches in PowerShell instead to see if it’s just an ECP bug I suppose.

      • Miles Deep says:

        I’m sorry; to be more clear-what permissions do I need to be able to track other’s messages. I am a domain admin. Thanks.

        • AD permissions are not the same as Exchange permissions. You can be in AD groups like Domain Admins and have no Exchange admin rights at all.

          For message tracking you need to be a member of Recipient Management, Records Management, or Organization Management. Alternatively you can create a custom RBAC role that can only do message tracking.

  9. Jackie Behrbom says:

    Hello, than you for this guide! We’ve had this enabled for years now – and I swear at one point in time it used to show me the originating client IP so that i could confirm what IP address the e-mails were grabbed from/sent from. I seem to no longer have this ability. the deepest I can get is the mailbox server that picked up the email from the outbox. I read a blurb somewhere about how MAPI connections will not produce a client IP address in the tracking logs…?

  10. Jeff Smith says:

    Paul, is there a way to check for messages incoming from just a specific receive connector? We have several appliance devices that can be configured to send alerts. We have receive connectors for each of them. Can I check just a single connector (by its I/P address) to see if “any” messages were received without having to specify a -Sender or -Recipient.


  11. Ashish Sharma says:

    Thanks for the post. Loved it.

    I have a small doubt. I have lost the .idx index files for message tracking ans are showing 0 KB.

    I am unable to search logs thorugh EMC 2010>Toolbox>Mesage Tracking GUI using SENDER (FROM ADDRESS) attribute but while using the RECEPIENT ADDRESS atribute it gives me result. Any clues?

    **Note: I can very well get the details by serching message tracking logs manually from notepad and shell but my requirement is to use GUI mode.

  12. julio.baptista says:

    HI Paul,
    I have exchange server platform and i have 4 Databases but i have problem with 1 Data base that the logs was increase rappildy per second.
    Can you help me how to do troubleshooting?

    Best Regards!!

    Julio Baptista

  13. Will Roque says:

    When the logs are running out of control, I always keep an eye on them, the I purge them.
    The Exchange Maintenance process requires enabling “Circular Logging” and a “Dismount/Mount” of the DB. Give it a few minutes and you will gain your space back.

    Organization Configuration-Inbox- Right click: Mail Database-Maintenance tab-Click “Enable Circular Logging”.

  14. Paul Cheeseman says:

    HI Paul

    Do you know of any reason why my message tracking logs only show internal messages and not external?

    External messages stopped showing up at the end of december 2016, as far as I know there have been no changes made to the system. Last change to logs was 4-5 weeks prior when I moved the tracking logs to a different drive with powershell.

    I have unsuccesfully tried everything I can think of to get them showing again but with no luck.

    This is exchange 2013.


Leave a Reply

Your email address will not be published. Required fields are marked *