We’ve looked at searching Exchange Server message tracking logs by time/date range, and by sender or recipient email address.
Now it is time to look at how to use the email message subject as the search criteria.
Enabling/Disabling Message Tracking Log Subject Logging
The first thing to be aware of is that the message subject is an optional item for message tracking logs. Although the default setting is for subject logging to be enabled, you should verify that it is still configured that way if you wish to be doing log searches using the subject line as the criteria.
You can check all of your Transport servers at once using the Get-TransportServer cmdlet in PowerShell:
[PS] C:\>Get-TransportServer | select name,*subject* | ft -auto Name MessageTrackingLogSubjectLoggingEnabled ---- --------------------------------------- HO-EX2010-MB1 True HO-EX2010-MB2 True BR-EX2010-MB True HO-EX2010-EDGE True HO-EX2007-MB1 True
If any of the servers are disabled (ie “False”) you can re-enable them using Set-TransportServer.
[PS] C:\>Set-TransportServer ho-ex2010-mb1 -MessageTrackingLogSubjectLoggingEnabled $true
Searching Message Tracking Logs by Message Subject
One of the nice things about using the -MessageSubject parameter for the Get-MessageTrackingLog cmdlet is that it already returns partial match results, so there is no need to pipe to Where-Object for wildcard searches or partial matches.
[PS] C:\>Get-MessageTrackingLog -MessageSubject "payroll"
EventId Source Sender Recipients MessageSubject
------- ------ ------ ---------- --------------
RECEIVE SMTP Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September
DELIVER STORE... Alan.Reid@exchangeserverpro.net {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER STORE... Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September
SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} Payroll report for September
However, if we want to search on multiple criteria with and/or conditions we still need to use Where-Object.
[PS] C:\>Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.MessageSubject -match "payroll" -or $_.MessageSubject -match "meeting"}
EventId Source Sender Recipients MessageSubject
------- ------ ------ ---------- --------------
RECEIVE SMTP Alan.Reid@exchangeserverpro.net {Alan.Reid@exchangeserverpro.net} A meeting #1
HARED... ROUTING Alan.Reid@exchangeserverpro.net {Alan.Reid@exchangeserverpro.net} A meeting #1
SEND SMTP Alan.Reid@exchangeserverpro.net {Alan.Reid@exchangeserverpro.net} A meeting #1
RECEIVE STORE... Mahera.Bawa@exchangeserverpro.net {homeetingroom1@exchangeserver... A meeting about paper
TRANSFER ROUTING Mahera.Bawa@exchangeserverpro.net {homeetingroom1@exchangeserver... A meeting about paper
DELIVER STORE... Mahera.Bawa@exchangeserverpro.net {homeetingroom1@exchangeserver... A meeting about paper
RECEIVE STORE... homeetingroom1@exchangeserverp... {Mahera.Bawa@exchangeserverpro... Accepted: A meeting about paper
DELIVER STORE... homeetingroom1@exchangeserverp... {Mahera.Bawa@exchangeserverpro... Accepted: A meeting about paper
RECEIVE SMTP Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September
DELIVER STORE... Alan.Reid@exchangeserverpro.net {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER STORE... Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September
SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} Meeting minutes
SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} A meeting #1
SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} A meeting #2
SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} Payroll report for September
As you can see searching message tracking logs based on message subject is quite simple.
Get-MessageTrackingLog -MessageSubject “Hi” | Select timestamp,EventID,recipients,messagesubject >> “C:\SubjectOutputF.txt”
how to get message trace where sender send an email to multiple users & put his/her id in Bcc. I would like to search email with specific subject & time duration
How Can I track If email has been opened or read or unmarked via powershell ?
Here you go: https://www.practical365.com/exchange-server/tracking-read-email-messages-exchange-server/
excellent posts, and questions.
Hey Paul,
do you know how i can make a Search-Mailbox -searchquery with as subject that has special characters? ” or ‘ does not work there for excaping.
Thanks for a feedback!
Mirko
Hi Paul,
I have enable the message tracking and use power shell to view all sort of information but what I am looking for is to see what time a recipient read the message. All I can see is that the message is read but not the date and time at of read. Can you please assist how can I achieve this if it is possible?
There were a couple different contacts over the past few weeks, it seemed to happen when they had attachments.
I have one email that I know the exact time and event ID that was blocked, I had the sender sent my company account (the one that is having issues) and I had them cc my personal email as well. That particular sender has only sent me 2 emails so it was easy to locate. The email to my company account didn’t come through but still appeared on in the MessageTrackingLog, so I’m confident I can find the others, just not exactly sure how easy it will be to identify the others that were not delivered, because I can’t say for sure who the senders were or the times they sent.
Not that it matters, but I though exchange toolbox would provide an interface for this type of troubleshooting. I guess not though hey?
Thanks for the quick replies.
The Toolbox has a tracking log explorer but it is pretty weak compared to what you can determine in PowerShell.
I came across an option for Get MessageTrackingLog called ‘Out-GridView’ that I quite like. It allows for quick filtering of the log in a separate window from EMS.
Get-MessageTrackingLog -ResultSize Unlimited -Start “May 7 2015” | Out-GridView
I found some info here:
http://www.c7solutions.com/2012/11/missing-message-tracking-log-explorer-html
It would be nice if I could view the email in question from it. I’m quite new to message tracking so still not sure about the significance of each event. I haven’t yet worked out how to open the email based on the output from these logs.
Also from this I noticed that the HARED… events are actually HARedirectFail events. I now see that ‘HA’ indicated High Availability. In reading up on this I’d require a second mail server in a DAG set-up for this to function properly. I’m not entirely sure of the what that means for emails that hadn’t been delivered properly over the long duration, but I have my doubts about recovering emails from prior weeks.
What does ‘hared…’ event id indicate?
I have located an email that never was never delivered to my mailbox, I’m certain is was blocked by a spam filter. I’m trying to figure out why though and I came across this post and noticed you have some entries with event id of ‘hared…’ as well.
HAREDIRECT event means a shadow copy of the message was created.
Thanks, I’ll read up on that.
I hope I’m not being to presumptuous in thinking I should be able to locate all emails that had shadow copies made via Haredirect but weren’t delivered.
Do you think that will be possible?
I recently had a slew of emails that weren’t delivered, I’m trying to locate them all. I believe our spam thresholds were set to stringently.
Probably. But messages don’t vanish into thin air. If they’ve been blocked or dropped in the transport pipeline somewhere then you should be able to find evidence of that. When you know the exact message ID you can search your logs for all log events for that message ID, sort them by timestamp, and look at the full details of the events to know more.
Did this “slew of emails” involve a single recipient or multiple recipients?
Hi Paul,
I’m struggling to find an easy way to do a message tracking search for O365/Exchange Online based on a message Subject. Do you know if that capability exists?
Thanks
Brian
when they are multiple recipients on a message I only get partial recipients with “…” at the end. I would like to see all the recipients. Is it possible to display all the recipients that received a message?
Preventing truncated output in PowerShell:
https://www.practical365.com/how-to-prevent-truncation-of-long-output-in-exchange-management-shell/
Or you can export to CSV using the technique in this article:
https://www.practical365.com/exchange-2010-message-tracking-log-search-powershell/
Paul-
Thank you for the information. Both methods worked perfectly. I appreciate your response.
Hi Paul,
I have a powershell script exporting a log for all sent mails for the previous day. Its filtering out all read receipts, auto replies and undeliverable mails.
Users are using square brackets as delimiters for personal account numbers in the subject line. For expample: Case 14 [16893657] john doe.
How can one only log the mail being sent with the square brackets in the subject line? I have tried
where-object {$_.messagesubject -like “*[*]*”}
And it doesn’t work.
Thanks
Is there software that would enable a company to read the content of an email on message tracking?
Thank you for your help.
Message tracking logs don’t store message contents.
If you want to be able to search and read contents of email messages you can use Exchange’s built in eDiscovery and auditing features, or a third party eDiscovery/compliance product such as Enterprise Vault.
Is there some way to track messages with attachments. We need to see in the logs if an attachment was included or blocked, what size it was, what it was called etc. Basically I cannot find a good way to troubleshoot and/or monitor attachment delivery.
We don’t want to go down the archiving/journaling route.
Thank you.
Pingback: Searching Exchange Server 2010 Message Tracking Logs with PowerShell