We've looked at searching Exchange Server message tracking logs by time/date range, and by sender or recipient email address.
Now it is time to look at how to use the email message subject as the search criteria.
Enabling/Disabling Message Tracking Log Subject Logging
The first thing to be aware of is that the message subject is an optional item for message tracking logs. Although the default setting is for subject logging to be enabled, you should verify that it is still configured that way if you wish to be doing log searches using the subject line as the criteria.
You can check all of your Transport servers at once using the Get-TransportServer cmdlet in PowerShell:
|
1 2 3 4 5 6 7 8 9 |
[PS] C:\>Get-TransportServer | select name,*subject* | ft -auto Name MessageTrackingLogSubjectLoggingEnabled ---- --------------------------------------- HO-EX2010-MB1 True HO-EX2010-MB2 True BR-EX2010-MB True HO-EX2010-EDGE True HO-EX2007-MB1 True |
If any of the servers are disabled (ie “False”) you can re-enable them using Set-TransportServer.
|
1 |
[PS] C:\>Set-TransportServer ho-ex2010-mb1 -MessageTrackingLogSubjectLoggingEnabled $true |
Searching Message Tracking Logs by Message Subject
One of the nice things about using the -MessageSubject parameter for the Get-MessageTrackingLog cmdlet is that it already returns partial match results, so there is no need to pipe to Where-Object for wildcard searches or partial matches.
|
1 2 3 4 5 6 7 8 |
[PS] C:\>Get-MessageTrackingLog -MessageSubject "payroll" EventId Source Sender Recipients MessageSubject ------- ------ ------ ---------- -------------- RECEIVE SMTP Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September DELIVER STORE... Alan.Reid@exchangeserverpro.net {Alex.Heyne@exchangeserverpro.... Payroll report for September DELIVER STORE... Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} Payroll report for September |
However, if we want to search on multiple criteria with and/or conditions we still need to use Where-Object.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
[PS] C:\>Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.MessageSubject -match "payroll" -or $_.MessageSubject -match "meeting"} EventId Source Sender Recipients MessageSubject ------- ------ ------ ---------- -------------- RECEIVE SMTP Alan.Reid@exchangeserverpro.net {Alan.Reid@exchangeserverpro.net} A meeting #1 HARED... ROUTING Alan.Reid@exchangeserverpro.net {Alan.Reid@exchangeserverpro.net} A meeting #1 SEND SMTP Alan.Reid@exchangeserverpro.net {Alan.Reid@exchangeserverpro.net} A meeting #1 RECEIVE STORE... Mahera.Bawa@exchangeserverpro.net {homeetingroom1@exchangeserver... A meeting about paper TRANSFER ROUTING Mahera.Bawa@exchangeserverpro.net {homeetingroom1@exchangeserver... A meeting about paper DELIVER STORE... Mahera.Bawa@exchangeserverpro.net {homeetingroom1@exchangeserver... A meeting about paper RECEIVE STORE... homeetingroom1@exchangeserverp... {Mahera.Bawa@exchangeserverpro... Accepted: A meeting about paper DELIVER STORE... homeetingroom1@exchangeserverp... {Mahera.Bawa@exchangeserverpro... Accepted: A meeting about paper RECEIVE SMTP Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September DELIVER STORE... Alan.Reid@exchangeserverpro.net {Alex.Heyne@exchangeserverpro.... Payroll report for September DELIVER STORE... Alan.Reid@exchangeserverpro.net {David.Gower@exchangeserverpro... Payroll report for September SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} Meeting minutes SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} A meeting #1 SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} A meeting #2 SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} Payroll report for September |
As you can see searching message tracking logs based on message subject is quite simple.
Is there software that would enable a company to read the content of an email on message tracking?
Thank you for your help.
Message tracking logs don’t store message contents.
If you want to be able to search and read contents of email messages you can use Exchange’s built in eDiscovery and auditing features, or a third party eDiscovery/compliance product such as Enterprise Vault.
when they are multiple recipients on a message I only get partial recipients with “…” at the end. I would like to see all the recipients. Is it possible to display all the recipients that received a message?
Preventing truncated output in PowerShell:
https://practical365.com/how-to-prevent-truncation-of-long-output-in-exchange-management-shell/
Or you can export to CSV using the technique in this article:
https://practical365.com/exchange-2010-message-tracking-log-search-powershell/
Paul-
Thank you for the information. Both methods worked perfectly. I appreciate your response.
What does ‘hared…’ event id indicate?
I have located an email that never was never delivered to my mailbox, I’m certain is was blocked by a spam filter. I’m trying to figure out why though and I came across this post and noticed you have some entries with event id of ‘hared…’ as well.
HAREDIRECT event means a shadow copy of the message was created.
Thanks, I’ll read up on that.
I hope I’m not being to presumptuous in thinking I should be able to locate all emails that had shadow copies made via Haredirect but weren’t delivered.
Do you think that will be possible?
I recently had a slew of emails that weren’t delivered, I’m trying to locate them all. I believe our spam thresholds were set to stringently.
Probably. But messages don’t vanish into thin air. If they’ve been blocked or dropped in the transport pipeline somewhere then you should be able to find evidence of that. When you know the exact message ID you can search your logs for all log events for that message ID, sort them by timestamp, and look at the full details of the events to know more.
Did this “slew of emails” involve a single recipient or multiple recipients?
There were a couple different contacts over the past few weeks, it seemed to happen when they had attachments.
I have one email that I know the exact time and event ID that was blocked, I had the sender sent my company account (the one that is having issues) and I had them cc my personal email as well. That particular sender has only sent me 2 emails so it was easy to locate. The email to my company account didn’t come through but still appeared on in the MessageTrackingLog, so I’m confident I can find the others, just not exactly sure how easy it will be to identify the others that were not delivered, because I can’t say for sure who the senders were or the times they sent.
Not that it matters, but I though exchange toolbox would provide an interface for this type of troubleshooting. I guess not though hey?
Thanks for the quick replies.
The Toolbox has a tracking log explorer but it is pretty weak compared to what you can determine in PowerShell.
I came across an option for Get MessageTrackingLog called ‘Out-GridView’ that I quite like. It allows for quick filtering of the log in a separate window from EMS.
Get-MessageTrackingLog -ResultSize Unlimited -Start “May 7 2015” | Out-GridView
I found some info here:
http://www.c7solutions.com/2012/11/missing-message-tracking-log-explorer-html
It would be nice if I could view the email in question from it. I’m quite new to message tracking so still not sure about the significance of each event. I haven’t yet worked out how to open the email based on the output from these logs.
Also from this I noticed that the HARED… events are actually HARedirectFail events. I now see that ‘HA’ indicated High Availability. In reading up on this I’d require a second mail server in a DAG set-up for this to function properly. I’m not entirely sure of the what that means for emails that hadn’t been delivered properly over the long duration, but I have my doubts about recovering emails from prior weeks.
Hi Paul,
I have enable the message tracking and use power shell to view all sort of information but what I am looking for is to see what time a recipient read the message. All I can see is that the message is read but not the date and time at of read. Can you please assist how can I achieve this if it is possible?
Hey Paul,
do you know how i can make a Search-Mailbox -searchquery with as subject that has special characters? ” or ‘ does not work there for excaping.
Thanks for a feedback!
Mirko
excellent posts, and questions.
How Can I track If email has been opened or read or unmarked via powershell ?
Here you go: https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/