Home » Exchange Server » Searching Message Tracking Logs by Email Subject

Searching Message Tracking Logs by Email Subject

  by Paul Cunningham

We’ve looked at searching Exchange Server message tracking logs by time/date range, and by sender or recipient email address.

Now it is time to look at how to use the email message subject as the search criteria.

Enabling/Disabling Message Tracking Log Subject Logging

The first thing to be aware of is that the message subject is an optional item for message tracking logs. Although the default setting is for subject logging to be enabled, you should verify that it is still configured that way if you wish to be doing log searches using the subject line as the criteria.

You can check all of your Transport servers at once using the Get-TransportServer cmdlet in PowerShell:

If any of the servers are disabled (ie “False”) you can re-enable them using Set-TransportServer.

Searching Message Tracking Logs by Message Subject

One of the nice things about using the -MessageSubject parameter for the Get-MessageTrackingLog cmdlet is that it already returns partial match results, so there is no need to pipe to Where-Object for wildcard searches or partial matches.

However, if we want to search on multiple criteria with and/or conditions we still need to use Where-Object.

As you can see searching message tracking logs based on message subject is quite simple.

Paul Cunningham
Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server
Tags: , , , ,

14 comments

  1. Julie Stenabaugh says:

    Is there software that would enable a company to read the content of an email on message tracking?
    Thank you for your help.

    • Paul Cunningham says:

      Message tracking logs don’t store message contents.

      If you want to be able to search and read contents of email messages you can use Exchange’s built in eDiscovery and auditing features, or a third party eDiscovery/compliance product such as Enterprise Vault.

  2. Marco says:

    when they are multiple recipients on a message I only get partial recipients with “…” at the end. I would like to see all the recipients. Is it possible to display all the recipients that received a message?

  3. Brendon says:

    What does ‘hared…’ event id indicate?

    I have located an email that never was never delivered to my mailbox, I’m certain is was blocked by a spam filter. I’m trying to figure out why though and I came across this post and noticed you have some entries with event id of ‘hared…’ as well.

      • Brendon says:

        Thanks, I’ll read up on that.

        I hope I’m not being to presumptuous in thinking I should be able to locate all emails that had shadow copies made via Haredirect but weren’t delivered.

        Do you think that will be possible?

        I recently had a slew of emails that weren’t delivered, I’m trying to locate them all. I believe our spam thresholds were set to stringently.

        • Paul Cunningham says:

          Probably. But messages don’t vanish into thin air. If they’ve been blocked or dropped in the transport pipeline somewhere then you should be able to find evidence of that. When you know the exact message ID you can search your logs for all log events for that message ID, sort them by timestamp, and look at the full details of the events to know more.

          Did this “slew of emails” involve a single recipient or multiple recipients?

  4. Brendon says:

    There were a couple different contacts over the past few weeks, it seemed to happen when they had attachments.

    I have one email that I know the exact time and event ID that was blocked, I had the sender sent my company account (the one that is having issues) and I had them cc my personal email as well. That particular sender has only sent me 2 emails so it was easy to locate. The email to my company account didn’t come through but still appeared on in the MessageTrackingLog, so I’m confident I can find the others, just not exactly sure how easy it will be to identify the others that were not delivered, because I can’t say for sure who the senders were or the times they sent.

    Not that it matters, but I though exchange toolbox would provide an interface for this type of troubleshooting. I guess not though hey?

    Thanks for the quick replies.

      • Brendon says:

        I came across an option for Get MessageTrackingLog called ‘Out-GridView’ that I quite like. It allows for quick filtering of the log in a separate window from EMS.

        Get-MessageTrackingLog -ResultSize Unlimited -Start “May 7 2015” | Out-GridView

        I found some info here:
        http://www.c7solutions.com/2012/11/missing-message-tracking-log-explorer-html

        It would be nice if I could view the email in question from it. I’m quite new to message tracking so still not sure about the significance of each event. I haven’t yet worked out how to open the email based on the output from these logs.

        Also from this I noticed that the HARED… events are actually HARedirectFail events. I now see that ‘HA’ indicated High Availability. In reading up on this I’d require a second mail server in a DAG set-up for this to function properly. I’m not entirely sure of the what that means for emails that hadn’t been delivered properly over the long duration, but I have my doubts about recovering emails from prior weeks.

  5. Fahad says:

    Hi Paul,

    I have enable the message tracking and use power shell to view all sort of information but what I am looking for is to see what time a recipient read the message. All I can see is that the message is read but not the date and time at of read. Can you please assist how can I achieve this if it is possible?

Leave a Reply

Your email address will not be published. Required fields are marked *