Maintaining a consistent message tracking configuration across all of your Exchange servers is important. Without it you’ll potentially miss out on important information during message tracking log searches.
Although message tracking is enabled by default on Exchange servers the default configuration that is applied is often not suitable. For example, the default log retention of 30 days is often too short for investigations, and the default maximum folder size of 1Gb is often too small for organizations with high volumes of email traffic.
I’ve published a PowerShell script, Get-MessageTrackingConfig.ps1, that will generate a CSV file showing the current message tracking configuration of your Exchange servers. The script currently supports Exchange Server 2013, with support for Exchange Server 2010 coming in the future.
A few important points to note about the CSV file that the script generates. On an Exchange 2013 server there are four types of message tracking logs generated:
- MSGTRK – tracking logs generated by the Transport service
- MSGTRKMA – tracking logs generated by moderated transport actions (ie, approvals and rejectsion)
- MSGTRKMD – tracking logs generated by the Mailbox Transport Delivery service
- MSGTRKMS – tracking logs generated by the Mailbox Transport Submission service
For more about those services you may like to read about Exchange 2013 mail flow.
Each of the logs files has the message tracking log retention max directory size settings applied individually. This means that if the max directory size is 1Gb (1000Mb), up to 3000Mb of log files will be stored in the directory. Why 3000 and not 4000? Microsoft says:
On Exchange 2013 Mailbox servers, the maximum size of the message tracking log directory is three times the specified value. Although the message tracking log files that are generated by the four different services have four different name prefixes, the amount and frequency of data written to the MSGTRKMA log files is negligible compared to the three other log file prefixes.
As such, the script assumes a 3x multiplier in the results that it outputs. In the example screenshot above the server MELEX1 has 38MB of Transport logs, 28Mb of Delivery logs, and 18Mb of Submission logs for a total of 84Mb of logs. This is well under the configured maximum directory size of 1000Mb, and the server can comfortably store the 30 days of logs if is configured to retain.
How to use this script in your Exchange Server 2013 environment:
- Run the script from a computer or server that has the Exchange Management Shell installed
- Review the CSV file to:
- Confirm that your message tracking log configuration is consistent across your servers
- Confirm that the max directory size is high enough to store the number of days of logs you want to retain
- Consider whether the server has sufficient storage to hold the estimated maximum amount of data that might be retained
This script is available for download from the TechNet Script Gallery and Github. Comments are welcome below. If you find a bug please consider raising it as an issue on Github.
I try to run the script, but there is no csv exported, please help.
We use Exchange 2016.
Hello,
Does the script work under Exchange 2016 server?
Regards
Hi Paul
Any News regarding the compatibility to EX2010?
Thank you for your reply.
Hi Paul,
Please help me get what is maximum limit of Log directory size and log file size in Exchange 2013
The Real Person!
The Real Person!
Max directory size is 9223372036854775807 bytes but you can also set it to “Unlimited”.
Max log file size is 4294967296 bytes but again you can also set it to “Unlimited”.
Hi,
As always a great script and good explanation. However, I have a problem.
The script tells me my MaxAge (Days) is set at 90 and my configured max size set to 4096. This is what I want; we need to keep 90 days for compliance reasons. The script also tells me my oldest log file is 42 days (which is about right).
My problem is that the MSGTRKMD files are being removed after 30 days. Why would this be? Theres only 240Mb of them.
Please. We have the same issue
Hi Paul
Can you help with powershell to track message eventID = Defer in office 365?
I wanted to track all message where the eventid is defer from the cloud.
Thank you for your help.
Hello,
this is the result:
You cannot call a method on a null-valued expression.
At D:Get-MessageTrackingConfig.ps1:190 char:92
+ … (MB)” -Value $($E15TransportRole.MessageTrackingLogMaxDirectorySize.Value.ToMb() …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At D:Get-MessageTrackingConfig.ps1:191 char:91
+ … (MB)” -Value $($E15TransportRole.MessageTrackingLogMaxDirectorySize.Value.ToMb() …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Same error as above
The Real Person!
The Real Person!
That error will occur if the script is run from a remote PowerShell session. Try running it from Exchange Management Shell instead.
Nice script indeed. May I know when we can expect it will work for Exchange 2010? cheers