Exchange: How to read the message tracking

Message tracking is always used to analyze mail problems in order to find errors. This may be because a user reports that they have not received a mail or because all users are unable to send or receive mails.

However, in order to find the cause of a problem (or to prove to the user that they have received the mail), you need to know what the individual entries in the message tracking mean. This article therefore deals with the most important features in message tracking.

Foreword

I mainly use the Exchange Management Shell to search the message tracking logs. With a little practice, you can get there faster with the shell than with the graphical interface that exists in Exchange 2010. Another reason is that message tracking with the GUI no longer exists in Exchange 2013 in this form (workaround below). The shell is therefore the tool of choice. The message flow has also changed with Exchange 2013, as the transport role has been integrated into the mailbox role. can be found here.

Basics

Mails are identified by the MessageID. To trace the path of an e-mail, the MessageID should be used instead of the subject, sender or recipient. The MessageID is unique for each mail; the recipient, subject and sender can be the same, as the following example shows:

In the screenshot you can see a message with the subject "Testmail 1", which appears 10 times in the log, apparently this is a single mail, but in fact there are 3 mails sent independently of each other, which can be recognized by the different MessageID

Here is the view from Outlook

It is therefore important not to rely solely on the subject, sender or recipient; if you want to track an e-mail specifically, you should use the MessageID, here is the example of the e-mail at 21:24:

Only the entries shown above belong to the mail from 21:24.

Search Message Tracking Log

The CMDlet "Get-MessageTrackingLog" is used to search the message tracking log via the shell. The command itself already offers a good set of parameters to limit the output accordingly. Here you can find the documentation with all possible parameters.

The parameters used to call "Get-MessageTrackingLog" naturally depend on what you want to see or achieve. So here are a few simple examples:

All emails from the last 24 hours:

$start = (get-date).AddDays(-1)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end

All mails to administrator@frankysweb.de

Get-MessageTrackingLog -Recipients administrator@frankysweb.de

All emails to administrator@frankysweb.de within the last 10 minutes

$start = (get-date).AddMinutes(-10)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end -recipients administrator@frankysweb.de

Mails within the last week with the subject "Test"

$start = (get-date).AddDays(-7)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end | Where-Object {$_.MessageSubject -match "test"}

Mails from testmail@frankysweb.de to administrator@frankysweb.de within the last 12 hours with the subject "Test"

$start = (get-date).AddHours(-12)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end -sender testmail@frankysweb.de -recipients administrator@frankysweb.de| Where-Object {$_.MessageSubject -match "test"}

If the tracking logs of several servers are to be searched, an additional CMDLet must be placed in front.

For Exchange 2010:

Get-TransportServer | Get-MessageTrackingLog

For Exchange 2013:

Get-TransportService | Get-MessageTrackingLog

Interpret message tracking log

In addition to the MessageID column, there are of course other important columns that help to trace the path of a mail. The most useful columns and an explanation of what they mean:

• TimeStamp: Contains the time of the entry, each entry has its own time, so problems with high throughput times can also be analyzed
• Source: The Exchange component that was responsible for the event is displayed here
• EventID: The event type is displayed here, for example SEND / RECEIVE
• RecipientContains the recipient(s) of the e-mail
• TransmitterContains the sender of the e-mail
• MessageSubjectContains the subject of the e-mail

All message tracking entries are described in the Technet. The corresponding Article can be found here. Here is an example:

In the first line we see that a mail was received via SMTP (Source = SMTP) (EventID = Receive). We can also see who the recipient and sender of the mail is. The second line shows that the mail was delivered to the mailbox (Source = STOREDRIVER) (EventID = Deliver). The MessageID indicates that it is the same mail and not two mails with the same subject etc.

The example above shows the Exchange 2010 console, which no longer exists in this form for Exchange 2013. However, I have created a Powershell script which also provides a GUI for Exchange 2013:

https://www.frankysweb.de/exchange-2013-gui-fr-die-nachrichtenverfolgung/

Next example:

As already mentioned above, it is quite difficult to assign the mail without the MessageID field, as there are obviously several mails that only have the same sender, recipient and subject. This can often be seen when the first mail has not arrived and it is therefore tried several times.

In this example, however, the EventIDs are quite interesting: HARECEIVE, HADISCARD and HAREDIRECT indicate that this is an environment with multiple mailbox servers (Exchange 2013). So here is Shadow Redundancy in the game.

It is highly recommended that you take a close look at message tracking, as problems can usually be identified quickly.