Message tracking is the usual starting point for analyzing mail problems and finding errors. The trigger may be a user reporting that they have not received a mail, or all users being unable to send or receive mail.
However, in order to find the cause of a problem (or to prove to the user that they have received the mail), you need to know what the individual entries in the message tracking mean. This article therefore deals with the most important features in message tracking.
Foreword
I mainly use the Exchange Management Shell to search the message tracking logs. With a little practice, you can get there faster with the shell than with the graphical interface that exists in Exchange 2010. Another reason is that message tracking with the GUI no longer exists in this form in Exchange 2013 (workaround below). The shell is therefore the tool of choice. The message flow has also changed with Exchange 2013, as the transport role has been integrated into the mailbox role. Details can be found here.
Basics
Mails are identified by the MessageID. To trace the path of an e-mail, the MessageID should be used instead of the subject, sender or recipient. The MessageID is unique for each mail; the recipient, subject and sender can be the same, as the following example shows:
In the screenshot you can see a message with the subject "Testmail 1" that appears 10 times in the log. At first glance this looks like a single mail, but it is actually 3 mails sent independently of one another, which can be recognized by the different MessageIDs.
Here is the view from Outlook
It is therefore important not to rely solely on the subject, sender or recipient. If you want to track a specific e-mail, you should use the MessageID. Here is the example of the e-mail at 21:24:
Only the entries shown above belong to the mail from 21:24.
Search Message Tracking Log
To search the message tracking log from the shell, the cmdlet "Get-MessageTrackingLog" is used. The command itself already offers a good set of parameters for narrowing down the output. The documentation with all possible parameters can be found here.
Which parameters "Get-MessageTrackingLog" is called with naturally depends on what you want to see or achieve. So here are a few simple examples:
All emails from the last 24 hours:
$start = (get-date).AddDays(-1)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end
All mails to administrator@frankysweb.de
Get-MessageTrackingLog -Recipients administrator@frankysweb.de
All emails to administrator@frankysweb.de within the last 10 minutes
$start = (get-date).AddMinutes(-10)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end -recipients administrator@frankysweb.de
Mails within the last week with the subject "Test"
$start = (get-date).AddDays(-7)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end | Where-Object {$_.MessageSubject -match "test"}
Mails from testmail@frankysweb.de to administrator@frankysweb.de within the last 12 hours with the subject "Test"
$start = (get-date).AddHours(-12)
$end = get-date
Get-MessageTrackingLog -Start $start -End $end -sender testmail@frankysweb.de -recipients administrator@frankysweb.de | Where-Object {$_.MessageSubject -match "test"}
If the tracking logs of several servers are to be searched, an additional cmdlet must be placed in front of the command.
For Exchange 2010:
Get-TransportServer | Get-MessageTrackingLog
For Exchange 2013:
Get-TransportService | Get-MessageTrackingLog
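To tie these searches back to the MessageID, the following added example (not part of the original article) groups tracking entries by MessageId, orders each mail's events by time and flags mails that never reached a DELIVER event. The function names Get-MailPath and New-SampleEntry and the sample entries are assumptions made for illustration; only the property names follow the Get-MessageTrackingLog output.

```powershell
# Hypothetical helper (not an Exchange cmdlet): one summary row per MessageId.
function Get-MailPath {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Entry
    )
    begin   { $entries = @() }
    process { $entries += $Entry }
    end {
        foreach ($mail in ($entries | Group-Object -Property MessageId)) {
            # Order the entries of this one mail chronologically
            $steps = @($mail.Group | Sort-Object -Property Timestamp)
            New-Object PSObject -Property @{
                MessageId = $mail.Name
                FirstSeen = $steps[0].Timestamp
                Duration  = $steps[-1].Timestamp - $steps[0].Timestamp
                Path      = ($steps | ForEach-Object { "$($_.Source)/$($_.EventId)" }) -join ' -> '
                Delivered = [bool]($steps | Where-Object { $_.EventId -eq 'DELIVER' })
            } | Select-Object MessageId, FirstSeen, Duration, Path, Delivered
        }
    }
}

# Constructed sample entries (not real log data): same subject, but two
# different MessageIds, i.e. two independent mails.
function New-SampleEntry($Time, $Source, $EventId, $MessageId) {
    New-Object PSObject -Property @{
        Timestamp = [datetime]$Time; Source = $Source; EventId = $EventId
        MessageId = $MessageId; MessageSubject = 'Testmail 1'
    }
}
$sample = @(
    New-SampleEntry '2014-01-01 21:24:05' 'SMTP'        'RECEIVE' '<a1@example.invalid>'
    New-SampleEntry '2014-01-01 21:24:06' 'STOREDRIVER' 'DELIVER' '<a1@example.invalid>'
    New-SampleEntry '2014-01-01 21:30:10' 'SMTP'        'RECEIVE' '<b2@example.invalid>'
)

# The second mail has no DELIVER event and is reported with Delivered = False.
$sample | Get-MailPath | Format-Table -AutoSize

# Against live logs in the Exchange Management Shell (Exchange 2013; use
# Get-TransportServer on Exchange 2010):
# Get-TransportService | Get-MessageTrackingLog -MessageSubject 'Testmail 1' -ResultSize Unlimited | Get-MailPath
```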
Interpret message tracking log
In addition to the MessageID column, there are of course other important columns that help to trace the path of a mail. The most useful columns and an explanation of what they mean:
- TimeStamp: Contains the time of the entry. Each entry has its own time, so problems with long processing times can also be analyzed
- Source: The Exchange component that was responsible for the event is displayed here
- EventID: The event type is displayed here, for example SEND / RECEIVE
- Recipients: Contains the recipient(s) of the e-mail
- Sender: Contains the sender of the e-mail
- MessageSubject: Contains the subject of the e-mail
All message tracking entries are described on TechNet. The corresponding article can be found here. Here is an example:
In the first line we see that a mail was received via SMTP (Source = SMTP) (EventID = Receive). We can also see who the recipient and sender of the mail are. The second line shows that the mail was delivered to the mailbox (Source = STOREDRIVER) (EventID = Deliver). The MessageID indicates that it is the same mail and not two mails with the same subject etc.
The example above shows the Exchange 2010 console, which no longer exists in this form for Exchange 2013. However, I have created a PowerShell script which also provides a GUI for Exchange 2013:
https://www.frankysweb.de/exchange-2013-gui-fr-die-nachrichtenverfolgung/
Next example:
As already mentioned above, it is quite difficult to assign the entries to a mail without the MessageID field, as there are obviously several mails that have the same sender, recipient and subject. This can often be seen when the first mail has not arrived and sending is therefore attempted several times.
In this example, however, the EventIDs are quite interesting: HARECEIVE, HADISCARD and HAREDIRECT indicate that this is an environment with multiple mailbox servers (Exchange 2013). So Shadow Redundancy is in play here.
It is highly recommended that you take a close look at message tracking, as problems can usually be identified quickly.