Exchange 2010 Message Tracking

Exchange includes a useful tool for checking on e-mail messages called Exchange Message Tracking. Exchange 2010 message tracking lets administrators consult the message tracking logs to determine whether or not a message was delivered, and whether it was sent between internal users, from an external sender to an internal user, or from an internal user to an external address. The tracking search is a browser-based tool that can be launched from the Exchange Management Console or opened in the Exchange Control Panel through Outlook Web Access, and it gives the Exchange admin a simple, quick interface for checking on a message whether it was sent by an internal user or to one from an external sender.

What is message tracking?

Exchange 2010 message tracking automatically generates text log files that can be used for troubleshooting, reporting, mail flow analysis, and forensics. It is enabled by default on Edge Transport, Hub Transport, and Mailbox servers. These servers store the message tracking logs by default in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking. Hub Transport and Edge Transport servers name the files MSGTRKyyyymmdd-nnnn.log; Mailbox servers name them MSGTRKMyyyymmdd-nnnn.log, which is how you can tell transport logs from mail submission logs when files have been copied off a server.


Logs are rotated out as the limits are reached: when the directory size limit or the maximum age is exceeded, the oldest files are deleted, so anything that may be needed for an investigation should be copied off (or collected centrally) before it rolls over. From http://technet.microsoft.com/en-us/library/bb124375.aspx, each Exchange 2010 message tracking log file begins with the following header lines:

  • #Software:   The name of the software that created the message tracking log file. Typically, the value is Microsoft Exchange Server.
  • #Version:   The version number of the software that created the message tracking log file. Currently, the value is 14.0.0.0.
  • #Log-Type:   The value of this field is Message Tracking Log.
  • #Date:   The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
  • #Fields:   The comma-delimited field names that are used in the message tracking log file. The individual fields are described in the field table later in this article.

Every line after the header is one event. The event types are:

Event name   Description

BADMAIL   A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned.
DELIVER   A message was delivered to a mailbox.
DEFER   Message delivery was delayed.
DSN   A delivery status notification (DSN) was generated.
DUPLICATEDELIVER   A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of two distribution groups. Duplicate messages are detected and removed by the information store.
EXPAND   A distribution group was expanded.
FAIL   Message delivery failed.
POISONMESSAGE   A message was put in the poison message queue or removed from the poison message queue.
RECEIVE   A message was received and committed to the database. The RECEIVE event can be an SMTP receive (Source: SMTP) or mail submitted by the store driver (Source: STOREDRIVER).

   SMTP RECEIVE can be from any source that submits a message by using SMTP. For example, it can be a Hub Transport server role, an Edge Transport server role, a third-party message transfer agent (MTA), or a POP/IMAP client.

   STOREDRIVER RECEIVE is logged by the EdgeTransport.exe process, and is the event that corresponds to a STOREDRIVER SUBMIT event. STOREDRIVER SUBMIT is logged by the Mail Submission process. These events can be on the same server if both server roles are installed locally, or they can be on different servers.

   Note: EdgeTransport.exe and MSExchangeTransport.exe are the executable files that are used by the Microsoft Exchange Transport service. This service runs on every Hub Transport server or Edge Transport server.

REDIRECT   A message was redirected to an alternative recipient after an Active Directory directory service lookup.
RESOLVE   A message's recipients were resolved to a different e-mail address after an Active Directory lookup.
SEND   A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server.
SUBMIT   A SUBMIT event is logged by the Mail Submission service on a server that is running the Mailbox server role. The SUBMIT event is logged when the service has successfully notified a Hub Transport server that a message is awaiting submission in the mailbox store. The SourceContext property provides the Messaging Database (MDB) GUID, Mailbox GUID, event sequence number, message class, creation time stamp of the client submission to the store, and client type. The client type can be User (Outlook direct MAPI), RPCHTTP (Outlook Anywhere), Outlook Web Access, Exchange Web Services (EWS), Exchange ActiveSync, Assistants, or Transport. The message tracking logs that are generated by the Mailbox server role contain only SUBMIT events.
TRANSFER   Recipients were moved to a forked message because of content conversion, message recipient limits, or agents.

General descriptions of the fields that are used to classify each message tracking event are given below.

Field name   Description

date-time   The UTC date-time of the message tracking event, which is represented in the ISO 8601 format. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
client-ip   The TCP/IP address of the messaging server or messaging client that submitted the message.
client-hostname   The name of the messaging server or messaging client that submitted the message.
server-ip   The TCP/IP address of the source or destination Exchange server.
server-hostname   The name of the destination server. For a SEND event this is the next hop the message was handed to, not the local server.
source-context   Extra information associated with the source field.
connector-id   The name of the source or destination Send connector or Receive connector.
source   The Exchange transport component responsible for the message tracking event. The possible values for this field are as follows:
  • ADMIN for Replay directory submission
  • AGENT
  • DSN
  • GATEWAY for Foreign connector submission
  • PICKUP
  • ROUTING
  • SMTP
  • STOREDRIVER for MAPI submission

event-id   The message event type. These events are described in the event table above. The possible values are BADMAIL, DEFER, DELIVER, DSN, DUPLICATEDELIVER, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER.
internal-message-id   A message identifier that is assigned by the Exchange 2010 server that is currently processing the message. A specific message's internal-message-id value is different in the message tracking log of every Exchange 2010 server that is involved in the delivery of the message, so it cannot be used to correlate events across servers.
message-id   The value of the Message-Id: field found in the message's header fields. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message, which makes it the key to use when following one message across several servers.
recipient-address   The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;).
recipient-status   This field is populated for a SEND event or a FAIL event: for SEND it holds the SMTP response returned by the next hop, and for FAIL it holds the reason delivery failed.
total-bytes   The size of the message that includes attachments, in bytes.
recipient-count   The number of recipients in the message.
related-recipient-address   This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message.
reference   This field contains additional information for specific types of events:

   DSN   The Reference field contains the Internet-Message-Id of the message that caused the DSN.

   SEND   The Reference field contains the Internet-Message-Id of any delivery status notification (DSN) messages.

   TRANSFER   The Reference field contains the Internal-Message-Id of the message that is being forked.

   For all other types of events, the Reference field is blank.

message-subject   The message's subject found in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportServer cmdlet for Hub Transport servers and Edge Transport servers, or in the Set-MailboxServer cmdlet for Mailbox servers. By default, message subject tracking is enabled. Message subject logging can be disabled by setting the value of the MessageTrackingLogSubjectLoggingEnabled parameter to $false; consider doing so if subjects are more sensitive than routing metadata in your organization, since everyone who can read the logs can read them.
sender-address   The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.
return-path   The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>.
message-info   This field contains the message origination date-time for DELIVER and SEND events. The origination date-time is the time that the message first enters the Exchange organization. The value is formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
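The field layout above is all you need to read a tracking log without a live Exchange server, which is the situation in a forensic review where the files were copied off the box. The following PowerShell is an added example, not code from the original article or from Microsoft: it parses a raw MSGTRK log using the column names the file declares in its own #Fields header, then rebuilds one message's path by its message-id (the value that stays constant across servers, unlike internal-message-id). The log text is constructed for illustration; the hostnames, addresses, IDs and timestamps are made up, but the header lines and field order follow the format documented above.

```powershell
# Added example (not from the original article): parse a raw Exchange 2010
# message tracking log offline and rebuild one message's path from its
# Message-Id. The log content below is CONSTRUCTED sample data; only the
# layout (header lines, field order) follows the documented format.

$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-Type: Message Tracking Log
#Date: 2011-03-07T08:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2011-03-07T08:01:02.110Z,203.0.113.25,mail.partner.example,10.0.0.5,HUB01,08CDB6E3A1F2C3D4;2011-03-07T08:01:02.100Z;0,HUB01\Default HUB01,SMTP,RECEIVE,1201,<abc123@mail.partner.example>,alice@corp.example;bob@corp.example,,14231,2,,,Invoice 4471,vendor@partner.example,vendor@partner.example,
2011-03-07T08:01:03.450Z,10.0.0.5,HUB01,10.0.0.7,MBX01,,,STOREDRIVER,DELIVER,1201,<abc123@mail.partner.example>,alice@corp.example,,14231,1,,,Invoice 4471,vendor@partner.example,vendor@partner.example,2011-03-07T08:01:02.110Z
2011-03-07T08:01:03.470Z,10.0.0.5,HUB01,10.0.0.7,MBX01,,,STOREDRIVER,FAIL,1201,<abc123@mail.partner.example>,bob@corp.example,554 5.2.2 mailbox full,14231,1,,,Invoice 4471,vendor@partner.example,vendor@partner.example,
2011-03-07T09:15:00.000Z,10.0.0.7,MBX01,10.0.0.5,HUB01,,,STOREDRIVER,RECEIVE,1202,<def456@HUB01.corp.example>,vendor@partner.example,,8120,1,,,"Re: Invoice 4471, revised",alice@corp.example,alice@corp.example,
2011-03-07T09:15:01.200Z,10.0.0.5,HUB01,198.51.100.10,mx.partner.example,08CDB6E3A1F2C3E1,Internet Send Connector,SMTP,SEND,1202,<def456@HUB01.corp.example>,vendor@partner.example,250 2.6.0 <def456@HUB01.corp.example> Queued mail for delivery,8120,1,,,"Re: Invoice 4471, revised",alice@corp.example,alice@corp.example,2011-03-07T09:15:00.000Z
'@

function ConvertFrom-MessageTrackingLog {
    # Turn the lines of one MSGTRK*.log file into one object per event, using
    # the column names the file declares in its #Fields header line.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found; this is not a message tracking log.' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    # Skip the # header lines and blanks. ConvertFrom-Csv handles quoted
    # subjects that contain commas, such as "Re: Invoice 4471, revised".
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header
}

function Get-MessagePath {
    # All events for one Message-Id in time order. ISO 8601 timestamps sort
    # correctly as plain strings, so no date parsing is needed.
    param([Parameter(Mandatory=$true)][object[]]$Events,
          [Parameter(Mandatory=$true)][string]$MessageId)
    $Events | Where-Object { $_.'message-id' -eq $MessageId } | Sort-Object 'date-time' | ForEach-Object {
        New-Object PSObject -Property @{
            Time       = $_.'date-time'
            Server     = $_.'server-hostname'   # for SEND this is the next hop, not the local server
            Source     = $_.'source'
            Event      = $_.'event-id'
            Recipients = $_.'recipient-address'
            Status     = $_.'recipient-status'  # SMTP reply (SEND) or failure reason (FAIL)
        }
    }
}

$events = ConvertFrom-MessageTrackingLog -Lines ($sampleLog -split "`r?`n")

# Inbound message: delivered to one recipient, failed for the other.
Get-MessagePath -Events $events -MessageId '<abc123@mail.partner.example>' |
    Format-Table Time, Server, Source, Event, Recipients, Status -AutoSize

# Outbound message: the SEND row carries the next hop and its SMTP reply.
Get-MessagePath -Events $events -MessageId '<def456@HUB01.corp.example>' |
    Format-Table Time, Server, Source, Event, Recipients, Status -AutoSize

# Every FAIL in the log with its reason, regardless of message.
$events | Where-Object { $_.'event-id' -eq 'FAIL' } |
    Format-Table 'date-time', 'recipient-address', 'recipient-status', 'message-subject' -AutoSize
```

To run it against real files, replace the here-string with `Get-Content` over the copied MSGTRK*.log files (one call per file, since each file carries its own #Fields header) and collect the results into one array before calling Get-MessagePath. The functions use only cmdlets available in PowerShell 2.0, which is what the Exchange 2010 Management Shell runs on.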

What can you do with it?

Whether you are troubleshooting a problem with message delivery, trying to run down a possible policy violation, or reconstructing events, Exchange 2010 Message Tracking enables you to search on:

  • Messages sent to a specific address,
  • Messages received from a specific address, or
  • Words in the subject line.

The results enable you to determine the final disposition of messages that are destined for internal mailboxes, as well as whether or not your Exchange infrastructure passed a message on to an external system. You can view the results, generate a report, and e-mail the results to an address of your choosing.

How do you configure it?

Logging is enabled by default on all Edge Transport, Hub Transport, and Mailbox servers, but you can disable it if you wish by setting the MessageTrackingLogEnabled parameter to $false on the same cmdlets described below. Files are limited to 10 MB by default, the directory size is limited to 250 MB, and files older than the maximum age (30 days by default) are deleted. You can use the Exchange Management Shell to change these limits; the defaults are good enough for day-to-day troubleshooting, but they are short for forensic purposes, so raise the age and directory limits or collect the logs centrally if you expect to reconstruct events from weeks ago. See the online help for either Set-TransportServer or Set-MailboxServer and the -MessageTrackingLogMaxFileSize, -MessageTrackingLogMaxDirectorySize, and -MessageTrackingLogMaxAge parameters if you want to change these values.
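The following Exchange Management Shell snippet is an added example, not from the original article: it sets the logging parameters explicitly on every Hub Transport and Mailbox server and reads them back so a server left at the defaults is easy to spot. The 90-day retention and 2 GB directory size are illustrative choices, not values the article recommends; size them for your own mail volume. Subject logging is turned off here on the assumption that subjects are more sensitive than the routing metadata, which is a policy decision rather than a technical requirement.

```powershell
# Added example (not from the original article): make message tracking
# settings explicit on all Hub Transport and Mailbox servers and verify them.
# Retention and size values are illustrative; the directory limit must be
# larger than the per-file limit or the cmdlet rejects the change.

$settings = @{
    MessageTrackingLogEnabled               = $true
    MessageTrackingLogMaxAge                = '90.00:00:00'   # default is 30 days
    MessageTrackingLogMaxDirectorySize      = 2GB             # default is much smaller; size for your volume
    MessageTrackingLogMaxFileSize           = 10MB            # the default
    MessageTrackingLogSubjectLoggingEnabled = $false          # default is $true; subjects are often the sensitive part
}

# Hub Transport servers use Set-TransportServer ...
Get-ExchangeServer | Where-Object { $_.IsHubTransportServer } | ForEach-Object {
    Set-TransportServer -Identity $_.Name @settings
}

# ... and Mailbox servers (mail submission logs) use Set-MailboxServer with the same parameter names.
Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | ForEach-Object {
    Set-MailboxServer -Identity $_.Name @settings
}

# Verify: anything still at a default age or with subject logging on stands out.
$columns = 'Name', 'MessageTrackingLogEnabled', 'MessageTrackingLogMaxAge',
           'MessageTrackingLogMaxDirectorySize', 'MessageTrackingLogSubjectLoggingEnabled'
Get-TransportServer | Select-Object $columns | Format-Table -AutoSize
Get-MailboxServer   | Select-Object $columns | Format-Table -AutoSize
```

Edge Transport servers are not members of the Active Directory forest and do not appear in Get-ExchangeServer, so run the Set-TransportServer line locally on each Edge server.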


How do you use it?

The fastest way to launch Message Tracking is from the Exchange Management Console Toolbox.


You can also get to it from Outlook Web Access by choosing Options, Manage My Organization, Mail Control, Delivery Reports. However you get there, your account needs Exchange admin rights (an RBAC role that includes message tracking, such as the Records Management or Organization Management role group) to check on messages for all users; an ordinary user sees only reports for their own mailbox. The browser interface requires you to select either the sender or the recipient before you can enter search criteria. When external users are part of your search, as either the sender or the recipient, you still click the "Select users..." button; there you can choose contacts from the GAL or enter free-form e-mail addresses. Note that you can search based either on the sender or on the recipient, not both.

Enter your criteria and the wizard will run the search and display the results in the pane below. Select a message, then click the details button to learn its status. Messages delivered to internal mailboxes provide much more information than those sent to external addresses, including the date and time the message was delivered and the FQDN of the external system that handed the message to your Exchange server. Outbound messages are not as data rich in this interface; it shows only the date and time the message was transferred to an external system, and final delivery, the next-hop hostname, and other details are lacking. The SEND event in the underlying log does record the next hop and its SMTP reply, so if you need that, query the log from the Exchange Management Shell instead.
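When the browser tool does not show enough, the same logs can be queried from the Exchange Management Shell with Get-MessageTrackingLog. The script below is an added example, not from the original article: the first function finds candidate Message-Ids from a sender and recipient (the search most users can describe), and the second follows one Message-Id across every Hub Transport server in time order, exposing the next-hop host, Send connector and remote SMTP reply on the SEND row that the GUI omits. The addresses, server names and Message-Id are placeholders.

```powershell
# Added example (not from the original article): trace one message across all
# Hub Transport servers with Get-MessageTrackingLog. Placeholders throughout.

function Find-MessageId {
    # Locate candidate Message-Ids when the user only knows who sent what to whom.
    # -Sender and -Recipients match exact addresses; -MessageSubject (not used
    # here) is a substring match. Only RECEIVE events are needed to identify a message.
    param(
        [string]$Sender,
        [string]$Recipient,
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date)
    )
    $params = @{ Start = $Start; End = $End; EventId = 'RECEIVE'; ResultSize = 'Unlimited' }
    if ($Sender)    { $params['Sender']     = $Sender }
    if ($Recipient) { $params['Recipients'] = $Recipient }
    Get-ExchangeServer | Where-Object { $_.IsHubTransportServer } | ForEach-Object {
        Get-MessageTrackingLog -Server $_.Name @params
    } | Select-Object Timestamp, MessageId, Sender, MessageSubject -Unique
}

function Trace-Message {
    # Every event for one Message-Id from every Hub Transport server, merged and
    # sorted. ResultSize Unlimited avoids the default cap of 1000 results.
    param(
        [Parameter(Mandatory=$true)][string]$MessageId,
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date)
    )
    Get-ExchangeServer | Where-Object { $_.IsHubTransportServer } | ForEach-Object {
        Get-MessageTrackingLog -Server $_.Name -MessageId $MessageId `
            -Start $Start -End $End -ResultSize Unlimited
    } | Sort-Object Timestamp | Select-Object Timestamp, EventId, Source,
        @{ n = 'Server';     e = { $_.ServerHostname } },           # next hop on SEND rows
        @{ n = 'Recipients'; e = { $_.Recipients -join ';' } },
        @{ n = 'Status';     e = { $_.RecipientStatus -join ';' } }, # remote SMTP reply on SEND, reason on FAIL
        ConnectorId, ClientHostname, ClientIp
}

# 1. Which messages did alice send to the vendor in the last week?
Find-MessageId -Sender 'alice@corp.example' -Recipient 'vendor@partner.example' | Format-Table -AutoSize

# 2. Follow one of them end to end.
Trace-Message -MessageId '<def456@HUB01.corp.example>' | Format-Table -AutoSize
```

Edge Transport servers are not returned by Get-ExchangeServer; run Get-MessageTrackingLog locally on each Edge server and merge the results if mail leaves through an Edge. A message that the Hub handed to the Edge shows as SEND on the Hub and RECEIVE on the Edge, with different InternalMessageId values but the same MessageId.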

You can send the results of a message tracking query in an e-mail by clicking the button. Since you are probably checking on the status of a message for some user, sending them the results is a convenient way to provide the information they requested. Keep in mind that the report includes addresses, timestamps, and (with subject logging enabled) the subject of every matching message, so only send it to someone entitled to see that information about the other parties involved.

So the next time a user wants to know what happened to a message, HR wants to track an issue, or you suspect a routing problem, use Exchange 2010 Message Tracking to find the answers.
