Auditing Transport Rules 2

Hram Admin 40 Reputation points
2025-01-30T14:02:07.15+00:00

Hello!

I've already asked the question on auditing transport rules but I still don't understand the following:

Suppose there's a rule that appends the signature when the mail is being sent from IT department:

..and my goal is to find WHICH MESSAGES THIS RULE HAS BEEN APPLIED TO.

The method described in the previous post -

(Get-TransportService | Get-MessageTrackingLog -MessageSubject "TestEmail" -Start "04/01/2022 09:00:00" -End "04/08/2022 18:00:00" -Source Agent).EventData.value | where{$_ -like "*RuleID*" -and $_ -like "*Action=*"}

...answers another question: HAS ANY RULE BEEN APPLIED TO THIS PARTICULAR MESSAGE?

Here's my test: I send two messages for which the rule must be fired:

The rule does really fire up and I want to find those messages in the logs:

[PS] C:\Windows\system32>(Get-TransportService | Get-MessageTrackingLog -Start "01/27/2024 09:00:00" -End "01/28/2025 21:00:00" -Source Agent).EventData.value | where{$_ -like "*f94242a7-ebe6-46f4-9612-ec4745b26353*" -and $_ -like "*Action=*"}

There're two issues here:

  1. each message has 3 or 2 lines in the command's output so it's not clear how many messages were processed by the rule
  2. there're no message ID or subject to identify the message

Is there a way to solve these problems?

Regards,

Michael


Accepted answer
  1. Jake Zhang-MSFT 8,935 Reputation points Microsoft Vendor
    2025-01-31T02:51:36.6733333+00:00

    Hi @Hram Admin ,

    Welcome to the Microsoft Q&A platform!

    Based on your description, you are trying to track which specific messages have a specific transport rule applied to them. To solve the problem you are facing, you can modify the PowerShell command to include more detailed information about each message, such as the message ID and subject. Here is an updated approach:

    1. You can use Select-Object to specify the properties you want to see in the output.
    2. Make sure you filter the messages correctly based on the rule ID and action.

    Here is an example of how to do this:

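    # Time window to search and the GUID of the transport rule of interest
    $startDate = "01/27/2024 09:00:00"
    $endDate = "01/28/2025 21:00:00"
    $ruleID = "f94242a7-ebe6-46f4-9612-ec4745b26353"
    # Query Agent events on every transport server, keep entries whose EventData
    # mentions the rule ID and an action, and show which message each one belongs to
    Get-TransportService | Get-MessageTrackingLog -Start $startDate -End $endDate -Source Agent |
    Where-Object { $_.EventData -like "*$ruleID*" -and $_.EventData -like "*Action=*" } |
    Select-Object MessageId, MessageSubject, EventData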
    

    This command will:

    1. Retrieve the message tracking log for the specified date range.
    2. Filter the log to include only those where the specified rule ID and action exist.
    3. Select and display the message ID, subject, and event data for each matching message.

    Notes:

    I noticed that your picture leaked privacy, and I have covered it for you. I hope you will pay attention to privacy protection when posting cases on the forum in the future to avoid unnecessary losses. Thanks for your understanding!


    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang
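
To address both points in the question (how many messages the rule processed, and which ones), the matching log rows can be grouped by message. This is an added example, not code from either poster; the function name `Get-RuleHitsByMessage`, the helper `New-SampleRow`, the sample rows and the layout of the `EventData` values are constructed for illustration.

```powershell
# Added example: collapse per-event tracking rows into one row per message.
function Get-RuleHitsByMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $LogEntry,
        [Parameter(Mandatory)] [guid] $RuleId
    )
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        # EventData is a list of key/value pairs; keep values that name this rule.
        foreach ($value in @($LogEntry.EventData).Value) {
            if ("$value" -like "*$RuleId*" -and "$value" -match 'action=([^|;]+)') {
                $hits.Add([pscustomobject]@{
                    MessageId = $LogEntry.MessageId
                    Subject   = $LogEntry.MessageSubject
                    Action    = $Matches[1]
                })
            }
        }
    }
    end {
        # One output row per MessageId, with how often the rule was logged for it.
        $hits | Group-Object MessageId | ForEach-Object {
            [pscustomobject]@{
                MessageId = $_.Name
                Subject   = $_.Group[0].Subject
                RuleHits  = $_.Count
                Actions   = ($_.Group.Action | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample rows shaped like Get-MessageTrackingLog -Source Agent output
# (the EventData value layout is an assumption, not copied from a real log).
$rule = 'f94242a7-ebe6-46f4-9612-ec4745b26353'
function New-SampleRow($id, $subject, $value) {
    [pscustomobject]@{ MessageId = $id; MessageSubject = $subject
                       EventData = @([pscustomobject]@{ Key = 'TRA'; Value = $value }) }
}
$sample = @(
    New-SampleRow '<a1@contoso.test>' 'Test 1' "ETR|ruleId=$rule|action=ApplyHtmlDisclaimer"
    New-SampleRow '<a1@contoso.test>' 'Test 1' "ETR|ruleId=$rule|action=ApplyHtmlDisclaimer"
    New-SampleRow '<b2@contoso.test>' 'Test 2' "ETR|ruleId=$rule|action=ApplyHtmlDisclaimer"
    New-SampleRow '<c3@contoso.test>' 'Other'  'ETR|ruleId=00000000-0000-0000-0000-000000000000|action=SetHeader'
)
$sample | Get-RuleHitsByMessage -RuleId $rule | Format-Table -AutoSize

# Live use (-ResultSize Unlimited lifts the default cap of 1000 rows):
# Get-TransportService | Get-MessageTrackingLog -Start $startDate -End $endDate -Source Agent -ResultSize Unlimited | Get-RuleHitsByMessage -RuleId $ruleID
```

With the sample rows this returns two messages, one with `RuleHits` of 2 and one with 1, so the row count is the number of messages the rule touched and repeated log entries show up as a count rather than as extra lines.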


1 additional answer

  1. Hram Admin 40 Reputation points
    2025-02-07T09:59:56.3866667+00:00

    Hi Jake Zhang,

    I must apologize - seems the problem is in the log itself: all messages do really get logged as the ones for which the rule has been applied - I don't know why for now - but the most interesting fact is this: out of all messages only two of them - the last two - have the rule with the id=f94242a7-ebe6-46f4-9612-ec4745b26353 logged twice, with the Action=ApplyHtmlDisclaimer, so the main question is why do some messages have only one occurrence of the RuleID=f94242a7-ebe6-46f4-9612-ec4745b26353 in the log while some of them get logged twice in the same log but it's not the question I originally posted so...

    Thank you so much for your help!

    Regards,
    Michael Firsov
