

How to track a message in Exchange 2003/2007/2010

Message tracking versions

· Exchange 2003

o The structure is different: still CSV, but the fields are not compatible with Exchange 2007 or Exchange 2010.

o Message tracking will stop at the last Exchange 2003 server.

· Exchange 2007

o Message tracking from 2003/2010 will stop. Exchange 2007 tracking will only track on 2007 servers; the tracking fields are different.

· Exchange 2010

o Message tracking from 2003/2007 will stop. Exchange 2010 tracking will only track on 2010 servers; the tracking fields are different.

 

Exchange Tracking logs fields / events

Exchange 2003 *See Appendix I

· https://support.microsoft.com/kb/246965

· https://support.microsoft.com/kb/821905

Exchange 2007 *See Appendix II

· https://technet.microsoft.com/en-us/library/cc539064.aspx  

· https://technet.microsoft.com/en-us/library/cc539063.aspx

Exchange 2010 *See Appendix III

· This is really the Exchange 2007 reference, since the Exchange 2010 documentation is NOT updated; note that there are some differences.

· https://technet.microsoft.com/en-us/library/bb124926(EXCHG.80).aspx  

How to Track a Message via PowerShell effectively

Get-MessageTrackingLog

So the best way to track a message is via its Message ID. You can retrieve this from the NDR, or you can search by Sender / Recipient, but note that this will return all messages that recipient received or that sender sent.

Now here is an issue with Exchange 2010 / Outlook 2010: the message in Sent Items does not have a Message ID, as that is only assigned once it hits the Hub.

So to find the Message ID you need the Sender and Recipient addresses and the Subject; the Time will also help if they send a lot of messages between them.

 

1. Try with Sender/Recipient/Subject and Time (give yourself a pretty good range). What the GUI does for you is filter on the RECEIVE event, but you can do it this way as well. Be careful of the event order: sort by Timestamp by adding "| Sort-Object -Property Timestamp" before any "| FL".

Get-MessageTrackingLog -Sender "Sender@domain.com" -Recipients "Recipient@domain.com" -MessageSubject "Subject of Message" -Start "3/28/2011 8:00AM" -End "3/28/2011 5:00PM"

NOW be careful! In this example a single message was caught. That will not always be the case.

2. Next, add | FL Sender, Recipients, MessageSubject, MessageId

Get-MessageTrackingLog -Sender "Sender@domain.com" -Recipients "Recipient@domain.com" -MessageSubject "Subject of Message" -Start "3/28/2011 8:00AM" -End "3/28/2011 5:00PM" | FL Sender, Recipients, MessageSubject, MessageId

Now look at the MessageId; we will then track the message via its MessageId. This is the BEST way to track a message.

3. Now add -MessageId "MessageId" and change the output to | FL * (this gets all fields)

Get-MessageTrackingLog -Sender "Sender@domain.com" -Recipients "Recipient@domain.com" -MessageSubject "Subject of Message" -Start "3/28/2011 8:00AM" -End "3/28/2011 5:00PM" -MessageId "MessageId" | FL *

Hint: PSComputerName is at the top of each entry.

 

4. OK, now that we have this, what does it mean?

a. Since ClientHostName and ServerHostName are the same server, the message was sent from this server to itself (this was done with a PowerShell SMTP send script). Typically the ClientHostName will be the remote server submitting the message.

b. Since Source is SMTP and the Event is RECEIVE, the ClientHostName submitted the message via SMTP to the ServerHostName.

c. From EventData (FirstForestHop) I can also tell this was the first hop in the org.

d. OK, it was received; what next?

e. Now look at ClientHostName and ServerHostName in the second entry: the client is the CAS/Hub server (LAB-E2k10CSHT01) and the server is the Mailbox role server (LAB-E2K10MBX02).

f. Since the Source is STOREDRIVER and the Event is DELIVER, the message was delivered to the mailbox store.
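Steps 1 to 3 above as one function, added here as an example (not code from the original post). It assumes the Exchange 2010 Management Shell; Find-MessageIdForTracking is a hypothetical name, and the usage values are taken from the lab output below.

```powershell
# Added example, not from the original post. Runs steps 1-3 in one go.
# Assumes the Exchange 2010 Management Shell; the function name is hypothetical.
function Find-MessageIdForTracking {
    param(
        [Parameter(Mandatory=$true)][string]$Sender,
        [Parameter(Mandatory=$true)][string]$Recipient,
        [Parameter(Mandatory=$true)][string]$Subject,
        [Parameter(Mandatory=$true)][datetime]$Start,
        [Parameter(Mandatory=$true)][datetime]$End
    )

    # Step 1: narrow by sender/recipient/subject/time window. Like the GUI, keep only
    # RECEIVE events so each submission shows up once, and sort by Timestamp before
    # anything is formatted so the event order is right.
    $candidates = @(Get-MessageTrackingLog -Sender $Sender -Recipients $Recipient `
        -MessageSubject $Subject -Start $Start -End $End -ResultSize Unlimited |
        Where-Object { $_.EventId -eq 'RECEIVE' } |
        Sort-Object -Property Timestamp)

    # Step 2: one group per distinct MessageId. This is the "single message caught"
    # check: more than one group means the filter is still too wide to pick
    # a MessageId automatically, so list the candidates instead.
    $byId = @($candidates | Group-Object -Property MessageId)
    if ($byId.Count -eq 0) {
        Write-Warning 'No RECEIVE events matched; widen the time range or check the subject.'
        return
    }
    if ($byId.Count -gt 1) {
        Write-Warning "$($byId.Count) distinct messages matched; choose a MessageId from the list."
        return $candidates | Format-List Timestamp, Sender, Recipients, MessageSubject, MessageId
    }

    # Step 3: exactly one message, so track it by MessageId and return every field.
    # The logged value is wrapped in <>; the post's own command passes it without them.
    $messageId = $byId[0].Name.Trim('<', '>')
    Get-MessageTrackingLog -MessageId $messageId -Start $Start -End $End -ResultSize Unlimited |
        Sort-Object -Property Timestamp
}

# Usage with the values from the post's lab output:
Find-MessageIdForTracking -Sender 'User19-DB01@TailSpinToys.com' `
    -Recipient 'User1-DB01@TailSpinToys.com' -Subject 'Origins of Legislation' `
    -Start '4/19/2011 4:43:30 PM' -End '4/19/2011 4:50:30 PM' | Format-List *
```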

First PowerShell output:

 

[PS] C:\>Get-MessageTrackingLog -Sender User19-DB01@TailSpinToys.com -Recipients User1-DB01@TailSpinToys.com -MessageSubject "Origins of Legislation" -Start "4/19/2011 4:43:30 PM" -End "4/19/2011 4:50:30 PM" -MessageID "1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com" | fl *

PSComputerName : lab-e2k10csht01.tailspintoys.com
RunspaceId : a241bdf5-c2c6-4c99-8e5a-b395faa5e67a
Timestamp : 4/19/2011 4:45:30 PM
ClientIp : fe80::89dc:2ad8:e3b:c03%13
ClientHostname : LAB-E2k10CSHT01
ServerIp : fe80::89dc:2ad8:e3b:c03%13
ServerHostname : LAB-E2k10CSHT01
SourceContext : 08CDCCED60881B31;2011-04-19T21:45:30.419Z;0
ConnectorId : LAB-E2K10CSHT01\Default LAB-E2K10CSHT01
Source : SMTP
EventId : RECEIVE
InternalMessageId : 270
MessageId : <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com>
Recipients : {User1-DB01@TailSpinToys.com}
RecipientStatus : {}
TotalBytes : 4146
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Origins of Legislation
Sender : User19-DB01@TailSpinToys.com
ReturnPath : User19-DB01@TailSpinToys.com
MessageInfo : 0aI: NTS:
MessageLatency :
MessageLatencyType : None
EventData : {[FirstForestHop, LAB-E2K10CSHT01.TailSpinToys.com]}

PSComputerName : lab-e2k10csht01.tailspintoys.com
RunspaceId : a241bdf5-c2c6-4c99-8e5a-b395faa5e67a
Timestamp : 4/19/2011 4:45:30 PM
ClientIp :
ClientHostname : LAB-E2k10CSHT01
ServerIp :
ServerHostname : LAB-E2K10MBX02
SourceContext : 08CDCCED60881B32;2011-04-19T21:45:30.575Z;0
ConnectorId :
Source : STOREDRIVER
EventId : DELIVER
InternalMessageId : 270
MessageId : <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com>
Recipients : {User1-DB01@TailSpinToys.com}
RecipientStatus : {}
TotalBytes : 4318
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Origins of Legislation
Sender : User19-DB01@TailSpinToys.com
ReturnPath : User19-DB01@TailSpinToys.com
MessageInfo : 2011-04-19T21:45:30.450Z;SRV=LAB-E2K10CSHT01.TailSpinToys.com:TOTAL=0
MessageLatency : 00:00:00.2970000
MessageLatencyType : EndToEnd
EventData : {[MailboxDatabaseName, e2k10db01]}

The same example pulled from the raw log into Excel, to compare the fields:

#Fields: (first record, RECEIVE)
date-time 2011-04-19T21:45:30.560Z
client-ip fe80::89dc:2ad8:e3b:c03%13
client-hostname LAB-E2k10CSHT01
server-ip fe80::89dc:2ad8:e3b:c03%13
server-hostname LAB-E2k10CSHT01
source-context 08CDCCED60881B31;2011-04-19T21:45:30.419Z;0
connector-id LAB-E2K10CSHT01\Default LAB-E2K10CSHT01
source SMTP
event-id RECEIVE
internal-message-id 270
message-id <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com>
recipient-address User1-DB01@TailSpinToys.com
recipient-status
total-bytes 4146
recipient-count 1
related-recipient-address
reference
message-subject Origins of Legislation
sender-address User19-DB01@TailSpinToys.com
return-path User19-DB01@TailSpinToys.com
message-info 0aI: NTS:
directionality Originating
tenant-id
original-client-ip fe80::89dc:2ad8:e3b:c03%13
original-server-ip fe80::89dc:2ad8:e3b:c03%13
custom-data S:FirstForestHop=LAB-E2K10CSHT01.TailSpinToys.com

#Fields: (second record, DELIVER)
date-time 2011-04-19T21:45:30.747Z
client-ip
client-hostname LAB-E2k10CSHT01
server-ip
server-hostname LAB-E2K10MBX02
source-context 08CDCCED60881B32;2011-04-19T21:45:30.575Z;0
connector-id
source STOREDRIVER
event-id DELIVER
internal-message-id 270
message-id <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com>
recipient-address User1-DB01@TailSpinToys.com
recipient-status
total-bytes 4318
recipient-count 1
related-recipient-address
reference
message-subject Origins of Legislation
sender-address User19-DB01@TailSpinToys.com
return-path User19-DB01@TailSpinToys.com
message-info 2011-04-19T21:45:30.450Z;SRV=LAB-E2K10CSHT01.TailSpinToys.com:TOTAL=0
directionality Originating
tenant-id
original-client-ip
original-server-ip
custom-data S:MailboxDatabaseName=e2k10db01

Compare table (a row with no PowerShell name is a field that exists only in the logs; a row with no log name is a field that exists only in PowerShell):

| PowerShell | Logs | Actual data |
|---|---|---|
| Timestamp | date-time | 2011-04-19T21:45:30.560Z |
| ClientIp | client-ip | fe80::89dc:2ad8:e3b:c03%13 |
| ClientHostname | client-hostname | LAB-E2k10CSHT01 |
| ServerIp | server-ip | fe80::89dc:2ad8:e3b:c03%13 |
| ServerHostname | server-hostname | LAB-E2k10CSHT01 |
| SourceContext | source-context | 08CDCCED60881B31;2011-04-19T21:45:30.419Z;0 |
| ConnectorId | connector-id | LAB-E2K10CSHT01\Default LAB-E2K10CSHT01 |
| Source | source | SMTP |
| EventId | event-id | RECEIVE |
| InternalMessageId | internal-message-id | 270 |
| MessageId | message-id | <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com> |
| Recipients | recipient-address | User1-DB01@TailSpinToys.com |
| RecipientStatus | recipient-status | {} |
| TotalBytes | total-bytes | 4146 |
| RecipientCount | recipient-count | 1 |
| RelatedRecipientAddress | related-recipient-address | |
| Reference | reference | |
| MessageSubject | message-subject | Origins of Legislation |
| Sender | sender-address | User19-DB01@TailSpinToys.com |
| ReturnPath | return-path | User19-DB01@TailSpinToys.com |
| MessageInfo | message-info | 0aI: NTS: |
| | directionality | Originating |
| | tenant-id | |
| | original-client-ip | fe80::89dc:2ad8:e3b:c03%13 |
| | original-server-ip | fe80::89dc:2ad8:e3b:c03%13 |
| | custom-data | |
| MessageLatency | | |
| MessageLatencyType | | None |
| EventData | | {[FirstForestHop, LAB-E2K10CSHT01.TailSpinToys.com]} |

Advanced PowerShell Examples

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "<messageid>" | Select-Object <commaseparatedfieldnames> | Sort-Object -Property <field>

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "ba18339e-8151-4ff3-aeea-87ccf5fc9796@contoso.com" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp

What does this do? It searches every Exchange server (Hub and Mailbox) for the Message ID listed, selects specific attributes and then sorts them.

In this case it outputs Timestamp, ServerHostname, ClientHostname, Source, EventId and Recipients in a nice, easy-to-read format:

[PS] C:\Windows\system32>Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -MessageId "1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp

Timestamp : 4/19/2011 4:45:30 PM
ServerHostname : LAB-E2k10CSHT01
ClientHostname : LAB-E2k10CSHT01
Source : SMTP
EventId : RECEIVE
Recipients : {User1-DB01@TailSpinToys.com}

Timestamp : 4/19/2011 4:45:30 PM
ServerHostname : LAB-E2K10MBX02
ClientHostname : LAB-E2k10CSHT01
Source : STOREDRIVER
EventId : DELIVER
Recipients : {User1-DB01@TailSpinToys.com}

[PS] C:\Windows\system32>
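The cross-server search above as a function that also reports the gap between consecutive events and warns when a message was received but never reached a DELIVER, SEND or FAIL event on any server searched, added here as an example (not code from the original post). It assumes the Exchange 2010 Management Shell; Get-MessageTimeline and the default seven-day window are my choices.

```powershell
# Added example, not from the original post. Builds one message's hop timeline
# across every Hub and Mailbox server; the function name is hypothetical.
function Get-MessageTimeline {
    param(
        [Parameter(Mandatory=$true)][string]$MessageId,
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End = (Get-Date)
    )

    # Same pipeline as the post's one-liner: every Hub/Mailbox server, one MessageId.
    $events = @(Get-ExchangeServer |
        Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer } |
        Get-MessageTrackingLog -MessageId $MessageId -Start $Start -End $End -ResultSize Unlimited |
        Sort-Object -Property Timestamp)
    if ($events.Count -eq 0) {
        Write-Warning "No events for $MessageId on any Hub/Mailbox server in the window."
        return
    }

    # PSComputerName is the server whose log the row came from; ServerHostname is the hop.
    # SinceLast is the time since the previous event, so a slow hop stands out.
    $previous = $null
    foreach ($e in $events) {
        $gap = if ($previous) { $e.Timestamp - $previous.Timestamp } else { [timespan]::Zero }
        $e | Select-Object Timestamp, PSComputerName, ClientHostname, ServerHostname, Source, EventId, `
            @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, `
            @{ n = 'SinceLast';  e = { $gap } }
        $previous = $e
    }

    # A message with RECEIVE/SUBMIT but no terminal event is either still queued or was
    # handed to a server that was not searched (for example an Exchange 2003/2007 hop,
    # where 2010 tracking stops, as the version notes at the top explain).
    $terminal = @($events | Where-Object { 'DELIVER', 'SEND', 'FAIL' -contains $_.EventId })
    if ($terminal.Count -eq 0) {
        Write-Warning 'No DELIVER, SEND or FAIL event found: still queued, or left the searched servers.'
    }
}

# Usage with the MessageId from the post's lab output:
Get-MessageTimeline -MessageId '1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com' `
    -Start '4/19/2011 4:43:30 PM' -End '4/19/2011 4:50:30 PM' | Format-Table -AutoSize
```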

Using ConvertTo-MessageLatency.ps1 with Get-MessageTrackingLog!

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-MessageTrackingLog -MessageId "1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com" | .\ConvertTo-MessageLatency.ps1

InternalMessageId : 270
MessageId : <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com>
MessageLatency : 00:00:00.2970000
MessageLatencyType : EndToEnd
ComponentServerFqdn : LAB-E2K10CSHT01.TailSpinToys.com
ComponentCode : TOTAL
ComponentName : Total Server Latency
ComponentLatency : 00:00:00

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>

Appendix I

Exchange 2003

Fields:

| Field number | Field name | Description |
|---|---|---|
| 1 | Date | Date of the event. |
| 2 | Time | Greenwich Mean Time of the event. |
| 3 | Client-IP | IP of the connecting client. |
| 4 | Client-hostname | Hostname of the connecting client. |
| 5 | Partner-name | Name of the messaging service that the message is handed off to. In Exchange 2000 the service can be SMTP, X400, MAPI, IMAP4, POP3 or STORE. This is essentially the same as Exchange Server 5.5, but in Exchange 2000 there are more possibilities for this field. |
| 6 | Server-hostname | Hostname of the server that is making the log entry. |
| 7 | Server-IP | IP of the server that is making the log entry. |
| 8 | Recipient-address | Message recipient (SMTP or X.400 address). |
| 9 | Event-ID | Integer corresponding to the Event ID of the action logged, for example sent, received, delete, retrieve. |
| 10 | MSGID | Message ID. |
| 11 | Priority | The priority is represented by -1 if low, 0 if normal, 1 if high. |
| 12 | Recipient-Report-Status | A number representing the result of an attempt to deliver a report to the recipient: 0 if delivered, 1 if not delivered. Used only for reports (non-delivery reports [NDRs], delivery receipts [DRs]); on other events it is blank. |
| 13 | Total-bytes | Message size (in bytes). |
| 14 | Number-recipients | Total number of recipients. |
| 15 | Origination-time | Delivery time (in seconds): the time it takes to deliver the message, determined from the difference between the timestamp and the time encoded in the Message ID. Only valid for messages within the Exchange organization (all versions); there is no requirement to decode other products' message IDs, such as Sendmail's. |
| 16 | Encryption | For the primary body part: 0 if no encryption, 1 if signed only, 2 if encrypted. This is per message, not per recipient. |
| 17 | Service-version | Version of the service making the log entry. |
| 18 | Linked-MSGID | If there is a MSGID from another service, it is given here to link the message across services. |
| 19 | Message-subject | The subject of the message, truncated to 256 bytes. |
| 20 | Sender-address | Primary address of the originating mailbox, if known. This could be SMTP, X.400 or Distinguished Name (DN), depending on the transport. |

 

Event-ID in field 9:

| Event number | Event type | Description |
|---|---|---|
| 0 | Message transfer in | The message was received from a server, a connector, or a gateway. |
| 1 | Probe transfer in | An X.400 probe was received from a gateway, a link, or a message transfer agent (MTA). |
| 2 | Report transfer in | A delivery receipt or a non-delivery report (NDR) was received from a server, a connector, or a gateway. |
| 4 | Message submission | The message was sent by the client. |
| 5 | Probe submission | An X.400 probe was received from a user. |
| 6 | Probe transfer out | An X.400 probe was sent to a gateway, a link, or an MTA. |
| 7 | Message transfer out | The message was sent to a server, a connector, or a gateway. |
| 8 | Report transfer out | A delivery receipt or an NDR was sent to a server, a connector, or a gateway. |
| 9 | Message delivered | The message was delivered to a mailbox or a public folder. |
| 10 | Report delivered | A delivery receipt or an NDR was delivered to a mailbox. |
| 18 | StartAssocByMTSUser | |
| 23 | ReleaseAssocByMTSUse | |
| 28 | Message redirected | The message was sent to mailboxes other than the mailboxes of the recipients. |
| 29 | Message rerouted | The message was routed to an alternative path. |
| 31 | Downgrading | An X.400 message was downgraded to 1984 format before relay. |
| 33 | Report absorption | The number of delivery receipts or of NDRs exceeded a threshold and the reports were deleted. |
| 34 | Report generation | A delivery receipt or an NDR was created. |
| 43 | Unroutable report discarded | A delivery receipt or an NDR could not be routed and was deleted from the queue. |
| 50 | Gateway deleted message | The administrator deleted an X.400 message that was queued for a gateway. |
| 51 | Gateway deleted probe | The administrator deleted an X.400 probe that was queued for a gateway. |
| 52 | Gateway deleted report | The administrator deleted an X.400 report that was queued for a gateway. |
| 1000 | Local delivery | The sender and the recipient are on the same server. |
| 1001 | Backbone transfer in | Mail was received from another MAPI system across a connector or across a gateway. |
| 1002 | Backbone transfer out | Mail was sent to another MAPI system across a connector or across a gateway. |
| 1003 | Gateway transfer out | The message was sent through a gateway. |
| 1004 | Gateway transfer in | The message was received from a gateway. |
| 1005 | Gateway report transfer in | A delivery receipt or an NDR was received from a gateway. |
| 1006 | Gateway report transfer out | A delivery receipt or an NDR was sent through a gateway. |
| 1007 | Gateway report generation | A gateway generated an NDR for a message. |
| 1010 | SMTP queued outbound | Outgoing mail was queued for delivery by the Internet Mail Service. |
| 1011 | SMTP transferred outbound | Outgoing mail was transferred to an Internet recipient. |
| 1012 | SMTP received inbound | Incoming mail was received by the Internet Mail Service. |
| 1013 | SMTP transferred | Incoming mail that was received by the Internet Mail Service was transferred to the information store. |
| 1014 | SMTP message rerouted | An Internet message is being rerouted or forwarded to the correct location. |
| 1015 | SMTP report transferred in | A delivery receipt or an NDR was received by the Internet Mail Service. |
| 1016 | SMTP report transferred out | A delivery receipt or an NDR was sent to the Internet Mail Service. |
| 1017 | SMTP report generated | A delivery receipt or an NDR was created. |
| 1018 | SMTP report absorbed | The receipt or the NDR could not be delivered and was absorbed. (You cannot send an NDR for an NDR.) |
| 1019 | SMTP submit message to AQ | A new message is submitted to Advanced Queuing. |
| 1020 | SMTP begin outbound transfer | A message is about to be sent over the wire by SMTP. |
| 1021 | SMTP bad mail | The message was transferred to the Badmail folder. |
| 1022 | SMTP AQ failure | A fatal Advanced Queuing error occurred. Information about the failure was written to the Event Manager. |
| 1023 | SMTP local delivery | A message was successfully delivered by a store driver (logged by Advanced Queuing). |
| 1024 | SMTP submit message to cat | Advanced Queuing submitted a message to the categorizer. |
| 1025 | SMTP begin submit message | A new message was submitted to Advanced Queuing. |
| 1026 | SMTP AQ failed message | Advanced Queuing could not process the message. The message caused an NDR to be sent, or the message was put in the Badmail folder. |
| 1027 | SMTP submit message to SD | A message was submitted to the store driver by the MTA. |
| 1028 | SMTP SD local delivery | The store driver successfully delivered a message (logged by the store driver). |
| 1029 | SMTP SD gateway delivery | The store driver transferred the message to the MTA. |
| 1030 | SMTP NDR all | All recipients were sent an NDR. |
| 1031 | SMTP end outbound transfer | The outgoing message was successfully transferred. |
| 1032 | SMTP message scheduled to retry categorization | |
| 1033 | SMTP message categorized and queued for routing | |
| 1034 | SMTP message routed and queued for remote delivery | |
| 1035 | SMTP message scheduled to retry routing | |
| 1036 | SMTP message queued for local delivery | |
| 1037 | SMTP message scheduled to retry local delivery | |
| 1038 | SMTP message routed and queued for gateway delivery | |
| 1039 | SMTP message deleted by Intelligent Message Filtering | |
| 1040 | SMTP message rejected by Intelligent Message Filtering | |
| 1041 | SMTP message archived by Intelligent Message Filtering | |
| 1042 | Message redirected to the alternate recipient | |

 

 

Appendix II

Fields that are marked with an asterisk (*) are never blank.

| Field name | Description |
|---|---|
| date-time* | The date and time of the message tracking event, formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. |
| client-ip | The TCP/IP address of the messaging server or messaging client that submitted the message. |
| client-hostname | The name of the messaging server or messaging client that submitted the message. |
| server-ip | The TCP/IP address of the source or destination server running Microsoft Exchange Server. |
| server-hostname | The name of the destination server. |
| source-context | Extra information associated with the source field. |
| connector-id | The name of the source or destination Send connector or Receive connector. |
| source* | The Exchange transport component responsible for the message tracking event: ADMIN (Replay directory submission), AGENT, DSN, GATEWAY (Foreign connector submission), PICKUP, ROUTING, SMTP or STOREDRIVER. |
| event-id* | The message event type, described in the event types table below. The possible values are BADMAIL, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER. |
| internal-message-id* | A message identifier assigned by the Exchange Server 2007 server that is currently processing the message. A specific message's internal-message-id is different in the message tracking log of every Exchange Server 2007 server involved in the delivery of the message. |
| message-id | The value of the Message-Id: header field of the message. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message. |
| recipient-address* | The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;). |
| recipient-status | The per-recipient status for the event (for example the SMTP response on a SEND or FAIL event); blank on the RECEIVE and DELIVER events in the sample above. |
| total-bytes* | The size of the message, including attachments, in bytes. |
| recipient-count* | The number of recipients in the message. |
| related-recipient-address | Used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message. |
| reference | Additional information for specific event types. DSN: the Internet-Message-Id of the message that caused the DSN. SEND: the Internet-Message-Id of any delivery status notification (DSN) messages. TRANSFER: the Internal-Message-Id of the message that is being forked. Blank for all other event types. |
| message-subject | The message's subject from the Subject: header field. Subject tracking is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter of the Set-TransportServer cmdlet for Hub Transport and Edge Transport servers, or of the Set-MailboxServer cmdlet for Mailbox servers. It is enabled by default and can be disabled by setting MessageTrackingLogSubjectLoggingEnabled to $false. |
| sender-address | The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present. |
| return-path* | The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value, represented as <>. |
| message-info | The message origination date-time for DELIVER and SEND events, that is, the time the message first entered the Exchange organization, formatted as yyyy-mm-ddThh:mm:ss.fffZ (see date-time). |

 

Table: Event Types Used to Classify Each Message Event

These are the values of the event-id field above.

| Event name | Description |
|---|---|
| BADMAIL | A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned. |
| DELIVER | A message was delivered to a mailbox. |
| DSN | A delivery status notification (DSN) was generated. |
| EXPAND | A distribution group was expanded. |
| FAIL | A message delivery failed. |
| POISONMESSAGE | A message is put in the poison message queue or removed from the poison message queue. |
| SUSPEND | Indicates that replication has been halted for the passive copy. This state prevents the database from advancing, and logs from being copied. Possible values are True and False. |
| RECEIVE | A message was received and committed to the database. |
| REDIRECT | A message was redirected to an alternative recipient after an Active Directory directory service lookup. |
| RESOLVE | A message's recipients were resolved to a different e-mail address after an Active Directory lookup. |
| SEND | A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server. |
| SUBMIT | A message was submitted by an Exchange Server 2007 computer that has the Mailbox server role installed to an Exchange Server 2007 computer that has the Hub Transport server role or Edge Transport server role installed. |
| TRANSFER | Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. |

 

Comparing the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet

| Field name used in the message tracking log | Field name used to filter the Get-MessageTrackingLog results |
|---|---|
| date-time | Timestamp |
| client-ip | ClientIp |
| client-hostname | ClientHostname |
| server-ip | ServerIp |
| server-hostname | ServerHostname |
| source-context | SourceContext |
| connector-id | ConnectorId |
| source | Source |
| event-id | EventId |
| internal-message-id | InternalMessageId |
| message-id | MessageId |
| recipient-address | Recipients |
| recipient-status | RecipientStatus |
| total-bytes | TotalBytes |
| recipient-count | RecipientCount |
| related-recipient-address | RelatedRecipientAddress |
| reference | Reference |
| message-subject | MessageSubject |
| sender-address | Sender |
| return-path | ReturnPath |
| message-info | MessageInfo |

 

Appendix III

Fields that are marked with an asterisk (*) are never blank. The descriptions are the Exchange 2007 ones; the last five fields are new in the Exchange 2010 log and are not described in that reference, so the notes for them come from the sample log above.

| Field name | Description |
|---|---|
| date-time* | The date and time of the message tracking event, formatted as yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. |
| client-ip | The TCP/IP address of the messaging server or messaging client that submitted the message. |
| client-hostname | The name of the messaging server or messaging client that submitted the message. |
| server-ip | The TCP/IP address of the source or destination server running Microsoft Exchange Server. |
| server-hostname | The name of the destination server. |
| source-context | Extra information associated with the source field. |
| connector-id | The name of the source or destination Send connector or Receive connector. |
| source* | The Exchange transport component responsible for the message tracking event: ADMIN (Replay directory submission), AGENT, DSN, GATEWAY (Foreign connector submission), PICKUP, ROUTING, SMTP or STOREDRIVER. |
| event-id* | The message event type, described in the event types table in Appendix II. The possible values are BADMAIL, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER. |
| internal-message-id* | A message identifier assigned by the Exchange Server 2007 server that is currently processing the message. A specific message's internal-message-id is different in the message tracking log of every Exchange Server 2007 server involved in the delivery of the message. |
| message-id | The value of the Message-Id: header field of the message. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message. |
| recipient-address* | The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;). |
| recipient-status | The per-recipient status for the event (for example the SMTP response on a SEND or FAIL event); blank on the RECEIVE and DELIVER events in the sample above. |
| total-bytes* | The size of the message, including attachments, in bytes. |
| recipient-count* | The number of recipients in the message. |
| related-recipient-address | Used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message. |
| reference | Additional information for specific event types. DSN: the Internet-Message-Id of the message that caused the DSN. SEND: the Internet-Message-Id of any delivery status notification (DSN) messages. TRANSFER: the Internal-Message-Id of the message that is being forked. Blank for all other event types. |
| message-subject | The message's subject from the Subject: header field. Subject tracking is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter of the Set-TransportServer cmdlet for Hub Transport and Edge Transport servers, or of the Set-MailboxServer cmdlet for Mailbox servers. It is enabled by default and can be disabled by setting MessageTrackingLogSubjectLoggingEnabled to $false. |
| sender-address | The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present. |
| return-path* | The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value, represented as <>. |
| message-info | The message origination date-time for DELIVER and SEND events, that is, the time the message first entered the Exchange organization, formatted as yyyy-mm-ddThh:mm:ss.fffZ (see date-time). |
| directionality | Direction of the message relative to the organization; Originating on both events in the sample above. |
| tenant-id | Blank in the sample above. |
| original-client-ip | Repeats client-ip on the RECEIVE event in the sample above and is blank on the DELIVER event. |
| original-server-ip | Repeats server-ip on the RECEIVE event in the sample above and is blank on the DELIVER event. |
| custom-data | Event-specific name=value pairs: S:FirstForestHop=... on RECEIVE and S:MailboxDatabaseName=... on DELIVER in the sample above, which is the same data the cmdlet returns as EventData. |

 

Comparing the field names that are used in the message tracking log and the field names that are used by the Get-MessageTrackingLog cmdlet (an empty cell means the field has no counterpart on that side)

| Field name used in the message tracking log | Field name used to filter the Get-MessageTrackingLog results |
|---|---|
| date-time | Timestamp |
| client-ip | ClientIp |
| client-hostname | ClientHostname |
| server-ip | ServerIp |
| server-hostname | ServerHostname |
| source-context | SourceContext |
| connector-id | ConnectorId |
| source | Source |
| event-id | EventId |
| internal-message-id | InternalMessageId |
| message-id | MessageId |
| recipient-address | Recipients |
| recipient-status | RecipientStatus |
| total-bytes | TotalBytes |
| recipient-count | RecipientCount |
| related-recipient-address | RelatedRecipientAddress |
| reference | Reference |
| message-subject | MessageSubject |
| sender-address | Sender |
| return-path | ReturnPath |
| message-info | MessageInfo |
| directionality | |
| tenant-id | |
| original-client-ip | |
| original-server-ip | |
| custom-data | |
| | MessageLatency |
| | MessageLatencyType |
| | EventData |

 

Search filters that are available by using the Get-MessageTrackingLog cmdlet

| Search filter | Corresponding field in the message tracking log |
|---|---|
| End | date-time |
| EventId | event-id |
| InternalMessageId | internal-message-id |
| MessageId | message-id |
| MessageSubject | message-subject |
| Recipients | recipient-address |
| Reference | reference |
| ResultSize | None. This parameter limits the number of results that are displayed by the search. |
| Sender | sender-address |
| Start | date-time |

Comments

  • Anonymous
    January 01, 2003
    Thx for detailed info,

    I have written a nice script that can be used for tracking multiple users logs based on dates & this can be modified to get other fields as input.

    http://msexchange.me/2014/08/04/message-tracking-multiple-users/

    Regards
    Sukhija Vikas
    http://msexchange.me
  • Anonymous
    January 01, 2003
    And I would like to know how we can find the real sender of an eMail if the sender is using a shared mailbox and sending out eMails AS this shared mailbox's delegate. In the message tracking logs you can only see the shared mailbox's eMail-Address as sender but not the eMail-Address of the real user who sent it.
  • Anonymous
    April 24, 2014
    Thanks a lot for this information, which I've found very useful! (y)
    I would like to know if there is an equivalence between Exchange 2003 logs and Exchange 2007 logs. For example:
    if we have in 2003 logs event-id=3 or 53, what is its corresponding event in 2007 logs? Is it SEND or a combination of ROUTING,SEND for example?
    Help me please! :)
  • Anonymous
    October 16, 2015
    @Fed up Admin 100% agree. Talk about opening the fire hose. Not efficient, off to an EX forum not run by M$.
  • Anonymous
    January 05, 2016
    @Fed up and Cranky....maybe IT is not suited for you. I understand. I was a simple one click admin once too.