Exchange 2007 Message Tracking (Part 2)
If you missed the first part in this article series please read Exchange 2007 Message Tracking (Part 1).
In part one of this two-part article, we looked at the default configuration of message tracking within Exchange 2007 and covered how to alter these settings using PowerShell cmdlets. You may remember these key changes to Exchange 2007 message tracking over their Exchange 2003 counterparts:
- Message tracking is enabled by default.
- Message tracking subject logging is enabled by default.
- Message tracking logs are retained for 30 days by default.
There are other changes, but I’ll leave it for you to go over part one again if you can’t remember them. Here in part two of this article, let’s take a look at the contents of a message tracking log file and then go on to cover how you actually search them.
What’s In a Log?
You can see from Figure 1 below that the message tracking log directory is shown, together with two log files contained within it. Actually, what I should say is that a custom message tracking log directory is shown, since I used the cmdlets from part one of this article to change the message tracking log path to D:\Tracking Logs. The first thing that you’ll notice is the names of the log files. They are named in the following formats:
This format comprises the following information:
- MSGTRK prefix for log files found on Hub Transport or Edge Transport servers.
- MSGTRKM prefix for log files found on Mailbox servers.
- yyyy is a four digit representation of the year the log file was created.
- mm is a two digit representation of the month the log file was created.
- dd is a two digit representation of the day the log file was created.
- n is an incremental number that starts at 1 each day.
You can see from Figure 1 that I have log files beginning with both MSGTRK and MSGTRKM on the same server. You can therefore logically deduce that both the Hub Transport and Mailbox server roles are hosted on this single server. The first log file created is named MSGTRK20061217-1.log. Once that log file reaches its maximum size, which you’ll remember is 10MB by default, the next log created will be named MSGTRK20061217-2.log.
Figure 1: Log File Names
Figure 2 shows the contents of a sample message tracking log file taken from a Hub Transport server. The first thing you will notice is that the data is contained in Comma Separated Value (CSV) format. Compare this to the sample Exchange 2003 message tracking log shown in Figure 3.
Figure 2: Exchange 2007 Message Tracking Log File Contents
Figure 3: Exchange 2003 Message Tracking Log File Contents
You will see from Figure 2 that the first few lines of the log file contain system information about the log file. It contains the following headers in order: #Software, #Version, #Log-Type, #Date, #Fields. An explanation of these headers is as follows:
- #Software. This is the name of the application that created the log file, which is set to a value of Microsoft Exchange Server in our case here.
- #Version. This is the version number of the application that created the log file. In my testing on a trial version of Exchange 2007 RTM, this was set to 188.8.131.52. This was also the case on Exchange 2007 Beta 2.
- #Log-Type. This is the type of log file created by the application, which is set to Message Tracking Log in our case here.
- #Date. This is the date and time that the log file was created and is shown in the following format: yyyy-mm-ddThh:mm:ss.fffZ. You can almost certainly guess that yyyy refers to the year, the first mm to the month, and so on for the date, whilst hh refers to the hour, the second mm the minute and so on for the time.
- #Fields. This is a comma-delimited list of field names that are shown within the log file. The field names are, in order: date-time, client-ip, client-hostname, server-ip, server-hostname, source-context, connector-id, source, event-id, internal-message-id, message-id, recipient-address, recipient-status, total-bytes, recipient-count, related-recipient-address, reference, message-subject, sender-address, return-path, message-info.
I won’t detail the meaning of each field within this article as there is an excellent description within the Exchange 2007 help file. To be honest, with the exception of a few, most of the field names should be self-explanatory and if you enable message tracking and send a few messages, you should be able to work through each field value to determine what’s going on.
Searching a Log
As you may remember from part one of this article, it’s only possible to configure the message tracking log file settings by using the Exchange Management Shell (EMS); no method exists to configure the settings via the Exchange Management Console (EMC). If you prefer to use graphical tools when administering Exchange, then you’ll be pleased to know that you can use the Message Tracking tool to search the contents of the message tracking log files. Of course, you can also use the EMS but note that there are differences between the two. I’ll cover both methods here and indicate what these differences are later in the article.
First, let’s look at using the Message Tracking tool to search message tracking log files. There’s a reason I’m going to cover the Message Tracking tool first, and that’s simply because the corresponding cmdlet that you could have run is displayed within the Message Tracking tool, making it easy to use EMS next time. Here’s how to run the Message Tracking tool:
- Run the Exchange Management Console.
- In the left-hand pane, known as the Console Tree, select Toolbox.
- In the middle top pane, known as the Result Pane, select Message Tracking from the Mail flow tools area.
- Now you can either select the Open tool option from the right-hand pane, known as the Action Pane, or you can right-click Message Tracking in the Result Pane and choose Open tool from the context menu. By the way, if you don’t see the Action Pane, it may be because it is currently hidden via the View menu option within the EMC snap-in. Click View, then Customize… and in the Customize View window, ensure that the Action pane option is selected.
- A new window opens to reveal the Microsoft Exchange Troubleshooting Assistant. If this is the first time you’ve chosen this option, you may have to skip through a few screens on checking for updates. The end result should be the screen shown below in Figure 4.
Figure 4: Message Tracking Tool
Here you can fill in the relevant search filters, such as the sender, recipient(s), message subject and so on. There are several key things to note:
- At the bottom of this screen, the Exchange management shell command area shows you the corresponding cmdlet that you can run to produce the same search via EMS.
- Note from Figure 2 that the tracking logs store dates and times in the Coordinated Universal Time (UTC) format, whilst the search shown above in Figure 4 uses regional date and time formats. The Message Tracking tool does the conversion for you.
- The EventID search field has many different choices, such as RECEIVE, which is used to search for messages received by the relevant server, or DELIVER, which is used to search for messages delivered to a mailbox. See the Exchange 2007 help file for a detailed breakdown of the remaining choices here.
As an example, to perform a simple search for all messages containing “hello” within the subject line, you’ll need to perform at least two tasks in the screen shown above in Figure 4. First, you’ll need to click the Subject check box and supply the “hello” text in the field next to it. Second, you’ll need to ensure that the end date is later than the start date. By default, these dates are the same and failure to change the end date results in an error when performing the search. Also, in the case where you have separate Mailbox and Hub Transport servers and you’re performing the search from the Mailbox server, you’ll also need to change the EventID to the SUBMIT option, since Mailbox servers only contain the SUBMIT event. These are used to track when Mailbox servers submit messages to Hub Transport servers. You will no doubt recall from your Exchange 2007 reading that all messages pass through Hub Transport servers.
Assuming you’ve entered valid details and clicked the Next button, you should be presented with a screen similar to the one shown below in Figure 5.
Figure 5: Results Via Message Tracking Tool
Note the text that says Selected row will populate parameters for next message tracking search. This is a nice feature that does exactly what it says – whatever is selected, such as the message subject text in Figure 5, will be used as the basis of the next search when you click the Next button at the bottom of the screen.
One extra thing to note with message tracking is the dependency on the Microsoft Exchange Transport Log Search service. You may have already noted that on an Exchange 2007 server, there is a notable increase in the number of Exchange-related services displayed within the Services applet. Searching tracking logs requires that the Microsoft Exchange Transport Log Search service is running. If it isn’t running, you’ll see the error message shown in Figure 6. Note that if you do disable this service for whatever reason, the only thing affected is your ability to search the message tracking log files; no other Exchange function should be affected.
Figure 6: Message Tracking Search Error (EMC)
Now let’s look at using EMS to search message tracking log files. This functionality centers around using the Get-MessageTrackingLog cmdlet. You can use this cmdlet without any other options which will result in the last 1,000 message tracking log entries being shown. This may not prove too useful, so there are many parameters to add to the cmdlet to refine our search. You can limit the number of returned entries by using the ResultSize parameter. To repeat our previous search, we could simply paste in the cmdlet that the Message Tracking tool shows us. It is as follows:
Get-MessageTrackingLog –EventID “RECEIVE” –MessageSubject “hello” –Start “01/12/2006 00:00:00” –End “28/12/2006 18:50:00”
Note that in my example the start and end dates are displayed in UK format. Other than that, it should be fairly obvious what is being searched for. The result is as follows:
Figure 7: Message Tracking Results Via EMS
You’ll see from Figure 7 that the 5 default fields displayed are EventId, Source, Sender, Recipients and MessageSubject. If you use the format-list or fl formatting cmdlet, you can obtain much more information. For example, Figure 8 shows detailed information for the first search result listed above in Figure 7. Of course, you also have the option to re-direct the results of your cmdlet to a text file by appending something like > “C:\results.txt” to the end of your cmdlet.
Figure 8: Message Tracking Results Via EMS Using Format-List
The logical deduction is that it’ll more than likely make the most sense for you to use the Message Tracking tool first and see what the corresponding EMS cmdlets are. Once you’re comfortable with the relevant cmdlets, you may choose to use EMS solely. The choice is yours.
To complete our look at using the EMS to search message tracking log files, don’t forget that if the Microsoft Exchange Transport Log Search service isn’t running you’ll get an error in exactly the same way as you do within the Message Tracking tool. In the case of the EMS, you’ll see the self-explanatory error shown in Figure 9.
Figure 9: Message Tracking Search Error (EMS)
Are there any differences between using the Message Tracking tool and EMS? Yes, there are. First, you’ll see from Figure 4 that the Message Tracking tool offers the Server field as a search filter. If you use the Server parameter within EMS, it is actually used to name the server whose message tracking log files you wish to search.
Going the other way, EMS has the Reference search filter that isn’t contained within the Message Tracking tool. This search filter is linked to the reference field within the actual tracking log, which contains information such as the message IDs of Delivery Status Notification (DSN) messages.
Hopefully, across the two parts of this article, I’ve given you a good working knowledge of how message tracking is configured by default, how to change the configuration, and also how to perform basic searches. Naturally, searching the tracking logs for information will be different for each and every reader, so I encourage you to have a play with both the Message Tracking tool and the command-line interface.
If you missed the first part in this article series please read Exchange 2007 Message Tracking (Part 1).