This section examines message tracking, protocol logging, and diagnostic logging. You use these features to monitor Exchange Server and to troubleshoot messaging problems.
1. Using Message Tracking
You use message tracking to monitor the flow of messages into and out of an organization and within it. With message tracking enabled, Exchange Server maintains daily log files, with a running history of all messages transferred within an organization. You use the logs to determine the status of a message, such as whether a message has been sent, has been received, or is waiting in the queue to be delivered. Because Exchange Server handles postings to public folders in much the same way as e-mail messages, you can also use message tracking to monitor public folder usage.
Tip:
Tracking logs can really save the day when you're trying to troubleshoot delivery and routing problems. The logs are also useful in fending off problem users who blame e-mail for their woes. Generally speaking, users can't claim they didn't receive e-mails if you can find the messages in the logs. That said, if you use third-party applications that integrate with Outlook, those applications could potentially delete messages before the user sees them.
1.1. Configuring Message Tracking
By default, all Hub Transport, Edge Transport and Mailbox servers perform message tracking. You can enable or disable message tracking on a per-server basis by setting the –MessageTrackingLogEnabled parameter of the Set-TransportServer cmdlet to $true or $false, as appropriate. The following example disables message tracking on MailServer16:
Set-TransportServer -Identity "MailServer16" -MessageTrackingLogEnabled $false
Tip:
You can configure basic message tracking options in the Exchange Management Console. Expand the Server Configuration node and then select the Hub Transport node. In the main pane, double-click the server you want to configure to display the related Properties dialog box. On the Log Settings tab, select or clear the Enable Message Tracking Log check box. If you enable message tracking, you can enter the desired directory path for logging as well or accept the default setting.
Each Transport and Mailbox server in your organization can have different message tracking settings that control
By default, message tracking logs are stored in the %ExchangeInstallPath%\TransportRoles\Logs\MessageTracking directory. Generally, message tracking does not have high enough input/output activity to warrant a dedicated disk. However, in some high-usage situations, you might want to move the tracking logs to a separate disk. Before you do this, however, you should create the directory you want to use and set the following required permissions:
Full Control For Administrator
Full Control For Local System
Read, Write, And Delete Subfolders And Files For Network Service
After you've created the directory and set the required permissions, you can change the location of the tracking logs to any local directory by setting the –MessageTrackingLogPath parameter of the Set-TransportServer cmdlet to the desired local directory. The following example sets the message tracking directory as G:\Tracking on MailServer16:
Set-TransportServer -Identity "MailServer16" -MessageTrackingLogPath "G:\Tracking"
Note:
When you change the location of the message tracking directory, Exchange Server does not copy any existing tracking logs from the old directory to the new one. You must manually copy the old logs to the new location if you want all the logs to be in the same location.
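The whole relocation procedure described above, as an added example that is not part of the original text: create the directory, apply the three required permissions, switch the path, and copy the old logs without overwriting anything already written to the new location. Mapping "Administrator" to the local Administrators group and removing inherited permissions are assumptions of this example.

```powershell
# Added example, not from the original text. Run in the Exchange Management
# Shell on the server itself; $server and $newPath are the page's sample values.
$server  = "MailServer16"
$newPath = "G:\Tracking"

# Remember the current log directory so existing logs can be copied later.
$oldPath = [string](Get-TransportServer -Identity $server).MessageTrackingLogPath

New-Item -ItemType Directory -Path $newPath -Force | Out-Null

$acl = Get-Acl -Path $newPath
# Assumption (optional hardening): drop entries inherited from the drive root
# so that only the three required principals can reach the logs.
$acl.SetAccessRuleProtection($true, $false)

# Assumption: "Administrator" is granted via the local Administrators group.
$grants = @(
    @{ Id = "BUILTIN\Administrators";       Rights = "FullControl" },
    @{ Id = "NT AUTHORITY\SYSTEM";          Rights = "FullControl" },
    @{ Id = "NT AUTHORITY\NETWORK SERVICE"; Rights = "Read, Write, DeleteSubdirectoriesAndFiles" }
)
foreach ($g in $grants) {
    # Inherit to subfolders and files so newly created logs get the same ACL.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Id, $g.Rights, "ContainerInherit, ObjectInherit", "None", "Allow"
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $newPath -AclObject $acl

Set-TransportServer -Identity $server -MessageTrackingLogPath $newPath

# Exchange does not move existing logs. Copy them, skipping any file name
# that already exists in the new directory so current logs are not clobbered.
if ($oldPath -and (Test-Path $oldPath)) {
    Get-ChildItem -Path $oldPath -Filter "MSGTRK*.log" |
        Where-Object { -not (Test-Path (Join-Path $newPath $_.Name)) } |
        Copy-Item -Destination $newPath
}

# Confirm the resulting message tracking settings.
Get-TransportServer -Identity $server | Format-List MessageTrackingLog*
```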
By default, all Hub Transport, Edge Transport, and Mailbox servers perform extended message tracking, which allows you to perform searches based on message subject lines, header information, sender, and recipient. If you don't want to collect information on potentially sensitive subject lines, you can disable subject line tracking by setting the –MessageTrackingLogSubjectLoggingEnabled parameter of the Set-TransportServer cmdlet to $false, as shown in the following example:
Set-TransportServer -Identity "MailServer16" -MessageTrackingLogSubjectLoggingEnabled $false
Exchange Server continues to write to message tracking logs until a log grows to a specified maximum size, at which point Exchange Server creates a new log and then uses this log to track current messages. By default, the maximum log file size is 10 megabytes (MB). You can change this behavior by setting the –MessageTrackingLogMaxFileSize parameter to the desired maximum file size. You must qualify the desired file size using B for bytes, KB for kilobytes, MB for megabytes, or GB for gigabytes. The following example sets the message log file size to 50 MB:
Set-TransportServer -Identity "MailServer16" -MessageTrackingLogMaxFileSize "50MB"
Exchange Server overwrites the oldest message tracking logs automatically when tracking logs reach a maximum age or when the maximum log directory size is reached. By default, the maximum age is 30 days and the maximum log directory size is 250 MB. You can use the –MessageTrackingLogMaxAge parameter to set the maximum allowed age in the following format:
DD.HH:MM:SS
where DD is the number of days, HH is the number of hours, MM is the number of minutes, and SS is the number of seconds. The following example sets the maximum age for logs to 90 days:
Set-TransportServer -Identity "MailServer16" -MessageTrackingLogMaxAge "90.00:00:00"
You can set the maximum log directory size using the –MessageTrackingLogMaxDirectorySize parameter. As with the maximum log file size, the qualifiers are B, KB, MB, and GB. The following example sets the maximum log directory size to 2 GB:
Set-TransportServer -Identity "MailServer16" -MessageTrackingLogMaxDirectorySize "2GB"
1.2. Searching Through the Tracking Logs
The tracking logs are useful in troubleshooting problems with routing and delivery. In the Exchange Management Shell, you use Get-MessageTrackingLog to search through the message tracking logs. The related syntax is:
Get-MessageTrackingLog [-Start DateTime] [-Server ServerId]
[-End DateTime] {AddtlParams}
{AddtlParams}
[-DomainController DCName] [-EventId {"BadMail" | "Defer" | "Deliver" |
"DSN" | "Expand" | "Fail" | "PoisonMessage" | "Receive" | "Redirect" |
"Resolve" | "Send" | "Submit" | "Transfer"} ] [-InternalMessageId
MessageTrackingLogId] [-MessageId MessageId] [-MessageSubject
Subject] [-Recipients SMTPEmailAddress1, SMTPEmailAddress2,...]
[-Reference ReferenceField] [-ResultSize NumEntriesToReturn]
[-Sender SMTPEmailAddress]
These parameters allow you to search the message tracking logs in several ways:
To begin a search, you must specify one or more of the previously listed identifiers as the search criteria. You must also identify a server in the organization that has processed the message in some way. This server can be the sender's server, the recipient's server, or a server that relayed the message. You set the search criteria using the following parameters:
–End Sets the end date and time for the search.
–EventID Specifies the ID of the event for which you want to search, such as a RECEIVE, SEND, or FAIL event.
–InternalMessageID Specifies the ID of the message tracking log entries for which you want to search.
–MessageID Specifies the ID of the message for which you want to search.
–MessageSubject Specifies the subject of the message for which you want to search.
–Recipients Sets the recipient's SMTP e-mail address or addresses to return.
–Reference Specifies the reference field value within the message for which you want to search.
–Sender Sets the sender's SMTP e-mail address (listed in the From field of the message) to return.
–Server Sets the name of the Transport or Mailbox server that contains the message tracking logs to be searched.
–Start Sets the start date and time for the search.
Using the –Start and –End parameters, you can search for messages from a starting date and time to an ending date and time. Using the –Server parameter, you specify the server to search. Consider the following example:
Get-MessageTrackingLog -Start "05/25/2010 5:30AM" -End "05/30/2010 7:30PM" -Server MailServer18 -Sender [email protected]
In this example, you search for messages sent by [email protected] between 5:30 A.M. May 25, 2010 and 7:30 P.M. May 30, 2010.
Note:
Keep in mind that only messages that match all of the search criteria you've specified are displayed. If you want to perform a broader search, specify a limited number of parameters. If you want to focus the search precisely, specify multiple parameters.
1.3. Reviewing Message Tracking Logs Manually
Exchange Server creates message tracking logs daily and stores them by default in the %ExchangeInstallPath%\TransportRoles\Logs\MessageTracking directory. For US-English, each log file is named by the date on which it was created, using one of these formats:
MSGTRKYYYYMMDD-N.log, such as MSGTRK20100325-1.log for the first log created on March 25, 2010.
MSGTRKMYYYYMMDD-N.log, such as MSGTRKM20100325-1.log for the first log created on March 25, 2010.
The message tracking log stores each message event on a single line. The information on a particular line is organized by comma-separated fields. Logs begin with a header that shows the following information:
A statement that identifies the file as a message tracking log file
The version of the Exchange Server that created the file
The date on which the log file was created
A comma-delimited list of fields contained in the body of the log file
Table 1 summarizes message event fields and their meaning. Not all of the fields are tracked for all message events.
Table 1. Message Tracking Log Fields
LOG FIELD | DESCRIPTION |
---|---|
Client-hostname | The hostname of the client making the request |
Client-ip | The IP address of the client making the request |
Connector-id | The identity of the connector used |
Custom-Data | Optional custom data that was logged |
Date-Time | The connection date and time |
Directionality | An indication of the source of the message |
Event-id | The type of event being logged, such as Submit |
Internal-message-id | The internal identifier used by Exchange to track the message |
Message-id | The message identifier |
Message-info | Any related additional information on the message |
Message-subject | The subject of the message |
Original-client-ip | The IP address for the original client |
Original-server-ip | The IP address for the original server |
Recipient-address | The e-mail addresses of the message recipients |
Recipient-count | The total number of recipients |
Recipient-status | The status of the recipient e-mail address |
Reference | The references, if any |
Related-recipient-address | The e-mail addresses of any related recipients |
Return-path | The return path on the message |
Sender-address | The distinguished name of the sender's e-mail address |
Server-hostname | The server on which the log entry was generated |
Server-ip | The IP address of the server on which the log entry was generated |
Source | The messaging component for which the event is being logged, such as StoreDriver |
Source-context | The context of the event source |
Tenant-id | A tenant identifier |
Total-bytes | The total size of the message in bytes |
You can view the message tracking log files with any standard text editor, such as Microsoft Notepad. You can also import the message tracking log files into a spreadsheet or a database. Follow these steps to import a message tracking log file into Microsoft Office Excel:
Start Excel 2007 or Excel 2010. Click the Microsoft Office button and then click Open. Use the Open dialog box to select the message tracking log file you want to open. Set the file type as All Files (*.*), select the log file, and then click Open.
The Text Import Wizard starts automatically. Click Next. On the Delimiters list, choose Comma. Click Next and then click Finish.
The log file should now be imported. You can view, search, and print the message tracking log as you would any other spreadsheet.
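As an alternative to the spreadsheet import, the log layout described above (header lines followed by one comma-separated event per line) can be parsed directly in PowerShell. This is an added example, not part of the original text; the Import-TrackingLog function name is hypothetical, the sample log is constructed and abbreviated to eight of the Table 1 fields, and it assumes header lines begin with # and the field list line begins with #Fields:.

```powershell
# Constructed sample log, abbreviated to eight of the fields from Table 1.
$sample = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2010-03-25T00:00:00.000Z
#Fields: date-time,client-ip,source,event-id,message-id,recipient-address,message-subject,sender-address
2010-03-25T09:14:02.113Z,192.0.2.10,SMTP,RECEIVE,<a1@example.com>,bob@example.com,"Q1 numbers, final",alice@example.com
2010-03-25T09:14:02.870Z,,STOREDRIVER,DELIVER,<a1@example.com>,bob@example.com,"Q1 numbers, final",alice@example.com
2010-03-25T09:20:45.004Z,192.0.2.77,SMTP,RECEIVE,<b2@example.net>,nosuchuser@example.com,Invoice,mallory@example.net
2010-03-25T09:20:45.310Z,,ROUTING,FAIL,<b2@example.net>,nosuchuser@example.com,Invoice,mallory@example.net
'@

# Hypothetical helper: turns raw log lines into objects keyed by field name.
function Import-TrackingLog {
    param([string[]]$Line)
    # Assumption: the header line that starts with "#Fields:" names the columns.
    $fieldLine = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldLine) { throw "No #Fields header found; not a message tracking log?" }
    $fields = ($fieldLine -replace '^#Fields:\s*', '').Split(',')
    # Other '#' lines are header metadata; every remaining line is one event.
    # ConvertFrom-Csv handles quoted values such as subjects containing commas.
    $Line | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $fields
}

$events = Import-TrackingLog -Line ($sample -split "`r?`n")

# Failed deliveries, with who sent them and to whom.
$events | Where-Object { $_.'event-id' -eq 'FAIL' } |
    Select-Object 'date-time', 'sender-address', 'recipient-address', 'message-subject'

# Trace one message through every event logged for its Message-id.
$events | Where-Object { $_.'message-id' -eq '<a1@example.com>' } |
    Sort-Object 'date-time' |
    Format-Table 'date-time', source, 'event-id' -AutoSize
```

To run it against a real file, pass the output of Get-Content for a log such as MSGTRK20100325-1.log as the -Line argument instead of the sample text.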