You can use the Get-MessageTrackingLog cmdlet in the exchange management shell to analyze the mail flow, review messages and obtain various information about messages sent or received for a specific mailbox in your organization. In this article I will show you some examples of single-line PowerShell commands which I often use to follow messages on Exchange Server 2016/2013/2010 and Office 365 (Exchange Online).
I remind you that the Exchange transport logs can be found in the %ExchangeInstallPath%TransportRolesLogsMessageTracking folder. And the most efficient and flexible way to analyze logs in Exchange is by using the Get-MessageTrackingLog cmdlet.
Let’s first have a look at the Get-MessageTrackingLog parameters that can be used to filter events in the logs. The following control parameters are most commonly used:
- Sender – Search for sender ;
- Recipients – Recipient search ;
- Server – Find a specific transport server;
- From 30/11/2019 at 8:00 – and 18/12/2019 at 21:00 – search by time period ;
- MessageSubject – Find the subject of the message ;
- EventID – search for an exchange event (the following codes are generally used: RECEIVE, SEND, FAIL, DSN, DELIVER, BADMAIL, RESOLVE, EXTEND, REDIRECT, TRANSMIT, SEND, POST, DELAY) ;
- Message ID – Track by message ID.
If you run the Get-MessageTrackingLog cmdlet without parameters all events will be displayed in the Exchange transport logs of the last 30 days. The command displays only the last 1000 events. To remove this limitation, use the parameter -ResultSize Unlimited. (It is not recommended to do this without some additional filter settings, as this may result in a high load on the transport server).
Use this command to view information about your Exchange events page by page:
Get-MessageTrackingLog | Out-Host -Paging
The Format-Table command is used to display the data in tabular form and to adjust the width of the columns:
Get-MessageTrackingLog | Format-Table -AutoSize
If you have multiple Hub transport servers in your Exchange organization you will need to enter the name of the server to search for the -Server parameter as an argument. Or run a message tracking command for each of your hub servers with a :
Get-TransportServer | Get-MessageTrackingLog
View all emails from the last 24 hours ((Get-Date).AddHours(-24)) specifying a recipient of the @gmail.com domain:
Get-MessageTrackingLog -Start (Get-Date).AddHours(-24) -ResultSize unlimited |, where {[string]$_.recipient -like *@gmail.com}.
To view all emails sent by a specific user through a specific server in a specific period of time, use the following command (only specific tracking fields are displayed in the report) :
Get-MessageTrackingLog -ResultSize unlimited -Sender [email protected] -server contoso hub-01 -Start 11/30/2019 06:00:00 -End 12/13/2019 22:00:00 |select object Time stamp,Transmitter,Recipients,MessageSubject,EventId|ft.
Find all emails sent from one user to another and export the search results to a CSV file:
Get-MessageTrackingLog -Sender [email protected] -Recipients [email protected] -ResultSize unlimited -server contoso-hub-01| Select-Object Timestamp,Sender,{$_.addresses},MessageSubject | Export-Csv -Path C:Exportexchange_tracking_logs.csv -Encoding Default -Delimiter ;
You can search for a message subject. To display all E-mails with the test word in the subject line, execute the following command. (To display the results in a separate tabular graphical window with convenient sorting, filtering and search functions, you can use the Out-gridview command).
Get-MessageTrackingLog -MessageSubject test -ResultSize unlimited -server contoso-hub-01| Select-Object Timestamp,Sender, {$_.addresses}, MessageSubject | out-gridview
You can search for a specific message ID (you will find it in the message header in Outlook) :
Get-MessageTrackingLog -messageID [e-mail protected]om -ResultSize unlimited -server contoso-hub-01| Select-Object Timestamp,Sender, {$_.addresses}, MessageSubject
To count the number of incoming e-mails for a specific mailbox in the last 7 days, execute the following command:
(Get-MessageTrackingLog -EventID RECEIVE -Recipients [e-mail protected] -ResultSize unlimited size).Count
You can display more intuitive message statistics. You want z. B. See how many emails from different gmail.com senders have been received by users in your organization in the past 5 days (we show the total number of emails sent by each external sender):
Get-MessageTrackingLog -EventId Receive -Start (Get-Date).AddDays(-5) -ResultSize Unlimited | Where-Object {$_.Sender -like *@gmail.com}. | In this case, it is not possible to determine the size of the data and the size of the data.
To find the messages stored in the mailboxes of Exchange users use the Find Mailbox command.
In Office 365 you can search the message logs of the Exchange Administration Centre (EAC). Go to Mail Flow -> Message Tracking. Fill in the search fields. This is actually the web interface of the Get-MessageTrackingLog cmdlet, which allows the user to generate the PowerShell tracking command in a simple web form.
The methods described above allow you to obtain statistics about the messages sent and received on your Exchange system and to diagnose various problems with e-mail transport.
Related Tags:
haredirectfail,get-messagetrackingreport,get-messagetrackinglog export to csv,exchange 2013 message tracking gui,hadiscard,exchange 2010 message log location,get-messagetrace,get-messagetrackinglog sender wildcard,'m log reports system string,search messagetrackingreport date range,get messagetrackinglog timeframe,get messagetrackinglog last 2 hours,searching message tracking logs by subject,powershell get messagetrackinglog subject,get-messagetrackinglog by subject,get-messagetrackinglog get-date,get-messagetrackinglog how far back,get-messagetrackinglog fail reason,get-messagetrackinglog count messages,get-messagetrackinglog totalbytes,get-messagetrackinglog has attachment,exchange 2016 message tracking logs location,exchange logs location,get-messagetrackinglog all servers,get-messagetrackinglog exchange online,exchange 2016 message tracking gui,exchange 2013 message tracking logs location,get-messagetrackinglog eventid,get-messagetrackinglog messageid