Just before Christmas, the CEO of the company came up to me and asked for some basic stats on email traffic. At the time I was able to provide some detail from our email filtering software, and some very basic stats from the Exchange Message Tracking Log through PowerShell. At the time it did the job, but I have since picked up the task again to add to my Exchange Information script (which is what it will become once it is no longer just Mailbox Stats).
If you have ever been tasked with looking after Exchange, you are probably well aware of the message tracking log. For those of you that aren't, it is basically as it sounds: a tracking log of messages as they flow through your Exchange environment. This allows us to track a message from sender to receiver, and any steps in between. This log is invaluable in diagnosing mail flow issues, as well as being used as a basis for reports.
To determine your current message tracking log settings, we have to use the Exchange Management Shell. To do this we use the following command:
Get-TransportServer SERVERNAME | fl *messagetracking*
Which will return something like this:
MessageTrackingLogEnabled : True
MessageTrackingLogMaxAge : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 250MB
MessageTrackingLogMaxFileSize : 10MB
MessageTrackingLogPath : L:\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True
The main one to note is the MessageTrackingLogMaxAge entry, which is structured as dd.hh:mm:ss (d = day, h = hour, m = minute, s = second). So, anything over 30 days old will not be able to be queried.
Now that you know the path of your tracking logs, you can also have a look through them with any text editor to see what they contain. There is, however, a better way to see what is in your logs...
There are two ways to query the tracking log: the PowerShell cmdlet and the Console.
I will be focussing on the PowerShell cmdlet, as this is more useful to me in the current objective of gathering stats. If you are after purely message tracking, the Console is a bit more user-friendly.
Collecting information on distribution group usage is relatively simple: there will be an EXPAND entry in the log from where Exchange expands the group from the alias to all of the members. With this in mind, we can query the log with something like this:
Get-MessageTrackingLog -server server -EventId Expand -resultsize Unlimited | Sort-Object RelatedRecipientAddress | group-object RelatedRecipientAddress
Where you will need to replace server with your Exchange server name.
This little code segment does the following:
So there we have it, stats on how many times your distribution groups received mail in your entire tracking log. You can also use the -Start and -End parameters of Get-MessageTrackingLog to restrict this search.
Users' emails are fairly similar to the distribution groups, but obviously are based around a different event. In the case of received mail, this is DELIVER (as this counts only mail that is delivered to a mailbox). The only complication to this is that a DELIVER event can have several recipients, so we have to do a bit more work:
Get-MessageTrackingLog -server server -start $Start -end $End -resultsize unlimited -EventID DELIVER | Select -Expand Recipients | Group | Sort Name
Here we can see the usual query to Get-MessageTrackingLog, which then gets piped to Select to expand the Recipients field, and is finally grouped by Name (in this case the email address).
Sent mail is a little more tricky, but I didn't realise this at first. The obvious choice is to just look for SEND events, right? Well yes... but this is not the full picture. The SEND event is only actually logged when an email is sent outside your Exchange server, i.e. mail sent from one Exchange user to another does not raise a SEND event. So, after a little investigation, I found that filtering by the RECEIVE event from the STOREDRIVER source seems to give the right numbers, but I'm not entirely sure. If anyone knows a 100% guaranteed answer, please let me know!
Get-MessageTrackingLog -Server server -EventID RECEIVE -Start $Start -End $End -resultsize unlimited | ?{$_.Source -eq "STOREDRIVER"} | Group-Object Sender | Sort-Object Name
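The received and sent queries above can be combined into one per-address report, with the start date clamped to what MessageTrackingLogMaxAge still retains. This is an added example, not the author's script; SERVERNAME, the 7-day window and the Add-Count helper are assumptions.

```powershell
# Added example: run in the Exchange Management Shell (PowerShell 2.0 or later).
$Server = 'SERVERNAME'                 # placeholder, as in the post
$End    = Get-Date
$Start  = $End.AddDays(-7)             # assumed 7-day reporting window

# Entries older than MessageTrackingLogMaxAge are gone, so clamp the window.
$maxAge = [TimeSpan]::Parse((Get-TransportServer $Server).MessageTrackingLogMaxAge.ToString())
$oldest = (Get-Date) - $maxAge
if ($Start -lt $oldest) {
    Write-Warning "Start $Start predates the retained log; using $oldest."
    $Start = $oldest
}

# Hypothetical helper: fold Group-Object output into one row per address.
function Add-Count($Table, $Groups, $Column) {
    foreach ($g in $Groups) {
        if (-not $g.Name) { continue }     # skip blank addresses and empty results
        if (-not $Table.ContainsKey($g.Name)) {
            $Table[$g.Name] = New-Object PSObject -Property @{
                Address = $g.Name; Received = 0; Sent = 0 }
        }
        $row = $Table[$g.Name]
        $row.$Column = $g.Count
    }
}

$query = @{ Server = $Server; Start = $Start; End = $End; ResultSize = 'Unlimited' }

# Received: a DELIVER event can list several recipients, so expand before grouping.
$received = Get-MessageTrackingLog @query -EventId DELIVER |
    Select-Object -ExpandProperty Recipients | Group-Object

# Sent: RECEIVE events from the STOREDRIVER source, as described in the post.
$sent = Get-MessageTrackingLog @query -EventId RECEIVE |
    Where-Object { $_.Source -eq 'STOREDRIVER' } | Group-Object Sender

$report = @{}                              # hashtable keys are case-insensitive
Add-Count $report $received 'Received'
Add-Count $report $sent 'Sent'
$report.Values | Sort-Object Address | Select-Object Address, Received, Sent
```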
So there we have it, a basic run-down of the message tracking log in Exchange, and how we can use it to pull out some interesting information. I hope it has been useful to you. In the coming days or weeks (depending how much time I have), I will be posting an updated version of the Exchange Information script with these improvements included.