Exchange Message Tracking and my friend Powershell

Just before Christmas, the CEO of the company came up to me and asked for some basic stats on email traffic. At the time I was able to provide some detail from our email filtering software, and some very basic stats from the Exchange Message Tracking Log through Powershell. At the time it did the job, but I have since picked up the task again to add to my Exchange Information script (which is what it will become once it is no longer just Mailbox Stats).

What is the Message Tracking Log and what does it contain?

If you have ever been tasked with looking after Exchange, you are probably well aware of the Message Tracking Log. For those of you that aren’t, it is basically as it sounds: a tracking log of messages as they flow through your Exchange environment. This allows us to track a message from sender to receiver, and any steps in between. This log is invaluable in diagnosing mail flow issues, as well as being used as a basis for reports.

Viewing your message tracking log info

To determine your current message tracking log settings, we have to use the Exchange Management Shell. To do this we use the following command:

```powershell
# List every transport server property whose name contains "messagetracking"
Get-TransportServer $server | fl *messagetracking*
```

Which will return something like this:

```
MessageTrackingLogEnabled               : True
MessageTrackingLogMaxAge                : 30.00:00:00
MessageTrackingLogMaxDirectorySize      : 250MB
MessageTrackingLogMaxFileSize           : 10MB
MessageTrackingLogPath                  : L:\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True
```

The main one to note is the MessageTrackingLogMaxAge entry, which is structured as dd.hh:mm:ss (d = day, h = hour, m = minute, s = second). So, anything over 30 days old cannot be queried.

Now that you know the path of your tracking logs, you can also have a look through them with any text editor to see what they contain. There is, however, a better way to see what is in your logs…

Gathering information from the Message Tracking Log

There are two ways to query the tracking log:

  1. Exchange Management Console, located in the Toolbox section. or;
  2. Get-MessageTrackingLog Powershell cmdlet

I will be focussing on the Powershell cmdlet, as this is more useful to me in the current objective of gathering stats. If you are after purely message tracking, the Console is a bit more user-friendly.

Distribution group usage

Collecting information on distribution group usage is relatively simple: there will be an EXPAND entry in the log wherever Exchange expands the group from its alias to all of the members. With this in mind, we can query the log with something like this:

```powershell
Get-MessageTrackingLog -server $server -EventId Expand -resultsize Unlimited | Sort-Object RelatedRecipientAddress | group-object RelatedRecipientAddress
```

Where you will need to replace $server with your Exchange server name.

This little code segment does the following:

  1. Returns all EXPAND entries from the message tracking log;
  2. Sorts the list by the email address, and finally;
  3. Groups by the email address, which introduces a new “Count” attribute with the number of items that were grouped per address

So there we have it, stats on how many times your distribution groups received mail in your entire tracking log. You can also use the -Start and -End parameters of Get-MessageTrackingLog to restrict this search.

User emails

Received mail

User emails are fairly similar to the distribution groups, but obviously are based around a different event. In the case of received mail, this is DELIVER (as this counts only mail that is delivered to a mailbox). The only complication to this is that a DELIVER event can have several recipients, so we have to do a bit more work:

```powershell
# Expand the multi-valued Recipients field so each recipient is counted once per DELIVER event
Get-MessageTrackingLog -server $server -start $Start -end $End -resultsize unlimited -EventID DELIVER | Select -Expand Recipients | Group | Sort Name
```

Here we can see the usual query to Get-MessageTrackingLog, which is piped to Select to expand the Recipients field, then grouped (the group Name is in this case the email address) and finally sorted by that Name.

Sent Mail

Sent mail is a little more tricky, but I didn’t realise this at first. The obvious choice is to just look for SEND events, right? Well yes… but this is not the full picture. The SEND event is only actually logged when an email is sent outside your Exchange server, i.e. mail sent from one Exchange user to another does not raise a SEND event. So, after a little investigation, I found that filtering by the RECEIVE event from the STOREDRIVER source seems to give the right numbers, but I’m not entirely sure. If anyone knows a 100% guaranteed answer, please let me know!

```powershell
# Keep only RECEIVE events logged by the STOREDRIVER source, then count per sender
Get-MessageTrackingLog -Server $server -EventID RECEIVE -Start $Start -End $End -resultsize unlimited | ?{$_.Source -eq "STOREDRIVER"} | Group-Object Sender | Sort-Object Name
```

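The received-mail and sent-mail counts above can be gathered in a single pass over the log. The following is an added example, not part of the original post: the function name `Get-MailTrafficSummary`, the helper `New-SampleEntry` and the sample records are hypothetical and constructed for illustration, and the "sent" rule is the post's own RECEIVE/STOREDRIVER heuristic.

```powershell
# Added example. One pass over tracking entries, one row per address.
function Get-MailTrafficSummary {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Entry)
    begin {
        $stats = @{}   # address -> counters (hashtable keys are case-insensitive)
        function Add-Count($address, $column) {
            if (-not $address) { return }   # skip entries with an empty address
            if (-not $stats.ContainsKey($address)) {
                $stats[$address] = @{ Sent = 0; Received = 0 }
            }
            $stats[$address][$column]++
        }
    }
    process {
        if ($Entry.EventId -eq 'RECEIVE' -and $Entry.Source -eq 'STOREDRIVER') {
            # Sent: the post's heuristic (RECEIVE events from STOREDRIVER)
            Add-Count $Entry.Sender 'Sent'
        }
        elseif ($Entry.EventId -eq 'DELIVER') {
            # Received: one DELIVER event can carry several recipients
            foreach ($rcpt in $Entry.Recipients) { Add-Count $rcpt 'Received' }
        }
    }
    end {
        $stats.GetEnumerator() | Sort-Object Key | ForEach-Object {
            New-Object PSObject -Property @{
                Address = $_.Key; Sent = $_.Value.Sent; Received = $_.Value.Received
            }
        } | Select-Object Address, Sent, Received
    }
}

# Constructed sample entries carrying only the properties the function reads
function New-SampleEntry($id, $source, $from, [string[]]$to) {
    New-Object PSObject -Property @{ EventId = $id; Source = $source; Sender = $from; Recipients = $to }
}
$sample = @(
    (New-SampleEntry 'RECEIVE' 'STOREDRIVER' 'alice@example.com' 'bob@example.com','carol@example.com'),
    (New-SampleEntry 'DELIVER' 'STOREDRIVER' 'alice@example.com' 'bob@example.com','carol@example.com'),
    (New-SampleEntry 'RECEIVE' 'SMTP'        'ext@example.net'   'alice@example.com'),
    (New-SampleEntry 'DELIVER' 'STOREDRIVER' 'ext@example.net'   'alice@example.com'),
    (New-SampleEntry 'RECEIVE' 'STOREDRIVER' 'alice@example.com' 'ext@example.net'),
    (New-SampleEntry 'SEND'    'SMTP'        'alice@example.com' 'ext@example.net')
)
$sample | Get-MailTrafficSummary | Format-Table -AutoSize

# Against a live server (requires the Exchange Management Shell):
# Get-MessageTrackingLog -Server $server -Start $Start -End $End -ResultSize Unlimited | Get-MailTrafficSummary
```

Run over a fixed period, the per-address counts also give a baseline against which an unusual jump in one mailbox's sent volume stands out.
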
Last words

So there we have it, a basic run-down of the message tracking log in Exchange, and how we can use it to pull out some interesting information. I hope it has been useful to you. In the coming days or weeks (depending how much time I have), I will be posting an updated version of the Exchange Information script with these improvements included.