Retrieve Microsoft Exchange Message Tracking Log with PowerShell

  • by

Please refer to the steps below on how to retrieve Microsoft Exchange Message Tracking Log with PowerShell

Default Configuration of Message Tracking Log – Retention of 30 Days with Max file size of 10MB and MAX folder size of 1GB. The message tracking log will be generated hourly

MessageTracking-01

Get-TransportService | Select MessageTrackingLogEnabled, MessageTrackingLogMaxAge, MessageTrackingLogMaxDirectorySize, MessageTrackingLogMaxFileSize, MessageTrackingLogPath  


MessageTrackingLogEnabled          : True
MessageTrackingLogMaxAge           : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 1000 MB (1,048,576,000 bytes)
MessageTrackingLogMaxFileSize      : 10 MB (10,485,760 bytes)
MessageTrackingLogPath             : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
  1. Filter Message for particular sender
$Sender = "kwyong@aventistech.com"
Get-TransportServer | Get-MessageTrackingLog -Sender $Sender `
| Select Timestamp, Source, Eventid, MessageSubject, Sender,Recipients

We will normally pay attention on the following EVENTID & SOURCE to ensure that Email is successfully Sent

RECEIVE – A message was received by the SMTP receive component of the transport service or from the Pickup or Replay directories (source: SMTP), or a message was submitted from a mailbox to the Mailbox Transport Submission service (source: STOREDRIVER).

SUBMIT – The Mailbox Transport Submission service successfully transmitted the message to the Transport service.

Source

STOREDRIVE – The event source was a MAPI submission from a mailbox on the local server.

SMTP – The message was submitted by the SMTP send or SMTP receive component of the transport service.

Timestamp      : 8/3/2019 11:40:50 AM
Source         : STOREDRIVER
EventId        : RECEIVE
MessageSubject : user/group email
Sender         : kwyong@aventistech.com
Recipients     : {kmwong@aventistech.com}

Timestamp      : 8/3/2019 11:40:51 AM
Source         : STOREDRIVER
EventId        : SUBMIT
MessageSubject : user/group email
Sender         : kwyong@aventistech.com
Recipients     : {kmwong@aventistech.com}

You can also export the result (-ResultSize unlimited – To extract all records, but it will take some time to complete) to CSV

$Sender = "kwyong@aventistech.com"
Get-TransportServer | Get-MessageTrackingLog -ResultSize unlimited -Sender $Sender `
| Select Timestamp, Source, Eventid, MessageSubject, Sender,{$_.Recipients} | Export-Csv C:\Temp\kwyong-send.csv -NoTypeInformation
  1. Filter Message for particular Recipient with on 8 March, 2019 only
$Recipient = "m3test@benalec.com.my"
$Date = "3/8/2019"
#Message receive in past 1 hour only
$Hours = (Get-Date).AddHours(-1) 
Get-TransportServer | Get-MessageTrackingLog -Recipients $Recipient -Start $Date `
| Select Timestamp, Source, Eventid, MessageSubject, Sender,{$_.Recipients}

We will normally pay attention on the following EVENTID & SOURCE to ensure that Email is successfully Delivered

HAREDIRECT – A shadow message was created.

AGENTINFO – This event is used by transport agents to log custom data.

SMTP RECEIVE , SMTP SEND and STOREDRIVE DELIVER

Timestamp      : 8/3/2019 12:28:23 PM
Source         : SMTP
EventId        : HAREDIRECTFAIL
MessageSubject : RE: Email Testing @1226PM
Sender         : kwyong@aventistech.com
$_.Recipients  : m3test@benalec.com.my

Timestamp      : 8/3/2019 12:28:23 PM
Source         : SMTP
EventId        : RECEIVE
MessageSubject : RE: Email Testing @1226PM
Sender         : kwyong@aventistech.com
$_.Recipients  : m3test@benalec.com.my

Timestamp      : 8/3/2019 12:28:23 PM
Source         : AGENT
EventId        : AGENTINFO
MessageSubject : RE: Email Testing @1226PM
Sender         : kwyong@aventistech.com
$_.Recipients  : m3test@benalec.com.my

Timestamp      : 8/3/2019 12:28:23 PM
Source         : SMTP
EventId        : SEND
MessageSubject : RE: Email Testing @1226PM
Sender         : kwyong@aventistech.com
$_.Recipients  : m3test@benalec.com.my

Timestamp      : 8/3/2019 12:28:23 PM
Source         : STOREDRIVER
EventId        : DELIVER
MessageSubject : RE: Email Testing @1226PM
Sender         : kwyong@aventistech.com
$_.Recipients  : m3test@benalec.com.my

Reference
1. https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-2019#EventTypes