Search messages in Exchange 2016 using Get-MessageTrackingLog

Message tracking in Microsoft Exchange Server 2016 is very easy with the help of the Message Tracking Logs tool. In this article I’ll show you some features of the Get-MessageTrackingLog cmdlet, which was created specifically for processing message tracking logs.

Run the Get-MessageTrackingLog cmdlet without any additional parameters:

By default, all message transmission events from the last 30 days are displayed, limited to 1000 entries.

To remove the limit of 1000 entries, you can use the -ResultSize parameter and set the value to Unlimited (be careful with it because it can put a heavy load on the server). The results can be displayed page by page (depending on the console size) using the Out-Host cmdlet.

The -Paging parameter is responsible for page output.

The message tracking logs contain a lot of information and some of it can be extremely useful in analyzing server operation, message monitoring and many other tasks. Message tracking log files are stored in the directory %ExchangeInstallPath%TransportRoles\Logs\MessageTracking.

Analyzing these log files can be a difficult task. If you want to display the values of only certain columns, you will run into difficulties, because the column names in the file differ from the names of the same columns in PowerShell. You can use the Format-List cmdlet, which displays each property of an object on a separate line. We display all the fields and data for the first log entry.

Now you can work with the returned data freely and select only what is necessary. For example, you may want to see which connectors a message passes through when it is sent from within the organization to an internal recipient (we narrow the search by specifying the subject of the message). To do this, we use the ConnectorID property. You can use the Format-Table cmdlet to present the data as a table and fit the column widths with the -AutoSize parameter.

As you can see everything is simple and clear and even the names of connectors, including system ones, are visible.

Next we’ll try to process the output of Get-MessageTrackingLog with the help of a very interesting Group-Object cmdlet. It allows you to group objects by some property and count their number. This cmdlet is usually used last (or one of the last), because it creates new objects in the pipeline and you can no longer process the objects of the Get-MessageTrackingLog cmdlet.

We will try to count the number of all messages sent and received by users of your organization to recipients on outlook.com. To do this, you need to add a condition that filters for the relevant recipients. You can do this with the Where-Object cmdlet.

Received messages:

I do not recommend using -ResultSize Unlimited without specifying a start date. You can set the date like this: -Start (Get-Date).AddDays(-1). The expression takes the current timestamp and subtracts one day from it, so you get recipient statistics for the last 24 hours.
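One way to script the counting described above, as an added example that is not from the original article. Get-DomainMailCount is a hypothetical helper name, the sample entries are constructed, and counting only SEND/RECEIVE events with Source SMTP is an assumption made so that one message is not counted once per logged event.

```powershell
# Added example; Get-DomainMailCount is a hypothetical helper, not an Exchange cmdlet.
function Get-DomainMailCount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Entry,  # tracking log entry
        [Parameter(Mandatory)] [string]$Domain,                    # e.g. outlook.com
        [ValidateSet('Sent', 'Received')] [string]$Direction = 'Sent'
    )
    begin {
        $pattern = "*@$Domain"
        $hits = New-Object 'System.Collections.Generic.List[object]'
    }
    process {
        # A single message logs several events; keep only the SMTP hand-off
        # (assumption: SEND/RECEIVE with Source SMTP is the event to count).
        if ($Entry.Source -ne 'SMTP') { return }
        if ($Direction -eq 'Sent') {
            # Recipients is a collection, so -like returns the matching addresses
            $isHit = $Entry.EventId -eq 'SEND' -and ($Entry.Recipients -like $pattern)
        } else {
            $isHit = $Entry.EventId -eq 'RECEIVE' -and ($Entry.Sender -like $pattern)
        }
        if ($isHit) { $hits.Add($Entry) }
    }
    end {
        # Group-Object comes last: it emits group objects, not tracking entries
        $hits | Group-Object -Property Sender -NoElement |
            Sort-Object -Property Count -Descending |
            Select-Object -Property Count, Name
    }
}

# Constructed sample entries standing in for Get-MessageTrackingLog output
$sample = @(
    [pscustomobject]@{ EventId = 'RECEIVE'; Source = 'STOREDRIVER'; Sender = 'alice@example.com'; Recipients = @('pat@outlook.com') }
    [pscustomobject]@{ EventId = 'SEND'; Source = 'SMTP'; Sender = 'alice@example.com'; Recipients = @('pat@outlook.com') }
    [pscustomobject]@{ EventId = 'SEND'; Source = 'SMTP'; Sender = 'alice@example.com'; Recipients = @('sam@outlook.com', 'bob@example.com') }
    [pscustomobject]@{ EventId = 'SEND'; Source = 'SMTP'; Sender = 'bob@example.com'; Recipients = @('carol@example.net') }
    [pscustomobject]@{ EventId = 'RECEIVE'; Source = 'SMTP'; Sender = 'pat@outlook.com'; Recipients = @('alice@example.com') }
)
$sample | Get-DomainMailCount -Domain 'outlook.com' -Direction Sent | Format-Table -AutoSize

# In the Exchange Management Shell, bound the search with -Start:
# Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
#     Get-DomainMailCount -Domain 'outlook.com' -Direction Received
```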

Searching Message Tracking Logs by Sender Email Address

To get the messages sent in the last hour, use the following PowerShell command:

If you search over a broader time range, you may see more results than you really want to see:

Searching Message Tracking Logs by Recipient Email Address

It doesn’t matter whether the recipient was in the To, CC, or BCC field of the message; the search will return any match regardless.

Here both the test email sent to David and Xinul, as well as another email sent only to David, are returned in the same results.

Searching Message Tracking Logs for Wildcard Values or Partial Matches

Wildcard searches are not allowed with the -Sender and -Recipient parameters. But you can use wildcards if you pipe the output of Get-MessageTrackingLog into Where-Object instead.

You can see that the wildcard is used with the -like operator, but another technique is to use the -match operator which doesn’t require the wildcard character.

Thank you for spending some time at my site and in my blog. I hope you come to visit again soon 😉

About Lex van der Horst
Techwire
