You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell to analyze mail flow, perform message forensics, and get various details about messages sent or received by a specific mailbox in your email organization. In this article, I'll show several examples of PowerShell one-liner commands that I often use to track messages on Exchange Server 2016/2013/2010 and Office 365 (Exchange Online).
Let me remind you that the Exchange transport logs are located in the %ExchangeInstallPath%TransportRoles\Logs\MessageTracking folder. The most efficient and flexible way to analyze message tracking logs in Exchange is to use the Get-MessageTrackingLog cmdlet.
First of all, consider the main Get-MessageTrackingLog parameters that you can use to filter events in the logs. The following cmdlet parameters are used most often:
- Sender – search by sender;
- Recipients – search by recipient;
- Server – search on the specific transport server;
- Start "11/30/2019 08:00:00" -End "12/18/2019 21:00:00" – search for the specific time period;
- MessageSubject – search by message subject;
- EventID – search by Exchange event (as a rule, the following codes are used: RECEIVE, SEND, FAIL, DSN, DELIVER, BADMAIL, RESOLVE, EXPAND, REDIRECT, TRANSFER, SUBMIT, POISONMESSAGE, DEFER);
- MessageId – track by a message ID.
If you run the Get-MessageTrackingLog cmdlet without any parameters, all events from the Exchange transport logs for the last 30 days will be displayed. The cmdlet displays the last 1,000 events only. To remove this restriction, use the -ResultSize Unlimited parameter. (It is not recommended to do this without some additional filter parameters because of the potentially high load on your transport server.)
You can display the information about your Exchange events page by page using this command:
Get-MessageTrackingLog | Out-Host -Paging
To display the data in table format and adjust the column width, the Format-Table cmdlet is used:
Get-MessageTrackingLog | Format-Table -AutoSize
If several Hub Transport servers are used in your Exchange organization, you will need to specify the name of a server to search as an argument of the -Server parameter. Or run the message tracking command for each of your Hub Transport servers using the pipe:
Get-TransportServer | Get-MessageTrackingLog
Let's display all emails for the last 24 hours ((Get-Date).AddHours(-24)) in which a recipient from the @gmail.com domain is specified:
Get-MessageTrackingLog -Start (Get-Date).AddHours(-24) -ResultSize Unlimited | Where-Object { [string]$_.Recipients -like "*@gmail.com*" }
To display all emails sent by a specific user through a certain server in a given time period, use the command below (only the specified tracking fields will be displayed in the report):
Get-MessageTrackingLog -ResultSize Unlimited -Sender "[email protected]" -Server rome-hub-01 -Start "11/30/2019 06:00:00" -End "12/13/2019 22:00:00" | Select-Object Timestamp,Sender,Recipients,MessageSubject,EventId | Format-Table
Let's find all emails sent by one user to another and export the search results to a CSV file:
Get-MessageTrackingLog -Sender "[email protected]" -Recipients "[email protected]" -ResultSize Unlimited -Server rome-hub-01 | Select-Object Timestamp,Sender,@{Name="Recipients";Expression={$_.Recipients -join ","}},MessageSubject | Export-Csv -Path "C:\Export\exchange\exchange_tracking_logs.csv" -Encoding Default -Delimiter ";"
You can search by the message subject. To display all emails with the word "test" in the subject field, run the following command. (To display the results in a separate graphical window as a table with convenient sorting, filtering and search features, you can use the Out-GridView cmdlet.)
Get-MessageTrackingLog -MessageSubject "test" -ResultSize Unlimited -Server rome-hub-01 | Select-Object Timestamp,Sender,Recipients,MessageSubject | Out-GridView
You can search by the specific message ID (you can get it from the message header in Outlook):
Get-MessageTrackingLog -MessageId "[email protected]" -ResultSize Unlimited -Server rome-hub-01 | Select-Object Timestamp,Sender,Recipients,MessageSubject
To count the number of incoming email messages for a specific mailbox for the last 7 days, run the following command:
(Get-MessageTrackingLog -EventID "RECEIVE" -Recipients "[email protected]" -Start (Get-Date).AddDays(-7) -ResultSize Unlimited).Count
You can display more interesting message statistics. For example, you want to see how many emails from different senders in the gmail.com domain have been received by users of your company over the last 5 days (we will display the total number of emails sent by each external sender):
Get-MessageTrackingLog -EventId "Receive" -Start (Get-Date).AddDays(-5) -ResultSize Unlimited | Where-Object { $_.Sender -like "*@gmail.com" } | Group-Object Sender | Sort-Object Count -Descending | Format-Table *
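The commands above return one row per transport event, so following a single message means reading several rows. The block below is an added example, not part of the original article: it groups tracking events by MessageId and rebuilds each message's event path, servers and failure status. The function names Get-MessageDeliverySummary and New-SampleEvent, the server rome-hub-02 and the sample addresses are hypothetical.

```powershell
# Added example. Input objects need the Get-MessageTrackingLog properties
# Timestamp, EventId, ServerHostname, Sender, Recipients, MessageSubject,
# MessageId. Requires PowerShell 3.0 or later.
function Get-MessageDeliverySummary {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $InputObject)
    begin   { $all = New-Object System.Collections.ArrayList }
    process { [void]$all.Add($InputObject) }
    end {
        $bad = 'FAIL', 'DEFER', 'BADMAIL', 'POISONMESSAGE'
        $all | Group-Object MessageId | ForEach-Object {
            $ordered = @($_.Group | Sort-Object Timestamp)
            $failed  = @($ordered | Where-Object { $bad -contains $_.EventId })
            [pscustomobject]@{
                MessageId  = $_.Name
                Sender     = $ordered[0].Sender
                Subject    = $ordered[0].MessageSubject
                # Recipients is multi-valued: flatten, de-duplicate, join.
                Recipients = @($ordered | ForEach-Object { $_.Recipients } |
                               Sort-Object -Unique) -join ';'
                FirstSeen  = $ordered[0].Timestamp
                LastSeen   = $ordered[-1].Timestamp
                Path       = @($ordered | ForEach-Object { $_.EventId }) -join ' > '
                Servers    = @($ordered | ForEach-Object { $_.ServerHostname } |
                               Sort-Object -Unique) -join ','
                HasFailure = $failed.Count -gt 0
            }
        }
    }
}

# Constructed sample events (not real log data) so the function runs offline.
function New-SampleEvent($Minute, $EventId, $Server, $Id, $To) {
    [pscustomobject]@{
        Timestamp = ([datetime]'2019-12-02T09:00:00').AddMinutes($Minute)
        EventId = $EventId; ServerHostname = $Server; MessageId = $Id
        Sender = 'alice@example.com'; Recipients = @($To); MessageSubject = 'Q4 report'
    }
}
$sample = @(
    New-SampleEvent 0 'RECEIVE' 'rome-hub-01' '<m1@example.com>' 'bob@example.net'
    New-SampleEvent 1 'DELIVER' 'rome-hub-02' '<m1@example.com>' 'bob@example.net'
    New-SampleEvent 2 'RECEIVE' 'rome-hub-01' '<m2@example.com>' 'carol@example.org'
    New-SampleEvent 3 'DEFER'   'rome-hub-01' '<m2@example.com>' 'carol@example.org'
    New-SampleEvent 9 'FAIL'    'rome-hub-01' '<m2@example.com>' 'carol@example.org'
)
$sample | Get-MessageDeliverySummary | Format-List
# Live use in the Exchange Management Shell:
# Get-TransportServer | Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
#     Get-MessageDeliverySummary | Where-Object { $_.HasFailure }
```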
Office 365 allows you to search the message tracking logs from the Exchange Admin Center (EAC). Go to Mail Flow -> Message Trace and fill in the search fields. This is actually the web interface for the Get-MessageTrackingLog cmdlet, which allows the user to generate a PowerShell tracking command in a simple web form.