MS Exchange has message tracking logs which admins can use to fetch message delivery details and monitor mailbox traffic. These logs are available in both on-premises Exchange and Office 365 environments. In an on-premises Exchange server, you can access these logs via PowerShell by using the Get-MessageTrackingLog cmdlet. In Office 365, you can access them via the Exchange Admin Center (EAC).
Significance of Message Tracking Logs
The following are some practical uses of message tracking logs in MS Exchange:
- Analytics: Message tracking logs store the details of every message that goes through the server. Thus, you can use these logs for analytics, such as reviewing who sent or received the most messages, how many messages were sent on a particular day, etc.
- Message Delivery Monitoring: You can use message tracking logs to look into message delivery issues. If a message is undelivered, you can find its details in the logs.
- Email Forensics: Email investigation is one of the most critical techniques in email forensics, and message tracking logs can help in such investigations. Suppose an investigation is conducted in an organization and someone has deleted some important emails from the server. In that case, you can examine message tracking logs for details about the deleted emails.
Message Tracking Logs Location
Message tracking logs are CSV files with .LOG extension. These files are stored in the Exchange Server at the following default location:
Exchange Server uses circular logging. This means that old log files are overwritten when the folder reaches its maximum size or when the files reach their maximum age. By default, the maximum folder size is 10 GB and the maximum log file age is 30 days.
Log Files in an Exchange Server
Important Fields in Message Tracking Logs
- Sender, Recipient, MessageSubject: Show the name of the sender, the name of the receiver, and the subject of the message.
- Timestamp: The time when an event took place.
- TotalBytes: Shows the size of the message.
- EventID, RecipientStatus, and MessageInfo: Provide details about what happened to a message.
How to Use Get-MessageTrackingLog Cmdlet?
You can use the Get-MessageTrackingLog cmdlet to search for message delivery details in the message tracking log.
Note: The Get-MessageTrackingLog cmdlet is available only for on-premises Exchange Server.
You can use the Get-MessageTrackingLog cmdlet to generate custom reports by using a wide range of parameters and syntaxes. Some of these parameters are:
For demonstration, we ran the following command in our Exchange Server:
Get-MessageTrackingLog -Recipients firstname.lastname@example.org -Start "03/04/2021 4:00:00" -End "03/04/2021 5:00:00"
This fetched the message log entries between 4:00:00 and 5:00:00 AM on March 4, 2021 for email@example.com (the recipient). In the MessageSubject column, you can see the email subject for each entry. The EventId column shows the event type of each entry. For instance, RECEIVE denotes that the message was received by the transport service's SMTP receive component or from the Replay or Pickup directories. For details of these events, refer to Microsoft's Message Tracking document.
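To read the EventId values as a delivery path rather than as separate rows, the entries for each message can be grouped by MessageId and ordered by Timestamp. The following is an added example, not part of the original article: Get-MessageTimeline is a hypothetical helper, and the sample entries are constructed so the script also runs without an Exchange server.

```powershell
# Added example. Get-MessageTimeline is a hypothetical helper, not an Exchange cmdlet.
function Get-MessageTimeline {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Entry)
    begin   { $all = New-Object System.Collections.ArrayList }
    process { if ($Entry.MessageId) { [void]$all.Add($Entry) } }
    end {
        foreach ($group in ($all | Group-Object -Property MessageId)) {
            # Order one message's events by time to see its path through transport.
            $events = @($group.Group | Sort-Object -Property Timestamp)
            $ids    = @($events | ForEach-Object { [string]$_.EventId })
            if ($ids -contains 'FAIL') {
                $outcome = 'Failed for at least one recipient'
            } elseif ($ids -contains 'DELIVER' -or $ids -contains 'SEND') {
                $outcome = 'Delivered or sent'
            } else {
                $outcome = 'Unresolved in this time window'
            }
            [pscustomobject]@{
                MessageId = $group.Name
                Sender    = $events[0].Sender
                Subject   = $events[0].MessageSubject
                FirstSeen = $events[0].Timestamp
                LastSeen  = $events[-1].Timestamp
                Path      = $ids -join ' > '
                Outcome   = $outcome
            }
        }
    }
}

# Constructed sample entries shaped like Get-MessageTrackingLog output.
$sample = @(
    [pscustomobject]@{ Timestamp=[datetime]'2021-03-04T04:10:05'; EventId='DELIVER'; MessageId='<m1@contoso.test>'; Sender='alice@contoso.test'; MessageSubject='Q1 invoice' }
    [pscustomobject]@{ Timestamp=[datetime]'2021-03-04T04:10:02'; EventId='RECEIVE'; MessageId='<m1@contoso.test>'; Sender='alice@contoso.test'; MessageSubject='Q1 invoice' }
    [pscustomobject]@{ Timestamp=[datetime]'2021-03-04T04:20:00'; EventId='RECEIVE'; MessageId='<m2@contoso.test>'; Sender='bob@contoso.test'; MessageSubject='Contract draft' }
    [pscustomobject]@{ Timestamp=[datetime]'2021-03-04T04:20:09'; EventId='FAIL'; MessageId='<m2@contoso.test>'; Sender='bob@contoso.test'; MessageSubject='Contract draft' }
    [pscustomobject]@{ Timestamp=[datetime]'2021-03-04T04:45:30'; EventId='RECEIVE'; MessageId='<m3@contoso.test>'; Sender='carol@contoso.test'; MessageSubject='Weekly report' }
)
$sample | Get-MessageTimeline | Format-Table -AutoSize

# On an Exchange server, pipe a real query into the helper instead:
# Get-MessageTrackingLog -Start "03/04/2021 4:00:00" -End "03/04/2021 5:00:00" | Get-MessageTimeline
```

Get-MessageTrackingLog searches one server at a time (see its -Server parameter), so in a multi-server organization the query has to be repeated per transport server before the path is complete.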
Let’s take another example of the Get-MessageTrackingLog cmdlet:
Get-MessageTrackingLog -Start (Get-Date).AddDays(-10) -ResultSize Unlimited | Where-Object -Property Recipients -NotLike "*HealthMailbox*"
This command fetches the entries from the last 10 days of the message tracking logs. The Where-Object -Property Recipients -NotLike "*HealthMailbox*" part leaves out the entries related to Health Mailboxes.
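The analytics use mentioned earlier (who sent the most messages, and how much data) can be built on the same query. The following is an added example, not part of the original article: Get-SenderTrafficSummary is a hypothetical helper, and the sample entries are constructed. It counts each message once per MessageId, because a single message logs several events.

```powershell
# Added example. Get-SenderTrafficSummary is a hypothetical helper, not an Exchange cmdlet.
function Get-SenderTrafficSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Entry,
        [int] $Top = 10
    )
    begin { $unique = @{} }
    process {
        # Skip entries addressed to Health Mailboxes.
        if ($Entry.Recipients -like '*HealthMailbox*') { return }
        if ([string]::IsNullOrEmpty($Entry.MessageId)) { return }
        # One message logs several events (RECEIVE, DELIVER, SEND, ...).
        # Keep the first entry per MessageId so each message is counted once.
        if (-not $unique.ContainsKey($Entry.MessageId)) {
            $unique[$Entry.MessageId] = $Entry
        }
    }
    end {
        $unique.Values | Group-Object -Property Sender | ForEach-Object {
            [pscustomobject]@{
                Sender     = $_.Name
                Messages   = $_.Count
                TotalBytes = ($_.Group | Measure-Object -Property TotalBytes -Sum).Sum
            }
        } | Sort-Object -Property Messages, TotalBytes -Descending |
            Select-Object -First $Top
    }
}

# Constructed sample entries shaped like Get-MessageTrackingLog output.
$sample = @(
    [pscustomobject]@{ MessageId='<m1@contoso.test>'; EventId='RECEIVE'; Sender='alice@contoso.test'; Recipients=@('bob@contoso.test'); TotalBytes=5120 }
    [pscustomobject]@{ MessageId='<m1@contoso.test>'; EventId='DELIVER'; Sender='alice@contoso.test'; Recipients=@('bob@contoso.test'); TotalBytes=5120 }
    [pscustomobject]@{ MessageId='<m2@contoso.test>'; EventId='RECEIVE'; Sender='alice@contoso.test'; Recipients=@('carol@contoso.test'); TotalBytes=20480 }
    [pscustomobject]@{ MessageId='<m3@contoso.test>'; EventId='RECEIVE'; Sender='bob@contoso.test'; Recipients=@('alice@contoso.test'); TotalBytes=1024 }
    [pscustomobject]@{ MessageId='<p1@contoso.test>'; EventId='RECEIVE'; Sender='probe@contoso.test'; Recipients=@('HealthMailbox0123@contoso.test'); TotalBytes=512 }
)
$sample | Get-SenderTrafficSummary -Top 5

# On an Exchange server, feed it the 10-day query instead:
# Get-MessageTrackingLog -Start (Get-Date).AddDays(-10) -ResultSize Unlimited | Get-SenderTrafficSummary
```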
Message Tracking in Office 365
In Office 365, you can search message tracking logs by using the Exchange Admin Center (EAC). For this, go to Mail Flow > Message Trace. The EAC provides a simple search form that you can fill in as per your requirements.
Advanced Message Tracking with Stellar Reporter & Auditor for Exchange Server
Stellar Reporter & Auditor for Exchange Server is an advanced software tool that helps in auditing and monitoring Exchange Server mailboxes. It’s a valuable tool for all Exchange administrators as it creates as many as 142 reports on different Exchange activities.
Stellar Reporter & Auditor for Exchange Server offers a complete solution for message tracking and analytics in an Exchange environment. It also saves time and makes message analysis more accurate.
The software has a separate category for Mailbox Traffic Reports. These reports provide details of the inflow and outflow of traffic from MS Exchange mailboxes.
The following reports are offered under Mailbox Traffic:
- Number of Messages by Sender: It provides details about the number of messages sent by the users during a specific period. The report contains the mailbox address, total number of emails sent, including internal and external emails, and a graph displaying the top 10 senders based on total number of emails sent.
- Size of Messages by Sender: This report provides details about the size of messages sent by different users. The report contains the mailbox address, size of emails sent, including the size of internal and external emails, and a graph displaying the top 10 senders based on the total size of the emails sent.
- Number of Messages by Receiver: This provides details about the number of messages received by different users. The report contains the mailbox address, total number of emails received, including internal and external emails, and a graph displaying the top 10 receivers based on the total number of emails received.
- Size of Messages by Receiver: It provides details about the size of messages received by different users. The report contains the mailbox address, size of emails received, including the size of internal and external emails, and a graph displaying the top 10 receivers based on the total size of the emails received.
- Sent Traffic for Users: The report provides sent traffic details for specific users, including the date, sender’s email address, recipient’s name, email subject, size, and ID.
- Received Traffic for Users: The report provides received traffic details for specific users, including the date, receiver’s email address, receiver’s name, email subject, size, and ID.
Stellar Reporter & Auditor makes message tracking more accurate and easier because it:
- Offers detailed email statistics, alerts, dynamic graphs, etc.
- Allows the administrators to schedule mailbox traffic and other message-related scanning and reporting tasks
- Offers remote access to reports through a web interface for mailbox traffic monitoring
Stellar Reporter & Auditor for Exchange Server is a highly advanced solution for Exchange monitoring and reporting. It’s compatible with Exchange Server 2016, 2013, 2010, and 2007 and is free for up to 60 days. Try it today!
The message tracking logs in Exchange Server help monitor message deliveries, generate reports for analytics, etc. You can access these logs by using the Get-MessageTrackingLog cmdlet. However, executing these cmdlets is time-consuming and requires complete technical knowledge. Alternatively, you can use dedicated Exchange auditing and monitoring software, such as Stellar Reporter & Auditor for Exchange Server, which simplifies Exchange monitoring tasks. You can use the software to generate various reports (including message tracking reports), monitor mailbox activities, and more.