How To Get A Real Exchange Log

Exchange 2007 logoSo time and time again I have staff come and tell me they didn’t receive an email or they sent something and the other person didn’t receive it. Obviously this takes it toll on an IT Administrator and you need to know how to check (or prove) what really happened to the email. In Exchange 2007 this can be a challenge and for something that should be a common request you will see that it takes a lot of time to resolve. This is my first technical post on my blog so for those not interested it’s time to tune out.

OK, got rid of the non-nerds. Straight into it then. Exchange 2007 can be painful.   You can’t produce a “real” transaction logs from a GUI and you certainly don’t have all the power to get into the nitty-gritty. We will look at the GUI and Exchange Management Shell (EMS) in this blog and if you haven’t used EMS I suggest you start. It is the only real way to manage Exchange 2007 and this continues with Exchange 2010 and also Office 365 (A future post to look out for).

The GUI

So I said you can’t produce a “real” transaction log from the Exchange Management Console (EMC – Exchange 2007 GUI). What I meant by this is that if you have more than one server in your Exchange farm then you’re never going to get a full transport log from the GUI. The GUI can only report from one server at a time. (I have no idea who thought this was a good feature)

To do some reporting you will need to open the EMC. This is found on all Exchange servers and can installed on Windows XP SP3/7.

Exchange Management Tools – 32 Bit: http://www.microsoft.com/en-us/download/details.aspx?id=11876

Exchange Management Tools – 64 Bit: Install from Exchange 2007 DVD/iso

Open EMC.

Exchange Management Console Logo

Go to Toolbox – Message Tracking.

EMC Toolbox Selection

EMC Message Tracking Selection

This will open the Microsoft Exchange Troubleshooting Assistant and it may check and require updates. Let this run its course.

Click “Go to Welcome Screen”. You will be presented with the Message Tracking Parameters screen. It should look similar to the below screen.

EMC Logs - Parameter Selection Screen

 

I have highlighted key components but one thing you will notice is down the bottom is the EMS command. Exchange, like with many of it’s GUI operations, is just running a EMS command. It is good to note this as it is what we will be using it later.

The other important parameter here is the EventID. The EventID is what type of event is written to the log. Was it sent (SEND)? Was it Received (RECEIVE)? For a full an understanding of parameter have a look below.

Here’s a list of some of these EventIDs:

EventID Description
DEFER Message delivery delayed
DELIVER Message delivered to a mailbox
DSN A delivery status notification was generated.
Messages quarantined by the Content Filter are also delivered as DSNs. the recipients field has the SMTP address of the quarantine mailbox.
EXPAND Distribution Group expanded. The RelatedRecipientAddress field has the SMTP address of the Distribution Group.
FAIL Delivery failed. The RecipientStatus field has more information about the failure, including the SMTP response code. You should also look at the Source and Recipients fields when inspecting messages with this event.
POISONMESSAGE Message added to or removed from the poison queue
RECEIVE Message received. The Source field is STOREDRIVER for messages submitted by Store Driver (from
a Mailbox server), or SMTP for messages
a) received from another Hub/Edge
b) received from an external (non-Exchange) host using SMTP
c) submitted by SMTP clients such as POP/IMAP users.
REDIRECT Message redirected to alternate recipient
RESOLVE Generally seen when a message is received on a proxy address and resolved to the default email address. The RelatedRecipientAddress field has the proxy address the message was sent to. The recipients field has the default address it was resolved (and delivered) to.
SEND Message sent by SMTP. The ServerIP and ServerHostName parameters have the IP address and hostname of the SMTP server.
SUBMIT The Microsoft Exchange Mail Submission service on a Mailbox server successfully notified a Hub Transport server that a message is awaiting submission (to the Hub). These are the events you’ll see on a Mailbox server.
The SourceContext property provides the MDB Guid, Mailbox Guid, Event sequence number, Message class, Creation timestamp, and Client type. Client type can be User (Outlook MAPI), RPCHTTP (Outlook Anywhere), OWA, EWS, EAS, Assistants, Transport.
TRANSFER Message forked because of content conversion, recipient limits, or transport agents

Table thanks to Exchangepedia

To be honest we aren’t going spend any more time looking at this. The EMC is useless for anything other than one server Exchange farms. In most organisations this just isn’t going to happen. You want redundancy and high availability in your Exchange platform. (A business without email is an unhappy business)

Moving right along to the EMS…

The “Power”ful shell

EMS is built on Microsoft’s Powershell interface. It is just an extension for Windows Powershell and works on anything you can install the Exchange Management Tools on. For now, I will expect that you have used Exchange PowerShell before. So there won’t be any notes about formatting or other commands here. We will be looking at the “get-messagetrackinglog” command for Exchange 2007 (Exchange 2010 change this command).

So the big problem we faced with the GUI was that we could only report on one server. The EMS allows us to overcome this by querying all of the servers from the one command. This is extremely useful as when people want to track potential emails you don’t have the time to report from all of the different servers. To overcome this you need to use and understand the following command.

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true}

Thankfully EMS commands are almost English. This is saying that you want to find all Exchange servers that have a Hub Transport and/or Mailbox Role. Pretty straight forward. From here we need to get this to work together with the Message Tracking command. You just need to PIPE it “|”. It may look a little something like this.

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Sender "me@jaidametto.com" -Recipients "you@jaidametto.com"  -EventID "RECEIVE" -Start "15/07/2012 12:00:00 AM" -End "18/07/2012 9:39:00 AM"

This command will check the Exchange Farm for all email’s received by you@jaidametto.com that were sent by me@jaidametto.com between a certain time frame.

Almost any of the parameters are optional. You can remove the -End and it will just work from the -Start timestamp and vice-a-versa. You don’t need a -Sender so you can see all of the emails received by you@jaidametto.com.

Whatever it is you need if you use the right parameters you will normally find it. However what good is all this if it just produces it to screen. You probably want it to be in something a little more tangible. This is why we export it from the EMS. Try something like the following command.

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Sender "me@jaidametto.com" -Recipients "you@jaidametto.com"  -EventID "RECEIVE" -Start "15/07/2012 12:00:00 AM" -End "18/07/2012 9:39:00 AM" | Export-CSV ‘c:\logoutput\emails_to_you.csv’

All we have done is piped the command to package it in a nice CSV file. Now we can take it to Excel and produce a proper report. That’s it… Pretty easy. Remember you can’t hurt anything by using these commands so play with the EventIDs until you get the result you’re looking for.

Other Important Information

So depending on your email requirements you may find that you don’t maintain enough logs to be able to report/track back as far as you would like. This can happen quickly because Exchange loves resources. It also loves to log all the transport events we want to report on. However the standard 250MB of logs may not be enough. There is also a default age limit of 30 days. How this is good for any administrator I don’t know but it keeps the HDD space to a minimum. So how do you tell what you have?

Go to EMS. Type in the following.

Get-TransportServer SERVERNAME | fl *tracking*

or

Get-MailboxServer SERVERNAME | fl *tracking*

Where SERVERNAME is one of your transport/mailbox servers. This will show you something similar to the below.

From here you can ensure you have the space on the selected server and increase the log sizes or maximum log file age. To change these parameters use the following commands.

Set-TransportServer SERVERNAME –MessageTrackingLogMaxDirectorySize 1024MB

This will change how large the log directory can get. It is really important that you have provisioned for correctly if you change this.

Set-TransportServer SERVERNAME –MessageTrackingLogMaxFileSize 20MB

This will change how large the individual log files can get inside of the directory. It should only be changed if you know what you’re doing.

Set-TransportServer SERVERNAME –MessageTrackingLogMaxAge DD.HH:MM:SS

This allows you to extend or shorten the time frame of when logs expire. I can’t recommend enough that you extend this. I personally like 365 days (The log will probably run out of space way before then).

0 comments

Find Me On

Visit Us On FacebookVisit Us On GooglePlusVisit Us On LinkedinVisit Us On TwitterCheck Our Feed

Calendar

December 2017
M T W T F S S
« May    
 123
45678910
11121314151617
18192021222324
25262728293031