Query Archived Message Tracking Logs

Similar Messages

• More Info Needed in Message Tracking Logs in Exchnage 2010 MAILBOX

  Hello All
  I would like to understand more on message tracking which was little bit confused for me 2 days back.
  As far as i can know, HUB SERVER is  the main part of the messaging tracking is playing  vital role in Exchange 2010.
  also, mailbox roles too...
  i can see the message tracking logs created in mailbox is only usefull , for  web interface for message tracking is part of the Exchange Control Panel and provides very basic search
  functionality to search for messages either sent by or received by a mailbox, based on the sender, recipients, and subject line.  
  so message tracking logs which is available in mailbox is only user for end users who can perform the message tracking by themself vua ECP without installing EMC. -- AM I RIGHT  
  How will message tracking logs created in mailbox servers .......... will it replicate from HUB servers?  
  so if i have 4 mailbox servers, will all the mailbox servers having the same message tracking logs? or we may get different
  Your information is much valuable to better understand on MT

  Hi Rush,
  Please checkout this technet blog available at below link which clarify your concern in depth:
  http://blogs.technet.com/b/messaging_with_communications/archive/2011/04/22/how-to-track-message-in-exchange-2003-2007-2010.aspx
  http://exchangeserverpro.com/exchange-2010-message-tracking/
  However, a helpful resource you can checkout at here(http://www.exchangereports.net/) which comes with similar features while need to track mailboxes(sent/received emails), server traffic reports or folder reports in exchange server. It facilitates to produce
  the reports in various format which suits better in our environment.

• Exchange Server 2010 - Message Tracking Logs - Log file creation

  Hi,
  I would like to find out on the behavior of the exchange server in the way that it logs the message tracking.
  Currently the parameter used is 
  MessageTrackingLogMaxDirectorySize - 10GBMessageTrackingLogMaxAge - 30daysI would like to check when the Max Directory Size has exceeded the value indicated, does Exchange server immediately deletes the oldest log file to make space for the new logs?And in the event that the oldest file is being open or locked, will exchange server delete the next oldest file? or it will reattempt to delete the "locked" file for a period of time?Lastly, when these "oldest" files is not able to be deleted, will exchange server stops logging new tracking events?Thanks!

  Hi Zack,
  Thank you for your question.
  If you have configured the parameter of “MessageTrackingLogMaxDirectorySize” and “MessageTrackingLogMaxAge”, we think you have enable circular logging, it will delete the oldest message tracking log files for new log file when the either of the following
  conditions is true:
  The message tracking log directory reaches its specified maximum size.
  A message tracking log file reaches its specified maximum age.
  In addition, it didn’t exceeded the value indicated.
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Jim Xu
  TechNet Community Support

• Message Tracking logs for secondary smtp address

  Hi,
  There are many people sending mails to secondary smtp address instead of primary smtp address. How can i pull the report of message tracking logs if they sent it to secondary smtp address using get-messagetrackinglog cmdlet?
  Sankar M http://messagingdevelopment.blogspot.in/

  Hi Sankar,
  If I don't understand your description, it seems that you want to get the message tracking log on an mailbox with primary SMTP address and secondary SMTP address.
  If it is the case, please add both primary SMTP address and secondary SMTP address to the "Recipients" parameter. More details to see:
  http://technet.microsoft.com/en-us/library/aa997573(v=exchg.150).aspx
  Thanks
  Mavis Huang
  TechNet Community Support

• Message tracking log of internal users who are all sent the mails to external domain

  Hi ,
  How can i get the message tracking log from internal users to external users?
  We need the report of internal users who are all sent the mails to the external domain
  Regards,
  Sankar M
  Sankar M http://messagingdevelopment.blogspot.in/

  Sankar, your outbound send connector has an address space of *. So when you run "Get-SendConnector", you will see something like the following:
  Identity                                AddressSpaces                          
  Enabled
  Unix System Connection                  {SMTP:*.domfreebusy.contractor.hunti... True
  Outgoing SMTP Connector                
  {SMTP:*;10}                             True
  Mailbox Journaling Connector            {SMTP:pdwastap01.huntington.com;1}      True
  The middle one with the {SMTP:*;10} in my case (you may have a different number than 10 in yours) is my outbound connector. So yours will show an address space of {SMTP:*;<some number, 10 is the default>}. HTH ...

• Message tracking log - time period

  Hi,
  How long are message tracking logs keeped on appliance?
  How can i control message tracking logs.
  Lots of HDD space available and I want 3 months of available Message Tracking logs.
  When are Message traking logs deleted from the appliance?

  Message tracking is based on the drive space available on the ESA appliance.
  It is not possible to configure the # of days for retention of message tracking data. The set HDD storage allocation for message tracking data is limited. HDD storage allocation is set based on the hardware:
  C1X0: 10G
  C3X0: 20G
  C6X0: 50G
  X10X0: 50G
  Your best solution in order to store mail logs/message tracking - would be to also have configured to store the mail_logs off to a syslog server --- that way you can determine the full extent/length of the retention period.  (And also allows you to search/manipulate all mail_logs with a little easier access that may be available on the ESA.)
  Hope that helps!
  -Robert

• Definition of timestamp field in the message tracking log

  Hi,
  anyone can help me with the exact definition of timestamp field that I retrieve in the messagetracking log?
  I think that is the exact time by which the exchange server receive a mail and start to elaborate it
  Can you confirm please
  Thank you very much
  Luca Pozzoli

  Hi ,
  Please have a look in to the below mentioned points .
  Anyone can help me with the exact definition of timestamp field that I retrieve in the messagetracking
  log?
  Time stamp in exchange will help us identity at when and what time the message has been received and processed
  from source server to destination server.
  With the help of time stamps we can able to identify the message delay between the hops .
  As an additional info you can review the time stamps in message headers as well on the message tracking logs.
  Regards
  S.Nithyanandham
  Thanks S.Nithyanandham

• Attachment Name of emails from Message Tracking Logs

  Hi,
  I have been able to get NDR from message tracking logs in Exchange 2010 using Exchange Management Shell. Is it possible to include the file name of the attactment of the emails from the report generated?
  Regards,
  Emansky
  All the best, Eman Lacuata

  Hi,
  No that is not possible. 
  Message tracking will never include names of attachments.
  Martina Miskovic - http://www.nic2012.com/
  Agree.
  Refer to:
  Managing Message Tracking
  http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx
  Note: Content specific to Exchange 2010 SP1 will be available at a later date.   
  Best Regards Fiona Liao E: [email protected]

• RecipientThreadLimitExceeded in message tracking logs, queuing and holding up local email delivery to office365

  Please let me know if anyone knows an answer to this one... We're in a Hybrid Exchange environment, with 2 x Exchange 2007 servers,  and 1 x Exchange 2013 Hybrid server which is pointing to Office 365 for the purposes of relaying mail to O365 while
  we migrate our users out there.
  We have just finished migrating, but just a couple of days ago we started experiencing delays in email delivery to O365... Not all mail, but some!  Incoming email or locally generated email gets relayed out through the Hybrid server and out to O365,
  but not all email is delayed... only some, but it's constant.  During the busiest part of the day, about 200 messages are sitting in the Queue in Exch2013... but they all eventually resolve between 5 and 45minutes.  The users are not happy.
  The last error in the queue viewer for each hung email reads:  451 4.4.0 Temporary server error.  Please try again later.
  If I look at the message tracking logs, I find an interesting item -- "RecipientThreadLimitExceeded":
  2014-05-15T14:15:51.608Z,192.168.3.11,hydra,207.46.163.215,company-mail-onmicrosoft-com.mail.protection.outlook.com,RecipientThreadLimitExceeded,Outbound to Office 365,SMTP,DEFER,10307921510617,<[email protected]>,885ea3ce-a020-41b1-8950-08d13e58d6d3,[email protected],451
  4.4.0 Temporary server error. Please try again later,10117,1,,,Read: This is your generic subject line,[email protected],[email protected],2014-05-15T14:16:51.608Z,Undefined,,,,S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:Microsoft.Exchange.Transport.MailRecipient.EffectiveTlsAuthLevel=EncryptionOnly;S:DeliveryPriority=Normal
  I have tried to find some documentation on resolution for this RecipientThreadLimitExceeded error, but I can only come up with some Exchange 2011 documentation which recommends adding some entries to the EdgeTransport.exe.config file to bump up the RecipientThreadLimit
  value... I have not found anything pertaining to 2013.  I cannot even find any powershell commands to see what the current RecipientThreadLimit is on 2013!  Aghg!
  Has anyone seen this before, or have any recommendations?
  Thank you,
  Mike

  After many days of frustration, Microsoft Support finally resolved this issue.  Believe it or not, but the issue was actually on the Office365 side.  Here's the fix:
  Exchange Admin Center -> Mail Flow -> Connectors -> Inbound Connectors
  Open your "Inbound from <guid>" with the "On-premises" connector type
  Click on Scope -> scroll down to "Associated accepted domains"
  We had an entry in there "<organization>.mail.onmicrosoft.com"... Microsoft support had us remove this entry so that the box was completely empty.
  That RESOLVED it... amazing what what little entry could do.  We've had this entry in there for about 2 months, and it had been working fine.  Support acknowledged that several customers have had this issue, that they are working on getting it
  fixed on the back-end.
  Hope this helps somebody... 
  -Mike

• Cannot locate client IP Addess in message tracking logs

  Hello
  Im having trouble with a client who has an Exchange 2010 environment. They wish to identify users (via their client IP addresses of their workstations) who may be sending a large number of emails.
  In this environment there are two CAS servers that are hardware load balanced.
  My client wishes to interrogate the Message tracking logs (I believe this is the right place) in order to identify the IP address of a client which sent the originating mails. However the message tracking logs returns only the address of the Load Balancer
  and not the client IP Address of the sending machine.
  Is this anyway this can resolved?
  Many thanks in advance

  Hi,
  Or we can use
  IIS Advanced Logging. Add field “X-Forwarded-For” to the Advance Logging configuration to find the real IP address of the client device. Here are steps.
  Install “Advanced Logging” on each CAS server: Double click on msi file. Check the accept checkbox and click, next, next and finish for the installation.
  Add field “X-Forwarded-For” to the Advance Logging configuration.
  From your Windows Server 2008 or Windows Server 2008 R2 device, open the Internet Information Services (IIS) Manager.
  From the Connections navigation pane, click the appropriate CAS or CHM server on which you are configuring Advanced Logging. The Home page appears in the main panel.
  From the Home page, under IIS, double-click Advanced Logging.
  From the Actions pane on the right, click Edit Logging Fields.
  From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:
  In the Field ID box, type X-Forwarded-For.
  From the Category list, select Default.
  From the Source Type list, select Request Header.
  In the Source Name box, type X-Forwarded-For.
  Click the OK button in the Add Logging Field box, and then click the OK button in the Edit Logging Fields box.
  Click a Log Definition to select it. By default, there is only one: %COMPUTERNAME%-Server. The log definition you select must have a status of Enabled.
  From the Actions pane on the right, click Edit Log Definition or right click and select Edit Log Definition.
  Click the Select Fields button, and then check the box for the X-Forwarded-For logging field.
  Click the OK button.
  From the Actions pane, click Apply.
  Click Return To Advanced Logging.
  In the Actions pane, click Enable Advanced Logging.
  Now, when you look at Inetpublogs, you will see a new AdvancedLogs folder will be available with new logs and these logs will have the client device IP address.
  Best Regards.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Lynn-Li
  TechNet Community Support

• Ironport Message Tracking Logs

  Hi,
  Am unable to post this in the Ironport Security section due to the restricted access on my Cisco support login ID.
  I need to export the message tracking logs for a particular user for the last one year (or the period for which logs are available) on Ironport M660.
  The GUI only reports 250 search results for every search and I have approx to export logs for approx. 20,000 messages.
  Is there a Unix/CLI command which can be executed to export all tracking logs between a time frame in Ironport?
  Thanks.

  This was a defect covered in the 8.5.6-093 release:
  http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_HP1_Release_Notes.pdf
  So, if running the -074 revision... found defect:
  https://tools.cisco.com/bugsearch/bug/CSCuq49620
  I wouldn't say that running repengupdate force is not suppose to be done, aside from a formal request... is odd to see or hear that would have been mentioned.  With the force updates for any of the processes on the ESA, this is usually always a good troubleshooting step for any customer --- as the process will instantly call out to the updater servers, compare manifests, and then pull regardless of what is running the latest engine and rules sets for the process... and then silently implement in the background.  While for the customers who might have bandwidth limiting options running on their network, the only major side effect is the package size that is coming across... since the engine is tagged into the rules... 
  But, normally with antivirus and antispam - this is the most helpful to run antivirusupdate force or antispamupdate ironport force.  Especially in times where the update process itself may have been interrupted with a network related hiccup or staled out download.
  -Robert

• Is there throttling going on here? Constantly queued emails on Hybrid Exch 2013 server with error RecipientThreadLimitExceeded in message tracking logs...

  Please let me know if anyone knows an answer to this one... We're in a Hybrid Exchange environment, with 2 x Exchange 2007 servers,  and 1 x Exchange 2013 Hybrid server which is pointing to Office 365 for the purposes of relaying mail to O365 while we
  migrate our users out there.
  We have just finished migrating, but just a couple of days ago we started experiencing delays in email delivery to O365... Not all mail, but some!  Incoming email or locally generated email gets relayed out through the Hybrid server and out to O365, but
  not all email is delayed... only some, but it's constant.  During the busiest part of the day, about 200 messages are sitting in the Queue in Exch2013... but they all eventually resolve between 5 and 45minutes.  The users are not happy.
  The last error in the queue viewer for each hung email reads:  451 4.4.0 Temporary server error.  Please try again later.
  If I look at the message tracking logs, I find an interesting item -- "RecipientThreadLimitExceeded":
  2014-05-15T14:15:51.608Z,192.168.3.11,hydra,207.46.163.215,company-mail-onmicrosoft-com.mail.protection.outlook.com,RecipientThreadLimitExceeded,Outbound
  to Office 365,SMTP,DEFER,10307921510617,<[email protected]>,885ea3ce-a020-41b1-8950-08d13e58d6d3,[email protected],451
  4.4.0 Temporary server error. Please try again later,10117,1,,,Read: This is your generic subject line,[email protected],[email protected],2014-05-15T14:16:51.608Z,Undefined,,,,S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:Microsoft.Exchange.Transport.MailRecipient.EffectiveTlsAuthLevel=EncryptionOnly;S:DeliveryPriority=Normal
  I have tried to find some documentation on resolution for this RecipientThreadLimitExceeded error, but I can only come up with some Exchange 2011 documentation which recommends adding some entries to the EdgeTransport.exe.config file to bump up the RecipientThreadLimit
  value... I have not found anything pertaining to 2013.  I cannot even find any powershell commands to see what the current RecipientThreadLimit is on 2013!  Aghg!
  Has anyone seen this before, or have any recommendations?
  Thank you,
  Mike

  After many days of frustration, Microsoft Support finally resolved this issue.  Believe it or not, but the issue was actually on the Office365 side.  Here's the fix:
  Exchange Admin Center -> Mail Flow -> Connectors -> Inbound Connectors
  Open your "Inbound from <guid>" with the "On-premises" connector type
  Click on Scope -> scroll down to "Associated accepted domains"
  We had an entry in there "<organization>.mail.onmicrosoft.com"... Microsoft support had us remove this entry so that the box was completely empty.
  That RESOLVED it... amazing what what little entry could do.  We've had this entry in there for about 2 months, and it had been working fine.  Support acknowledged that several customers have had this issue, that they are working on getting it fixed
  on the back-end.
  Hope this helps somebody... 
  -Mike

• Exchange 2010 Message Tracking Logs and Calendar appointments

  A little context here...  We consume our message tracking logs with splunk so I can easily search and locate entries as needed.  I have an alert that generates an email when specific calendars accept a meeting request.
  I can pull the meeting title and specific calendar name, but the problem I am having is determining when the "meeting" is scheduled.  The data in the tracking logs shows me that the meeting was accepted today, but the actual meeting may not
  be for a week or more in the future.
  Is there any data in the tracking logs that can be translated to show the actual date of the meeting?
  Here is an example sanitized meeting request and acceptance
  REQUEST:
  2014-05-29T18:44:29.183Z,fe80::xxx,xxx,,xxx,"MDB:xxxx,
  Mailbox:xxxx,
  Event:92395630, MessageClass:IPM.Schedule.Meeting.Request,
  CreationTime:2014-05-29T18:44:28.762Z,
  ClientType:MOMT",,STOREDRIVER,SUBMIT,,<[email protected]>,,,,,,,Leaving
  Early,[email protected],,2014-05-29T18:44:28.762Z;LSRV=xxx.com:TOTAL=0,,,,,S:ItemEntryId=00-00-00-00-72-F7-4F-55-9A-2E-40-4C-93-52-BC-B4-7A-79-0D-92-07-00-40-1B-2D-18-F9-4B-C3-40-84-81-FF-EA-46-AC-E3-0D-00-00-00-00-00-09-00-00-40-1B-2D-18-F9-4B-C3-40-84-81-FF-EA-46-AC-E3-0D-00-00-09-95-6F-D7-00-00
  RESPONSE
  2014-05-29T18:44:31.211Z,fe80::xxx,xxx,,xxx,"MDB:xxx,
  Mailbox:xxx,
  Event:47712341, MessageClass:IPM.Schedule.Meeting.Resp.Pos,
  CreationTime:2014-05-29T18:44:30.353Z,
  ClientType:EventBasedAssistants",,STOREDRIVER,SUBMIT,,<[email protected]>,,,,,,,Accepted:
  Leaving Early,[email protected],,2014-05-29T18:44:30.353Z;LSRV=xxx.com:TOTAL=0,,,,,S:ItemEntryId=00-00-00-00-F2-AF-A9-28-DA-90-61-43-92-18-C5-86-08-7C-FE-1C-07-00-66-37-7F-D0-4D-82-73-48-8B-E2-10-A1-0B-58-DF-77-00-00-00-A5-FF-57-00-00-66-37-7F-D0-4D-82-73-48-8B-E2-10-A1-0B-58-DF-77-00-00-00-A6-31-9A-00-00

  Actual date of the meeting wouldn't be there in the message tracking log. As name says its tracking log for the message in transit, not the content information :) 
  Actual meeting date/time should be inside the meeting message under one of the message property which you can look by opening meeting in outlook or via MFCMapi if you want.
  Blog |
  Get Your Exchange Powershell Tip of the Day from here

• Messaging tracking logs filename format changed in Exchange Server 2013 sp1

  Hi,
  I have noticed that the file name format is changed for exchange server 2013 sp1.
  Now it will have hh attached to it like
  MSGTRKMSyyyymmddhh-n.log;
  MSGTRKMDyyyymmddhh-n.log:
  MSGTRKyyyymmddhh-n.log.
  So the "hh" will goes from 00 to 23 for single day.
  So Lets say at 24 april 2014 first fill is created @7.30 AM, so the first file name will be
  MSGTRK2014042400-1.log. Now exchange server will create new file every hour by incrementing hh part of file name. Now the last file i.e
  MSGTRK2014042423-1.log will be created on 25 April 2014 at 6.30 AM.
  I am not able to understand why exchange server is creating the file with old date on next day ( with 24 April on file name time stamp on 25 April).
  And also how it will be decided to create the first file @ 7.30 AM.
  Can anyone explain to me about this ? Why it is happening like this?
  Thanks
  Sandeep Gupta

  Hi Sandeep,
  This could related to the time difference. What’s the time zone of your server? In my lab, many files in the last day were created in the next day. For example, files in 20140410
  were created on 20140411.
  Also, as you mentioned, the file name format is as:
  MSGTRKMSyyyymmddhh-n.log;
  MSGTRKMDyyyymmddhh-n.log:
  MSGTRKyyyymmddhh-n.log.
  However as I know, the format is like
  MSGTRKyyyymmdd-m.log, it will not have “hh”(you mean hours) in the behind and the file is not created every hour but create a new file when the old is full. So please capture some screenshots of the message tracking files
  and the date/time information of the file to verify.
  Title: Message Tracking
  Link:
  http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx
  Regards, Eric Zou

• Query slow messages in logs

  Hi,
     We have a FAST ESP SP3 set up in windows 2010 server. Recently I have observed that below logs are getting logged in the error logs frequently.
   [2014-08-14 10:46:28] 
   WARNING 
   fdispatch 
   sdsdd
   15700 
   systemmsg 
   engine sdsdd:15751 query slow by 6.842s + 1.114s  
   [2014-08-14 10:46:26] 
   WARNING 
   fdispatch 
   sdsdsd
   15700 
   systemmsg 
   engine sdsdd:15745 query slow by 5.759s + 0.107s  
   [2014-08-14 10:40:50] 
   WARNING 
   fdispatch 
   sdsdd
   15700 
   systemmsg 
   engine sdddss:15741 query slow by 9.774s + 0.943s  
   [2014-08-14 10:21:54] 
  So what are the possible causes for this delay.
  How can it be rectified. Is this to do with indexer partitions are getting filled with loads of documents.
   WIth Regards,
   WARNING 
   fdispatch 
  sdsdds
   15700 
   systemmsg 
   engine sdsdds:15751 query slow by 42.360s + 18.154s  
  Santanu Mishra

  Santanu,
  Your snippet did not contain any error messages.
  Slow query can be caused by variety of factors but as you mentioned index partitions can be one of them. The query slow by messages can come from a partition that contains the most documents.
  Could you monitor resources like CPU usage (should not be pegged), swap usage (there should be none) and I/O when you get these messages.
  Also, querylogs may be helpful from these query slow timeframes . Querylogs contains some statistics that can help identify reason of slow queries. You can add more timings :http://qrserver:15100/control?debug.timings=1
  I`ve as well seen cases where slow queries are causedby  dynamic teaser generation. This can be prevented by setting an upper bound on it. This is set on the admin node, in $FASTSEARCH/etc/config_data/RTSearch/webcluster/fsearch.addon, and the setting
  to be appended at the bottom is:
  juniper.matcher.max_workset_duplicates 35
  After making this change, search-1 must be restarted on all nodes.