Tracking messages in the two-CAS environment

Hello!

There are two CAS servers - Exch1 and Exch2, the user connection point - mail.testcompany.com - uses dns round-robin to point either to Exch1 or Exch2. Outbound internet connector resides on Exch1.

User3 connects to https://mail.testcompany.com (this time that was Exch1) and sends two test messages (one of them to the outside recipient). I want to make sure I can find these messages in the logs.

Exch1:

- that's what I'm expecting to see.

Exch2:


Q1: Why do both exchange servers show these two messages - as far as I get it a single message can't be sent through two servers simultaneously?

Q2: Why does Exchange GUI show both messages while PS only one?

Thank you in advance,

Michael



  • Edited by MF47 Friday, August 28, 2015 10:23 AM
August 28th, 2015 10:20am


My guess would be the message that shows the count of 2 is the one with multiple recipients on it (Subject: TEst1) and the message that says count 1 is the single recipient (Test2).

The reason this is happening is that Exchange just chooses a random server to send the mail from.

August 28th, 2015 6:14pm

"My guess would be the message that shows the count of 2 is the one with multiple recipients on it (Subject: TEst1) and the message that says count 1 is the single recipient (Test2)." - yes, theoretically this could be, ... but sounds rather strange to me.

But in any case, both Exchange GUI and PS must display the same number of messages - how their figures may differ (Q2)???


  • Edited by MF47 Sunday, August 30, 2015 9:01 AM
August 29th, 2015 2:59pm

You can find multiple records in the message tracking log for a single email sent/received. And these records may exist on multiple mailbox servers. This is the designed behavior.

  1. If you take a look at the details of the message tracking log records, you'll find they're all different. Basically they reflect different actions performed against the same email message.
  2. Email is routed by mailbox servers. Depending on the location of sender/recipient, an email message could be processed by multiple mailbox servers.

August 29th, 2015 3:27pm

1, 2 - I agree, but that does not explain "But in any case, both Exchange GUI and PS must display the same number of messages - how their figures may differ (Q2)???"
August 30th, 2015 2:49pm

There is no way to retrieve message tracking log using GUI in Exchange 2013. The one you see is message not message tracking log.
August 31st, 2015 2:12am

"There is no way to retrieve message tracking log using GUI in Exchange 2013. The one you see is message not message tracking log." - Why do you think so???

http://msexchangeguru.com/2015/03/10/message-tracking/

"Using Shell to view Message Tracking Reports:

We can view the message tracking report using Exchange Management Shell:

Get-MessageTrackingLog

Tracking Message using the Exchange Admin Console (Delivery Reports):

Delivery reports for administrators using the Exchange admin center (EAC) to search message tracking logs of a specific mailbox. We can search for messages sent by or to the mailbox, search a message using subject etc. These delivery reports only has the subject line of the message & we cannot see the body of the message.

We can do the following to track the delivery report:

Go to EAC > Mail Flow ->Click on Delivery Reports => Mailbox."

Regards,

Michael




  • Edited by MF47 Monday, August 31, 2015 8:33 AM
August 31st, 2015 8:31am

As you can see in the post, from EAC, what you get is Delivery Report. It's different from message tracking log.

  • Delivery report, tells you which email is delivered and which is not.
  • Message tracking log, tells you every action Exchange server takes against an email message.

You may also notice that delivery report has only 4 columns while message tracking log has 10 times more than that.

Delivery report comes from message tracking log but it's only a subset of it. As I said, if you need to retrieve message tracking log, you have to use EMS.


  • Edited by Li Zhen Monday, August 31, 2015 9:55 AM
August 31st, 2015 9:54am

"Delivery report comes from message tracking log but it's only a subset of it" - that's the most important fact. Different tools should not yield various results when using the same database.

I don't need to retrieve a message tracking log, I need to answer (for instance) a very simple question - How many messages have been sent by User3? - using any available means. If the message tracking log itself "answers" - only 1 message - how Delivery Reports that are based on the same logs can show 2 (I don't think the number of columns may influence the result)?

Regards,

Michael

August 31st, 2015 10:35am

If you want message tracking log to answer this question, you have to do some filtering. If your filtering criteria is properly configured, you'll definitely get the same answer as the delivery report.
September 1st, 2015 5:25am

Sorry, I should have posted it earlier: I'm using this code for parsing tracking log:

$Messages = get-messagetrackinglog -server Exch2 -EventID "SEND" -Start (get-date).AddDays(-6) -ResultSize unlimited
$messages | where{$_.sender -like "user3@TestCompany.com"} | select sender | group sender | sort count -Descending | ft count,name

Would you please tell me if there's any error that prevents displaying all messages sent (for example, during a day) by User3?

Thank you in advance,

Michael

September 1st, 2015 10:54am

I would suggest you stay with delivery report because there is no simple command can achieve what you want.

  • The outbound (sent) message is logged as event RECEIVE in message tracking log. It may sound strange to you but this is how it works.
  • With the RECEIVE event, you still cannot determine whether it is really delivered to recipient. You have to look for other events, such as FAIL, which may reside on a different mailbox server. You may even need to search for NDR in certain scenarios.

  • Edited by Li Zhen Tuesday, September 01, 2015 2:15 PM
September 1st, 2015 2:14pm

"The outbound (sent) message is logged as event RECEIVE in message tracking log. It may sound strange to you but this is how it works." - this is because the definition of SEND field -
"SEND A message was sent by SMTP between transport services."

-is correct only for messages sent between services and does NOT include the messages submitted from a mailbox?

September 1st, 2015 2:41pm

As I mentioned, message submitted (sent) from a mailbox is logged as RECEIVE event.

September 1st, 2015 3:12pm

By default, the message tracking log only gets messages sent through the specified server using the -Server parameter or the local server if the parameter is not specified. If you want logs for all Exchange 2013 mailbox servers or Exchange 2007/2010 hub transport servers, you can use the below:

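# Search window: the last 24 hours
$startdate = [datetime]::Now.AddDays(-1)
$enddate = [datetime]::Now

$HTServers = "server1","server2"
$messageSubject = "subject"
$emails = @()    # initialise so that += appends to an array

# Query each server in turn and collect the results in $emails
foreach ($HTServer in $HTServers)
{
    $emails += Get-MessageTrackingLog -Start $startdate -End $enddate -ResultSize Unlimited -Server $HTServer -MessageSubject $messageSubject -Sender sender@company.com
}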

Let me know if that's what you're after.

Thanks.

September 1st, 2015 6:07pm

Hello all,

Thank you for your replies!

Mark, thank you for the useful script! When I don't use the keyword "SEND" or "RECEIVE" in the Get-MessageTrackingLog... as you do in your script I have the output showing User3 has sent 8 messages, not 3 (as I sent one more message).

Regarding parsing the log: replacing "SEND" with "RECEIVE" in my script

$Messages = get-messagetrackinglog -server Exch2 -EventID "RECEIVE" -Start (get-date).AddDays(-6) -ResultSize unlimited
$messages | where{$_.sender -like "user3@TestCompany.com"} | select sender | group sender | sort count -Descending | ft count,name

...does not affect the output: PS still displays only one message sent whilst Delivery Reports shows 3 (I have sent one more message to public folder DOCUMENTS), so the question remains: suppose User3 has sent today a couple of messages to 1) User1 2) Administrator using Exch2.

Q) What code may I use to find these messages in the tracking log given that no aforementioned examples had the correct results?

Regards,

Michael




September 2nd, 2015 7:58am

Try this which will get the number of unique messageIDs sent by the user:

$HTServers = "server1","server2"
$startdate = [datetime]::Now.AddDays(-1)
$enddate = [datetime]::Now
$emails = @()

$messageSubject = "subject"
$sender = "sender@company.com"

# Collect every tracking event for this sender and subject from each server
foreach ($HTServer in $HTServers)
{
    $emails += Get-MessageTrackingLog -Start $startdate -End $enddate -ResultSize Unlimited -Server $HTServer -Sender $sender -MessageSubject $messageSubject
}

# Each message produces several events; count distinct MessageId values
($emails | select messageid -Unique).Count

The message tracking logs will log a few events for each email but this should get the unique emails.

Let me know if this answers your question.

Thanks.

September 2nd, 2015 5:06pm

Thank you very much for the code, Mark!

It differs from my own by the single parameter: -Unique. As soon as I added it to my script the results became the same:

It means a single message can be logged several times within a single server - is there any explanation of this somewhere on TechNet, because this page says nothing about messages recorded more than once?

https://technet.microsoft.com/en-us/library/Bb124375%28v=EXCHG.150%29.aspx?f=255&MSPPError=-2147217396

And the last question: you, like me, are using parameter "SEND", but Li Zhen said
"The outbound (sent) message is logged as event RECEIVE in message tracking log." - ???

Regards,

Michael



  • Edited by MF47 23 hours 28 minutes ago
September 3rd, 2015 4:20am

"It means a single message can be logged several times within a single server - is there any explanation of this somewhere on TechNet, because this page says nothing about messages recorded more than once?"

As I mentioned earlier, message tracking log records each and every action Exchange server has taken against an email message. I believe that answers your question.

"And the last question: you, like me, are using parameter "SEND", but Li Zhen said
"The outbound (sent) message is logged as event RECEIVE in message tracking log." - ???"

To be more accurate, you need to filter by event id RECEIVE and source STOREDRIVER. E.g. Get-MessageTrackingLog | ? EventId -eq RECEIVE | ? Source -eq STOREDRIVER. You'll get the email message sent out but it may or may not be delivered to recipient, as I mentioned earlier.


  • Edited by Li Zhen 21 hours 31 minutes ago
September 3rd, 2015 6:13am

Take a look at the table here: https://social.technet.microsoft.com/Forums/en-US/389ab7a8-0c3a-4eec-a4e7-e771fbfd8078/help-messagetrackinglog-data-differences?forum=exchangesvrsecuremessaging and here: https://technet.microsoft.com/en-us/library/bb124375%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396#EventTypes

It lists the source and eventIDs for the messages and what they refer to. The message tracking logs from PowerShell include all events for each message and this is why the numbers don't match the more simplified output that you see through the GUI which includes only limited information. 

Let me know if this answers your question.

September 3rd, 2015 1:26pm
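
An added example, not code from any poster in this thread: it combines the two suggestions above (collect events from every server, then count distinct MessageId values, flagging those that have the RECEIVE/STOREDRIVER event) to show why raw event counts and message counts differ. The records, the helper New-Rec and the function Get-SentMessageSummary are constructed for illustration; only the property names are those of Get-MessageTrackingLog output.

```powershell
# Constructed sample records, illustrative only (real event sequences vary).
# Property names match Get-MessageTrackingLog output.
function New-Rec($Time, $Server, $Source, $EventId, $MsgId, $Subject) {
    [pscustomobject]@{
        Timestamp = [datetime]$Time; ServerHostname = $Server; Source = $Source
        EventId = $EventId; Sender = 'user3@testcompany.com'
        MessageId = $MsgId; MessageSubject = $Subject
    }
}
$records = @(
    New-Rec '2015-09-02 09:00:01' 'Exch2' 'STOREDRIVER' 'RECEIVE' '<m1@testcompany.com>' 'Test1'
    New-Rec '2015-09-02 09:00:02' 'Exch2' 'SMTP'        'SEND'    '<m1@testcompany.com>' 'Test1'
    New-Rec '2015-09-02 09:00:02' 'Exch1' 'SMTP'        'RECEIVE' '<m1@testcompany.com>' 'Test1'
    New-Rec '2015-09-02 09:00:03' 'Exch1' 'SMTP'        'SEND'    '<m1@testcompany.com>' 'Test1'
    New-Rec '2015-09-02 09:05:10' 'Exch2' 'STOREDRIVER' 'RECEIVE' '<m2@testcompany.com>' 'Test2'
    New-Rec '2015-09-02 09:05:11' 'Exch2' 'STOREDRIVER' 'DELIVER' '<m2@testcompany.com>' 'Test2'
)

# Hypothetical helper: one output row per distinct MessageId for a sender.
function Get-SentMessageSummary {
    param(
        [Parameter(Mandatory)] [object[]] $TrackingRecord,
        [Parameter(Mandatory)] [string]   $Sender
    )
    $TrackingRecord |
        Where-Object { $_.Sender -eq $Sender } |
        Group-Object MessageId |
        ForEach-Object {
            # The mailbox-submission event named in the thread
            $submit = $_.Group | Where-Object { $_.EventId -eq 'RECEIVE' -and $_.Source -eq 'STOREDRIVER' }
            [pscustomobject]@{
                MessageId  = $_.Name
                Subject    = $_.Group[0].MessageSubject
                Submitted  = [bool]$submit
                EventCount = $_.Count
                Servers    = ($_.Group.ServerHostname | Sort-Object -Unique) -join ', '
                Events     = ($_.Group | ForEach-Object { "$($_.Source)/$($_.EventId)" } | Sort-Object -Unique) -join ', '
            }
        }
}

# On a live system, build $records from every server first, for example:
# $records = 'Exch1','Exch2' | ForEach-Object { Get-MessageTrackingLog -Server $_ -Sender 'user3@testcompany.com' -Start (Get-Date).AddDays(-1) -ResultSize Unlimited }
$summary = Get-SentMessageSummary -TrackingRecord $records -Sender 'user3@testcompany.com'
$summary | Format-Table MessageId, Subject, Submitted, EventCount, Servers, Events -AutoSize
"Raw records: $($records.Count); messages submitted: $(@($summary | Where-Object Submitted).Count)"
```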

Yes, this is a very useful discussion: https://social.technet.microsoft.com/Forums/en-US/389ab7a8-0c3a-4eec-a4e7-e771fbfd8078/help-messagetrackinglog-data-differences?forum=exchangesvrsecuremessaging

Thank you all for your help!

Regards,

Michael

September 4th, 2015 3:23am

This topic is archived. No further replies will be accepted.
