clientipaddress and connectorID is blank when performing a messagetracking

Hi,

Exchange 2010 sp3

I'm trying to find out an ip address that is sending over 2000 emails daily. This is an internal address sending to a DL.

Get-TransportServer | Get-MessageTrackingLog -Start(get-date).addhours(-3) -ResultSize unlimited -MessageSubject "Invoice Workflow Monitor" -Recipients "userA@domain.com" | Select-Object -Property clientid,connectorid

The output is blank. When I run the same command and select property messageid the results are hundreds of emails. Is there a switch I'm missing somewhere to get the connectorID and clientID?

Thanks,

Alexis

July 29th, 2015 11:18am

Why not select the messageID along with these others?

Get-TransportServer | Get-MessageTrackingLog -Start(get-date).addhours(-3) -ResultSize unlimited -MessageSubject "Invoice Workflow Monitor" -Recipients "userA@domain.com" | Select messageID, clientid, connectorid

Is the message ID something you wish to hide for some reason? Normally, I also include the timestamp, sender and recipients in the output I want to view.

July 29th, 2015 12:59pm


As a test, I just ran your command with my ID and all the ClientIDs were also blank - I got connector IDs for some, though.  However, there is no field for an email message named "ClientID" - you want ClientIP.

Something else that may help:  I'd suggest expanding your script to include more fields (such as the ClientHostName and EventID), to help you make sense out of your empty search results.  Normally, when I want output in a CSV, I use the following for my Select statement:

select TimeStamp, Sender, MessageSubject, ClientHostName, ServerHostname, ConnectorId, EventId, MessageId, @{E={ "$($_.Recipients)" };L='Recipients'}, @{E={ "$($_.RecipientStatus)" };L='RecipientStatus'}, TotalBytes, RecipientCount, MessageLatency

The way this returns the results allows even the multi-value fields to be captured in user readable format.  If I don't need fields, I remove them after the fact.  HTH ...

July 29th, 2015 2:37pm

If you are looking for the clientIP for the message which is generated by Outlook (in other words, an RPC connection) then the tracking log won't have it. Try the RPC Client Access Logs (C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access) in this case, with a caveat that Outlook connections are not coming via a load balancer which has inetting configured...

If you are looking for the clientIP for the message which came via SMTP receive connector created for application or external to internal communication via smarthost or something then message tracking log would have that information.

July 29th, 2015 5:17pm
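
Following the two replies above (the property is ClientIp, and only SMTP submissions carry the sending host's address), here is an added example, not code from any poster in this thread: a function that groups RECEIVE events by where the message entered transport. `Get-SubmissionOrigin`, `New-SampleRecord`, and the sample hosts, addresses and connector name are constructed for illustration.

```powershell
# Added example; PowerShell 2.0 compatible (Exchange 2010 Management Shell).
function Get-SubmissionOrigin {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Record)
    begin { $rows = New-Object System.Collections.ArrayList }
    process {
        # RECEIVE is the event logged when transport first accepts the message.
        if ($Record.EventId -eq 'RECEIVE') { [void]$rows.Add($Record) }
    }
    end {
        $rows | Group-Object Source, ClientIp, ClientHostname, ConnectorId |
            Sort-Object Count -Descending | ForEach-Object {
                $times = @($_.Group | Sort-Object Timestamp)
                $r = $times[0]
                if ($r.Source -eq 'STOREDRIVER') {
                    # Per the reply above: mailbox (Outlook/RPC) submission.
                    $hint = 'Mailbox submission: check RPC Client Access logs'
                } else {
                    $hint = 'SMTP submission: ClientIp is the connecting host'
                }
                New-Object PSObject -Property @{
                    Count = $_.Count; Source = $r.Source; ClientIp = $r.ClientIp
                    ClientHostname = $r.ClientHostname; ConnectorId = $r.ConnectorId
                    FirstSeen = $times[0].Timestamp; LastSeen = $times[-1].Timestamp
                    Hint = $hint
                } | Select-Object Count, Source, ClientIp, ClientHostname,
                    ConnectorId, FirstSeen, LastSeen, Hint
            }
    }
}

# Constructed sample records (not real log data) shaped like tracking-log output.
function New-SampleRecord($Time, $Source, $EventId, $Ip, $HostName, $Connector) {
    New-Object PSObject -Property @{
        Timestamp = [datetime]$Time; Source = $Source; EventId = $EventId
        ClientIp = $Ip; ClientHostname = $HostName; ConnectorId = $Connector
    }
}
$sample = @(
    (New-SampleRecord '2015-07-29 09:00' 'SMTP' 'RECEIVE' '192.0.2.10' 'app01' 'HUB01\App Relay'),
    (New-SampleRecord '2015-07-29 09:05' 'SMTP' 'RECEIVE' '192.0.2.10' 'app01' 'HUB01\App Relay'),
    (New-SampleRecord '2015-07-29 09:06' 'ROUTING' 'EXPAND' '' '' ''),
    (New-SampleRecord '2015-07-29 09:07' 'STOREDRIVER' 'RECEIVE' '192.0.2.20' 'MBX01' '')
)
$sample | Get-SubmissionOrigin | Format-Table -AutoSize

# On an Exchange server, pipe the tracking log in instead, for example:
# Get-TransportServer | Get-MessageTrackingLog -Start (Get-Date).AddHours(-3) `
#   -ResultSize Unlimited -MessageSubject "Invoice Workflow Monitor" | Get-SubmissionOrigin
```

Rows with Source SMTP identify the sending host directly; rows with Source STOREDRIVER only tell you the message was submitted from a mailbox, so the client address has to come from the RPC Client Access logs mentioned above.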

Hi,

As described in this document

https://technet.microsoft.com/en-us/library/bb124375(v=exchg.141).aspx

The message event information that is stored on each line is organized by fields. These fields are separated by commas. The field name is generally descriptive enough to determine the type of information that it contains. However, some fields may be blank, or the type of information that is stored in the field may change based on the message event type as described in Table 1. General descriptions of the fields that are used to classify each message tracking event are explained in Table 2.

Clientid and connectorid are also blank in the message tracking log in my environment.

As suggested by Amit Tank, here is an example in my environment.

Best Regards.

July 30th, 2015 3:46am
