In Exchange 2016, the easy way to search the message tracking logs is to use the Get-MessageTrackingLog cmdlet.

Here at Bobcares, we have seen several such Microsoft Exchange related queries as part of our Server Management Services for web hosts and online service providers.

Today we will take a look at how to track logs in Exchange 2016

Search message tracking logs

Message tracking records the message activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. The best way to search the message tracking logs is to use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.

We make use of some search criteria to search for entries in the message tracking log. Here are some:

• Find out what happened to a message that was sent by a user to a specific recipient.
• Detect if a mail flow rule is acting on a message.
• Find out if a message sent from an Internet sender made it into your Exchange organization.
• Find all messages sent by a specified user during a specified time period.

Exchange 2016 search message tracking logs

Now let’s take a look at the commands our Support Engineers use to search message tracking logs.

To display the information about the Exchange events page-by-page, we run the command:

Get-MessageTrackingLog | Out-Host –Paging

To display the data in the table format and adjust the column width, we use the Format-Table cmdlet:

Get-MessageTrackingLog | Format-Table –AutoSize

If several Hub Transport servers are used in the Exchange organization, we need to specify the name of a server to search as an argument of the –Server parameter. Or else, we run the message tracking command for each of the Hub Transport servers with the pipe:

Get-TransportServer | Get-MessageTrackingLog

Let’s display all emails for the last 24 hours ((Get-Date).AddHours(-24)), in which a recipient from @gmail.com domain is specified:

Get-MessageTrackingLog -Start (Get-Date).AddHours(-24) -ResultSize unlimited | where {[string]$_.recipients -like "*@gmail.com"}

We run the below command to display all emails sent by the specific user through a certain server in a given period of time.

Get-MessageTrackingLog -ResultSize unlimited –Sender "cmansion@bobcares.com” –server rome-hub-01 -Start "11/30/2020 06:00:00" -End "12/13/2020 22:00:00" |select-object Timestamp,Sender,Recipients,MessageSubject,EventId|ft

Also, we can find all the emails sent by a user to any other user and export the search results into a CSV file. For that, we run the below command.

Get-MessageTrackingLog -Sender "cmansion@bobcares.com" -Recipients "amorato@bobcares.com" -ResultSize unlimited –server rome-hub-01| Select-Object Timestamp,Sender,{$_.recipients},MessageSubject | Export-Csv -Path "C:\Export\exchange\exchange_tracking_logs.csv" -Encoding Default -Delimiter ";"

Also, we can search by message subject. Here is the command we run to display all emails with the “test” word in the subject field, run the following command.

Get-MessageTrackingLog -MessageSubject "test" -ResultSize unlimited –server rome-hub-01| Select-Object Timestamp,Sender, {$_.recipients}, MessageSubject | out-gridview

In case, if we have the message ID then we run the below.

Get-MessageTrackingLog -messageID "41A4321C3543314FFFFF23122F2BDB7ABD00342@rome-hub-01.bobcares.com" -ResultSize unlimited –server rome-hub-01| Select-Object Timestamp,Sender, {$_.recipients}, MessageSubject

Moreover, to count the number of incoming email messages for the specific mailbox for the last 7 days, we run the following command:

(Get-MessageTrackingLog -EventID "RECEIVE" -Recipients "admin@bobcares.com" -ResultSize unlimited).Count

[Need any further assistance with Exchange queries? – We are here to help you]

Conclusion

In short, we can search the message tracking logs by using the Get-MessageTrackingLog cmdlet in Exchange 2016. Today, we saw how our Support Engineers do it.