exchange 2013

Track messages in Exchange 2013 using Get-MessageTrackingLog

In addition to directly analyzing transport log files, tracking messages in MS Exchange Server 2013 is very easy to carry out with the help of Message Tracking Logs tool. In this post we will discuss some features of the Get-MessageTrackingLog cmdlet, which was created specifically for processing message tracking logs.

You can run the cmdlet without any additional parameters:


The data will be taken from the server on which the command is executed. By default, all message transmission events will be displayed for the last 30 days (not more than 1000).

message tracking log exchange

The output of the cmdlet is not very convenient.

To remove the limit of 1000 strings, you can use the -ResultSize option, setting the value to Unlimited (be careful, it can heavily load the server). Results can be displayed in page-by-page form (depending on a console size) using the Out-Host cmdlet.

Get-MessageTrackingLog | Out-Host –Paging

The -Paging key is responsible for paginal output.

message tracking log exchange list

It’s more convenient, but the data still looks completely uninformative.

In fact, the message tracking logs contain a lot of information and some of it can be extremely useful in analyzing server operation, message monitoring and many other tasks. Message tracking log files in text format are stored in the directory %ExchangeInstallPath%TransportRoles\Logs\MessageTracking. Manual analysis of these logs is very inconvenient and difficult for any Exchange Administrator.

message tracking log notepad

If you want to display the values of only certain columns, you will run into difficulties. The fact is that the column names in the file and the names of the same columns in Powershell are different! Microsoft developers are not looking for easy ways! 🙂 To help you get column names, you can use the Format-List cmdlet (fl), which displays the properties of each object on a separate line. We display all the fields and data for the first log entry.

Get-MessageTrackingLog | Select-Object -First 1 | Format-List

message tracking log format list

Now it is possible to operate the received data freely and to select only that is necessary. For example, you want to see through which connectors the message passes (we narrow the search area by specifying the subject of the letter), when you send it from within the organization to the internal recipient. To do this, we use the ConnectorID property. You can use the Format-Table (ft) cmdlet to present the data in a table form. Align the width of the columns with the -AutoSize:

Get-MessageTrackingLog -MessageSubject "test" | Format-Table Timestamp,ConnectorID,EventID,Source -AutoSize

And here is the output of the command:

message tracking log format table

Everything is simple and clear and even the names of connectors, including system ones, are visible.

Finally, we’ll try to process the output of Get-MessageTrackingLog with the help of a very interesting Group-Object cmdlet. It allows you to group objects by some property and count their number. This cmdlet is usually used last (or one of the last), because it creates new objects in the pipeline and you can no longer process the objects of the Get-MessageTrackingLog cmdlet.

We will try to count the number of all messages sent by users of our organization to recipients on To do this, you need to enter an additional condition that will filter necessary recipients. You can do this with the help of Where-Object.

Get-MessageTrackingLog -EventId "Send" -ResultSize Unlimited | Where-Object {$_.Recipients -like "*"} | Group-Object Recipients | Sort-Object Count -Descending | Format-Table *

Not so difficult. Here’s what we saw in the results:

message tracking log values

We do not recommend putting the -ResultSize Unlimited key without specifying the start date. You can set the date in this way -Start (Get-Date).AddDays(-1). The command will return the current timestamp and subtract one day from it. That is, you will be returned recipients statistics for the last 24 hours.

You also need to remember that each Exchange server has its own tracking log files. Therefore, this command must be executed on all Exchange Mailbox servers in your organization.

You may also like:

Add An Out Of Office Message In Outlook for A Diff... Did an employee just leave for vacation and forget to do something? Below the instructions will show you how to add an out of office message in Outloo...
How to Recreate Virtual Directories OWA and ECP on... This article describes how to recreate virtual directories OWA and ECP on Exchange 2016. The rebuilding of these virtual directories helps to reset al...
How to Delete IIS Log Files on Windows Server 2012 IIS (Internet Information Services) Web Server on Windows Server generates a sufficiently large amount of log files during its work. The main problem ...
Moving Exchange Mailboxes to Another Database Exchange administrator can move user mailboxes in the Active Directory forest from one database to another between Exchange servers, or between mailbo...
How to Add or Remove SMTP Alias to Exchange 2016 M... Sometimes you need to add another email address to the existing user. In Exchange, in addition to the primary address, each mailbox can be assigned to...

Add Your Comment