Message Tracking in Exchange 2013 using Get-MessageTrackingLog

In addition to directly analyzing transport log files, you can easily track messages in MS Exchange Server 2013 with the Message Tracking Logs tool. In this post we will discuss some features of the Get-MessageTrackingLog cmdlet, which was created specifically for processing message tracking logs.

You can run the cmdlet without any additional parameters:


The data is taken from the server on which the command is executed. By default, all message transmission events for the last 30 days are displayed (but not more than 1000).


The output of the cmdlet is not very convenient.

To remove the limit of 1000 results, you can use the -ResultSize parameter with the value Unlimited (be careful, this can put a heavy load on the server). Results can be displayed page by page (depending on the console size) using the Out-Host cmdlet.

Get-MessageTrackingLog | Out-Host -Paging

The -Paging switch is responsible for the page-by-page output.


It’s more convenient, but the data still looks completely uninformative.

In fact, the message tracking logs contain a lot of information and some of it can be extremely useful in analyzing server operation, message monitoring and many other tasks. Message tracking log files in text format are stored in the directory %ExchangeInstallPath%TransportRoles\Logs\MessageTracking. Manual analysis of these logs is very inconvenient and difficult for any Exchange Administrator.


If you want to display the values of only certain columns, you will run into difficulties. The fact is that the column names in the log file and the names of the same columns in PowerShell are different! Microsoft developers are not looking for easy ways! :) To find the column names, you can use the Format-List cmdlet (fl), which displays each property of an object on a separate line. Here we display all the fields and data for the first log entry.

Get-MessageTrackingLog | Select-Object -First 1 | Format-List


Now you can work with the returned data freely and select only what you need. For example, suppose you want to see which connectors a message passes through when it is sent from within the organization to an internal recipient (we narrow the search by specifying the subject of the message). To do this, we use the ConnectorID property. You can use the Format-Table (ft) cmdlet to present the data in table form and fit the column widths with the -AutoSize parameter:

Get-MessageTrackingLog -MessageSubject "test" | Format-Table Timestamp,ConnectorID,EventID,Source -AutoSize

And here is the output of the command:


Everything is simple and clear and even the names of connectors, including system ones, are visible.

Finally, we’ll try to process the output of Get-MessageTrackingLog with the very interesting Group-Object cmdlet. It groups objects by a property and counts how many fall into each group. This cmdlet is usually used last (or among the last), because it creates new objects in the pipeline, and after it you can no longer work with the objects returned by Get-MessageTrackingLog.

We will try to count the number of all messages sent by users of our organization to recipients on To do this, you need to add a condition that filters for the necessary recipients. You can do this with Where-Object.

Get-MessageTrackingLog -EventId "Send" -ResultSize Unlimited | Where-Object {$_.Recipients -like "*"} | Group-Object Recipients | Sort-Object Count -Descending | Format-Table *

Not so difficult. Here’s what we saw in the results:


We do not recommend using -ResultSize Unlimited without specifying a start date. You can set the date like this: -Start (Get-Date).AddDays(-1). This expression takes the current timestamp and subtracts one day from it, so you get recipient statistics for the last 24 hours.

You also need to remember that each Exchange server has its own tracking log files. Therefore, this command must be executed on all Exchange Mailbox servers in your organization.
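
The last two points combined, as an added example that is not part of the original post: a bounded 24-hour query against every Mailbox server, with Send events counted per recipient domain. Recipients is a multi-valued property, so a message sent to several addresses is counted here once per address. Get-RecipientDomainCount is a hypothetical helper name and the sample records are constructed; Get-MailboxServer and the Get-MessageTrackingLog parameters are the standard Exchange cmdlets.

```powershell
# Hypothetical helper (not an Exchange cmdlet): counts recipients per domain
# across tracking-log entries piped into it.
function Get-RecipientDomainCount {
    [CmdletBinding()]
    param(
        # Any object with a Recipients property, as Get-MessageTrackingLog returns
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Entry,
        # Wildcard applied to each individual recipient address
        [string]$RecipientFilter = '*'
    )
    begin { $counts = @{} }
    process {
        foreach ($rcpt in @($Entry.Recipients)) {
            if ([string]::IsNullOrWhiteSpace($rcpt) -or $rcpt -notlike $RecipientFilter) { continue }
            # Key on the part after the last "@"; addresses without "@" are kept whole
            $key = ($rcpt -split '@')[-1].ToLowerInvariant()
            $counts[$key] = 1 + [int]$counts[$key]
        }
    }
    end {
        $counts.GetEnumerator() |
            ForEach-Object { [pscustomobject]@{ Domain = $_.Key; Count = $_.Value } } |
            Sort-Object -Property @{ Expression = 'Count'; Descending = $true }, Domain
    }
}

# Constructed sample records, so the helper can be tried outside Exchange
$sample = @(
    [pscustomobject]@{ EventId = 'SEND'; Recipients = @('a@example.com', 'b@example.org') }
    [pscustomobject]@{ EventId = 'SEND'; Recipients = @('c@EXAMPLE.com') }
    [pscustomobject]@{ EventId = 'SEND'; Recipients = @('d@example.net') }
)
$sample | Get-RecipientDomainCount | Format-Table -AutoSize

# In the Exchange Management Shell: last 24 hours, every Mailbox server.
# -Start keeps -ResultSize Unlimited from reading the whole 30-day log.
if (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue) {
    Get-MailboxServer | ForEach-Object {
        Get-MessageTrackingLog -Server $_.Name -EventId Send `
            -Start (Get-Date).AddDays(-1) -ResultSize Unlimited
    } | Get-RecipientDomainCount | Format-Table -AutoSize
}
```

Pass -RecipientFilter with a wildcard such as '*@example.com' (a constructed value) to count only matching addresses.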

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky
