With Exchange 2016, the process of searching the message tracking logs can be easily done by using the Get-MessageTrackingLog cmdlet.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to fix Microsoft Exchange related queries.

In this context, we shall look into the process to track logs in Exchange 2016.

The idea of Search message tracking logs?

Message tracking records the message activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. The most effective way to search the message tracking logs is to use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell.

The following search criteria can be applied to search for entries in the message tracking log:

i.Find out what happened to a message that was sent by a user to a specific recipient.

ii. Detect if a mail flow rule is acting on a message.

iii. Find out if a message sent from an Internet sender made it into your Exchange organization.

iv. Find all messages sent by a specified user during a specified time period.

How does Exchange 2016 search message tracking logs works?

Here, we will take a look at how to search message tracking logs.

To display the information about the Exchange events page-by-page, simply run the command:

Get-MessageTrackingLog | Out-Host –Paging

To display the data in the table format and adjust the column width, use the Format-Table cmdlet:

Get-MessageTrackingLog | Format-Table –AutoSize

If several Hub Transport servers are used in the Exchange organization, you need to specify the name of a server to search as an argument of the –Server parameter. Or else, run the message tracking command for each of the Hub Transport servers with the pipe:

Get-TransportServer | Get-MessageTrackingLog

Now to display all emails for the last 24 hours ((Get-Date).AddHours(-24)), in which a recipient from @gmail.com domain is specified:

Get-MessageTrackingLog -Start (Get-Date).AddHours(-24) -ResultSize unlimited | where {[string]$_.recipients -like "*@gmail.com"}

You can run the below command to display all emails sent by the specific user through a certain server in a given period of time.

Get-MessageTrackingLog -ResultSize unlimited –Sender "cmansion@ibmimedia.com” –server rome-hub-01 -Start "12/01/2020 06:00:00" -End "12/0/2020 22:00:00" |select-object Timestamp,Sender,Recipients,MessageSubject,EventId|ft

Similarly, you can find all the emails sent by a user to any other user and export the search results into a CSV file. For that, simply run the below command.

Get-MessageTrackingLog -Sender "cmansion@ibmimedia.com" -Recipients "user@ibmimedia.com" -ResultSize unlimited –server rome-hub-01| Select-Object Timestamp,Sender,{$_.recipients},MessageSubject | Export-Csv -Path "C:\Export\exchange\exchange_tracking_logs.csv" -Encoding Default -Delimiter ";"

Also, it is possible can search by message subject. Here is the command to execute to display all emails with the “test” word in the subject field, run the following command;

Get-MessageTrackingLog -MessageSubject "test" -ResultSize unlimited –server rome-hub-01| Select-Object Timestamp,Sender, {$_.recipients}, MessageSubject | out-gridview

In case, if we have the message ID then execute the following command;

Get-MessageTrackingLog -messageID "41A4321C3543314FFFFF23122F2BDB7ABD00342@rome-hub-01.ibmimedia.com" -ResultSize unlimited –server rome-hub-01| Select-Object Timestamp,Sender, {$_.recipients}, MessageSubject

Moreover, to count the number of incoming email messages for the specific mailbox for the last 7 days, simply run the following command:

(Get-MessageTrackingLog -EventID "RECEIVE" -Recipients "admin@ibmimedia.com" -ResultSize unlimited).Count

[Need additional assistance with Exchange queries? – We are here to help you]