Tracking messages in Exchange 2013 log files - easy and quick!
The huge scalability of Microsoft Exchange carries serious disadvantages alongside all its benefits. One of these is the difficulty of tracking a message through the log files: when you have multiple transport servers, a message passes through several Mailbox servers and leaves its trail in the logs of each of them.
Today I will try to at least partially help you with message tracking in Exchange 2013.
The Exchange 2013 mail flow (transport pipeline) is shown in the following picture:
Message tracking in Exchange 2013
My approach to message tracking in an Exchange system is as follows:
- Get the ID of the message we're interested in with the help of Get-MessageTrackingLog.
- With Log Parser 2.2, get the detailed records for that specific message.
Why can't we use Get-MessageTrackingLog only (the cmdlet can perform very fast searches across multiple servers)? Get-MessageTrackingLog has one unpleasant trait: the Timestamp it returns for each log record is accurate only to the second, while the records in the text logs are stored with millisecond precision. When many actions are performed in quick succession, we are unable to build a chronology of events from the cmdlet output alone.
That's why we will pass the log files through Log Parser 2.2. It is a universal text-file parser from Microsoft that accepts SQL-like queries.
Searching messages with Get-MessageTrackingLog
Exchange 2013 includes a nice cmdlet, Get-MessageTrackingLog. It searches the message tracking logs using a set of filters. The most detailed description of the filters is at: https://technet.microsoft.com/en-us/library/aa997573(v=exchg.150).aspx.
Here is an example of how to use Get-MessageTrackingLog to find the MessageId:
Copy the MessageId and move on.
Using Log Parser 2.2 and Log Parser Studio
First of all, we need to install Log Parser 2.2 and Log Parser Studio (a GUI for Log Parser 2.2). Links:
- https://www.microsoft.com/en-us/download/details.aspx?id=24659 - Log Parser 2.2
- https://gallery.technet.microsoft.com/office/Log-Parser-Studio-cd458765 - Log Parser Studio
Install both programs and start Log Parser Studio (LPS.exe).
Specify the paths to the logs (a useful article on this topic: Moving Exchange 2013 logs from default folders with Powershell):
Take note: we point to the log folders on both servers!
Then create a new query and set the log file type to EELLOG, ordered by timestamp:
SELECT * FROM '[LOGFILEPATH]' WHERE message-id = '<MessageId>' ORDER BY [#Fields: date-time]
Execute the query (replacing <MessageId> with the value copied earlier) and get the results:
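The two steps above carried out from the Exchange Management Shell, as an added example that is not part of the original article: Get-MessageTrackingLog finds the MessageId across all transport servers, and the raw MSGTRK*.LOG files are then read directly with PowerShell (instead of Log Parser Studio, which the article uses) to rebuild the millisecond-precision chronology. The sender and recipient addresses, the time window, and access to each server's C$ admin share are assumptions.

```powershell
# Added example (not the article's own code). Assumes the Exchange Management Shell
# on a machine that can reach each Mailbox server's C$ admin share. The addresses
# and the time window are placeholders; adjust them to the message you are tracing.
$start = (Get-Date).AddHours(-2)
$end   = Get-Date
$servers = Get-TransportService

# Step 1: fast multi-server search with Get-MessageTrackingLog to obtain the MessageId
$hits = foreach ($srv in $servers) {
    Get-MessageTrackingLog -Server $srv.Name -Start $start -End $end `
        -Sender 'alice@contoso.example' -Recipients 'bob@contoso.example' `
        -ResultSize Unlimited
}
$messageId = $hits | Select-Object -First 1 -ExpandProperty MessageId
# Timestamp here is rounded to whole seconds, so this ordering can be misleading
$hits | Sort-Object Timestamp | Format-Table Timestamp, ServerHostname, EventId, Source -AutoSize

# Step 2: read the raw MSGTRK*.LOG files of every transport server, which keep
# millisecond timestamps, and rebuild the real chronology for that MessageId
$events = foreach ($srv in $servers) {
    $localPath = "$($srv.MessageTrackingLogPath)"        # e.g. C:\...\Logs\MessageTracking
    if (-not $localPath) { continue }                     # tracking disabled on this server
    $uncPath = "\\$($srv.Name)\" + ($localPath -replace ':', '$')
    foreach ($file in Get-ChildItem -Path $uncPath -Filter 'MSGTRK*.LOG') {
        $lines = Get-Content -Path $file.FullName
        # Column names live on the '#Fields:' line; the other '#' lines are metadata
        $fields = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        if (-not $fields) { continue }
        $lines | Where-Object { $_ -notlike '#*' -and $_ } |
            ConvertFrom-Csv -Header (($fields -replace '^#Fields:\s*', '') -split ',') |
            Where-Object { $_.'message-id' -eq $messageId }
    }
}
# Sort on the parsed date-time (ISO 8601 with milliseconds), then show the fields
# the article tells you to check
$events | Sort-Object { [datetime]$_.'date-time' } |
    Format-Table 'date-time', 'server-hostname', 'client-ip', 'server-ip',
                 'connector-id', 'source', 'event-id' -AutoSize
```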
Log analysis
Now you can see which way the message went, and perhaps find the cause of the failure. In most cases you will need to check the following fields:
- client-ip
- client-hostname
- server-ip
- server-hostname
- connector-id
- source
- event-id
The last two fields, source and event-id, tell us which actions were performed on the message. Help with analyzing these fields can be found in this article:
https://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx
For your convenience and mine, here is the most useful information from it.
Possible values of the event-id field
Event name | Description
---|---
AGENTINFO | This event is used by transport agents to log custom data.
BADMAIL | A message submitted by the Pickup directory or the Replay directory that can't be delivered or returned.
DEFER | Message delivery was delayed.
DELIVER | A message was delivered to a local mailbox.
DSN | A delivery status notification (DSN) was generated.
DUPLICATEDELIVER | A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of multiple nested distribution groups. Duplicate messages are detected and removed by the information store.
DUPLICATEEXPAND | During the expansion of the distribution group, a duplicate recipient was detected.
DUPLICATEREDIRECT | An alternate recipient for the message was already a recipient.
EXPAND | A distribution group was expanded.
FAIL | Message delivery failed. Sources include SMTP, DNS, QUEUE, and ROUTING.
HADISCARD | A shadow message was discarded after the primary copy was delivered to the next hop. For more information, see Shadow redundancy.
HARECEIVE | A shadow message was received by the server in the local database availability group (DAG) or Active Directory site.
HAREDIRECT | A shadow message was created.
HAREDIRECTFAIL | A shadow message failed to be created. The details are stored in the source-context field.
INITMESSAGECREATED | A message was sent to a moderated recipient, so the message was sent to the arbitration mailbox for approval. For more information, see Manage message approval.
LOAD | A message was successfully loaded at boot.
MODERATOREXPIRE | A moderator for a moderated recipient never approved or rejected the message, so the message expired. For more information about moderated recipients, see Manage message approval.
MODERATORAPPROVE | A moderator for a moderated recipient approved the message, so the message was delivered to the moderated recipient.
MODERATORREJECT | A moderator for a moderated recipient rejected the message, so the message wasn't delivered to the moderated recipient.
MODERATORSALLNDR | All approval requests sent to all moderators of a moderated recipient were undeliverable, and resulted in non-delivery reports (NDRs).
NOTIFYMAPI | A message was detected in the Outbox of a mailbox on the local server.
NOTIFYSHADOW | A message was detected in the Outbox of a mailbox on the local server, and a shadow copy of the message needs to be created.
POISONMESSAGE | A message was put in the poison message queue or removed from the poison message queue.
PROCESS | The message was successfully processed.
RECEIVE | A message was received by the SMTP receive component of the transport service or from the Pickup or Replay directories (source:
REDIRECT | A message was redirected to an alternative recipient after an Active Directory lookup.
RESOLVE | A message's recipients were resolved to a different email address after an Active Directory lookup.
RESUBMIT | A message was automatically resubmitted from Safety Net. For more information, see Safety Net.
RESUBMITDEFER | A message resubmitted from Safety Net was deferred.
RESUBMITFAIL | A message resubmitted from Safety Net failed.
SEND | A message was sent by SMTP between transport services.
SUBMIT | The Mailbox Transport Submission service successfully transmitted the message to the Transport service. For SUBMIT events, the source-context property contains the following details:
SUBMITDEFER | The message transmission from the Mailbox Transport Submission service to the Transport service was deferred.
SUBMITFAIL | The message transmission from the Mailbox Transport Submission service to the Transport service failed.
SUPPRESSED | The message transmission was suppressed.
THROTTLE | The message was throttled.
TRANSFER | Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. Sources include ROUTING or QUEUE.
Possible values of the source field
Source value | Description
---|---
ADMIN | The event source was human intervention. For example, an administrator used Queue Viewer to delete a message, or submitted message files using the Replay directory.
AGENT | The event source was a transport agent.
APPROVAL | The event source was the approval framework that's used with moderated recipients. For more information, see Manage message approval.
DNS | The event source was DNS.
DSN | The event source was a delivery status notification (DSN). For example, a non-delivery report (NDR).
GATEWAY | The event source was a Foreign connector. For more information, see Foreign connectors.
MAILBOXRULE | The event source was an Inbox rule. For more information, see Inbox rules.
ORAR | The event source was an Originator Requested Alternate Recipient (ORAR). You can enable or disable support for ORAR on Receive connectors using the OrarEnabled parameter on the New-ReceiveConnector or Set-ReceiveConnector cmdlets.
PICKUP | The event source was the Pickup directory. For more information, see Pickup directory and Replay directory.
POISONMESSAGE | The event source was the poison message identifier. For more information about poison messages and the poison message queue, see Queues.
PUBLICFOLDER | The event source was a mail-enabled public folder.
QUEUE | The event source was a queue.
REDUNDANCY | The event source was Shadow Redundancy. For more information, see Shadow redundancy.
ROUTING | The event source was the routing resolution component of the categorizer in the Transport service.
SAFETYNET | The event source was Safety Net. For more information, see Safety Net.
SMTP | The message was submitted by the SMTP send or SMTP receive component of the transport service.
STOREDRIVER | The event source was a MAPI submission from a mailbox on the local server.