How to Use Get-MessageTrackingLog in PowerShell
System and organization administrators need to have a comprehensive understanding of message flow inside companies.
To achieve this, it's possible to check the complete message activity from the Exchange Admin Center in Office 365.
However, PowerShell commands allow for more granular control over some features, including message tracking logs.
In this guide, we'll show you how to use the Get-MessageTrackingLog command in PowerShell by following three simplified steps.
What is Get-MessageTrackingLog?
Get-MessageTrackingLog is a PowerShell cmdlet used in Microsoft Exchange Server environments to retrieve information from the message tracking logs.
This cmdlet allows administrators to track and analyze the flow of email messages within the Exchange organization.
The Get-MessageTrackingLog command is a fundamental part of message tracking in Exchange ecosystems, as it provides access to a comma-separated value (CSV) file that contains detailed information about the history of each email message as it travels through an Exchange server.
Get-MessageTrackingLog Syntax & Meaning
The syntax of Get-MessageTrackingLog is the following:
In this syntax, each parameter and switch has a meaning that alters the output of the command. The meanings of the most important parameters are the following:
- DomainController <Fqdn>: Specifies the fully qualified domain name (FQDN) of the domain controller to be used for the query;
- End <DateTime>: Specifies the end date and time for the message tracking log query, indicating the upper limit for the time range of messages to be included in the results;
- EventId <String>: Filters messages based on the event ID, allowing you to focus on messages with specific events;
- InternalMessageId <String>: Specifies the internal message ID, allowing you to retrieve details about a specific email message;
- MessageId <String>: Allows you to specify one or more message IDs to retrieve details about specific email messages;
- MessageSubject <String>: Filters messages based on the subject of the email;
- Recipients <String>: Filters messages based on the email addresses of the recipients;
- Reference <String>: Specifies a reference string for filtering messages;
- ResultSize <Unlimited>: Specifies the maximum number of results to be returned by the query. The default is unlimited;
- Sender <String>: Filters messages based on the email address of the sender;
- Server <ServerIdParameter>: Specifies the server to be queried for the message tracking log;
- Start <DateTime>: Specifies the start date and time for the message tracking log query, indicating the lower limit for the time range of messages to be included in the results;
- NetworkMessageId <String>: Specifies the network message ID, allowing you to retrieve details about a specific email message;
- Source <String>: Filters messages based on the message source, such as SMTP or STOREDRIVER;
- TransportTrafficType <String>: Filters messages based on the transport traffic type, such as "Receive" or "Send".
Get-MessageTrackingLog vs. Get-MessageTrace
Get-MessageTrackingLog and Get-MessageTrace are two similar but distinct PowerShell cmdlets.
Both are used to examine message tracing information, but they differ in several noticeable ways:
1. Deployment Environment:
- Get-MessageTrackingLog is designed for on-premises Exchange environments and is available in Exchange Server;
- Get-MessageTrace is tailored for cloud-based services and is available in Exchange Online and Exchange Online Protection. It operates specifically within the cloud-based organization.
2. Date Range and Historical Search:
- Get-MessageTrackingLog allows searching message data without specific limitations on the date range. Administrators can search the message tracking logs without being constrained by a predefined timeframe;
- Get-MessageTrace limits the search to the last 10 days of message data. If you need to search for data older than 10 days, you are required to use the Start-HistoricalSearch and Get-HistoricalSearch cmdlets.
3. Result Output and Time Format:
- Get-MessageTrackingLog returns results in the form of a comma-separated value (CSV) file, allowing administrators to manipulate and analyze the data easily. The output includes fields like Timestamp, Recipients, and Sender;
- Get-MessageTrace returns results with timestamps in UTC time format. Additionally, it limits the maximum number of returned results to 1000 by default and may time out on very large queries. Administrators are advised to split large queries into smaller date intervals.
What Can You Use Get-MessageTrackingLog For?
Get-MessageTrackingLog retrieves message tracking logs that exist for the Transport service on a Mailbox server, for the Mailbox Transport service on a Mailbox server, and on an Edge Transport server.
Running the command gives administrators the following capabilities:
- Troubleshooting Email Delivery Issues: Use Get-MessageTrackingLog to investigate and troubleshoot email delivery problems. It provides detailed information about the status and events of messages as they traverse the mail flow;
- Auditing and Compliance Monitoring: Monitor and audit email communication within the organization for compliance purposes. Get-MessageTrackingLog helps track the movement of emails, providing an audit trail for compliance and regulatory requirements;
- Security Analysis and Threat Detection: Analyze message tracking logs to identify and investigate potential security threats. The cmdlet allows administrators to review email activities and detect anomalies or suspicious patterns that may indicate security incidents;
- Performance Monitoring and Optimization: Monitor the performance of the email system by reviewing message tracking logs. Analyzing the logs can help identify areas for optimization, such as optimizing mail flow, addressing delivery delays, or improving overall system efficiency;
- Reporting and Trend Analysis: Generate reports and conduct trend analysis on email communication. Get-MessageTrackingLog can be used to extract data for reporting purposes, helping administrators understand email usage patterns, peak activity times, and other trends.
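The security-analysis use case above, as an added example that is not from the original article: it groups one day of SEND events by sender across every transport server and flags senders above a threshold, a pattern worth reviewing when a mailbox may be sending on someone else's behalf. The domain, window and threshold are assumed placeholders, and the script is meant for the Exchange Management Shell on-premises.

```powershell
# Added example (not the article's own code): find senders with an unusual
# volume of outbound SEND events in a one-day window.
# Assumed/constructed values: the window, the threshold and the organization domain.
$Start     = [datetime]'2023-07-14T00:00:00'   # invariant-culture parse, not locale-dependent
$End       = $Start.AddDays(1)
$Threshold = 500            # SEND events per sender per day that warrant a look
$OwnDomain = 'example.com'  # constructed placeholder for the organization's domain

# Query every transport server in the organization. -ResultSize Unlimited lifts the
# default result cap so per-sender counts are not silently truncated.
$sends = Get-TransportService |
    Get-MessageTrackingLog -Start $Start -End $End -EventId 'SEND' -ResultSize Unlimited

$suspects = $sends |
    Where-Object { $_.Sender -like "*@$OwnDomain" } |
    Group-Object -Property Sender |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object Timestamp
        [pscustomobject]@{
            Sender           = $_.Name
            SendEvents       = $_.Count
            # Recipients is multi-valued per event; flatten before counting unique addresses
            UniqueRecipients = ($_.Group | ForEach-Object { $_.Recipients } | Sort-Object -Unique).Count
            FirstSeen        = ($ordered | Select-Object -First 1).Timestamp
            LastSeen         = ($ordered | Select-Object -Last 1).Timestamp
        }
    }

# Highest-volume senders first; an empty table means nothing crossed the threshold
$suspects | Sort-Object SendEvents -Descending | Format-Table -AutoSize
```

Tune the threshold against a known-good day before relying on it, since normal volume differs widely between organizations and between mailboxes.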
Prerequisites to Run the Get-MessageTrackingLog Cmdlet
Before being able to use Get-MessageTrackingLog in PowerShell, it is important to follow three steps to ensure that you are allowed to run it:
- Access Exchange Online: Use a valid Microsoft Account with administrative credentials to establish a connection to Exchange Online PowerShell - we'll show you how to do it below;
- Execute the Get-ManagementRole Command: Upon successfully logging into your Microsoft Account, execute the following command: Get-ManagementRole -Cmdlet <Cmdlet>. Substitute <Cmdlet> with Get-MessageTrackingLog;
- Verify Necessary Permissions: After execution, PowerShell will display the roles required to run Get-MessageTrackingLog. If you need additional roles or permissions, reach out to your organization's administrator for further guidance.
How to Use Get-MessageTrackingLog
Now, let's take a look at how to properly use Get-MessageTrackingLog in PowerShell - follow these three steps to learn how to do it.
Step 1: Connect to Exchange Online PowerShell
Start by opening PowerShell as an Administrator on your computer and connecting to Exchange Online PowerShell with the following command:
Replace "[email protected]" with your organization email, sign in with your Microsoft credentials, and you are ready to run the desired command.
Step 2: Run Get-MessageTrackingLog
To run the Get-MessageTrackingLog command, it is necessary to specify a few parameters that will retrieve the desired message log reports.
These parameters include the Mailbox server to query, the date range, the sender address, the recipient email addresses, and more.
Let's take a look at the following example:
This command retrieves the message tracking log entries on the Mailbox server named Mailbox 117 for all messages sent from July 14 to July 25, 2023, by the sender [email protected].
Step 3: Review the Output and Tracking Log
Once you've run the command, you'll see the tracking logs on screen. However, you can get this tracking log in a CSV file if needed as well.
In the previous example, the output would look something like this:
The meaning of each message tracking log field is the following:
- The Timestamp column represents the date and time of the message event;
- Sender indicates the email address of the sender ([email protected]);
- Recipients shows the email addresses of the recipients;
- MessageSubject displays the subject of the email;
- EventId specifies the event type, such as "RECEIVE" for incoming messages and "SEND" for outgoing messages;
- TotalBytes represents the total size of the email message in bytes;
- MessageLatency indicates the time taken for the message to traverse the system, typically measured in seconds.
You can view the message tracking log on the screen or save it to a file for later use.
According to Microsoft resources, it is possible to write the results to a file by piping the output to ConvertTo-Html or ConvertTo-Csv and adding > <filename> to the command.
In this case, the command would look like this:
In this example, this command retrieves message tracking log data for the specified server, date range, and sender, and then it pipes the output to the ConvertTo-Html cmdlet. The results are saved to an HTML file located at "C:\My Documents\message track.html."
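The prerequisite role check and the three steps above, as one added example that is not the article's own code. Because Get-MessageTrackingLog is an Exchange Server cmdlet (see the comparison section), the example connects to an on-premises Exchange server through a remote PowerShell session rather than with Connect-ExchangeOnline; the server name, sender address and output folder are assumed placeholders.

```powershell
# Added example (not from the original article). Assumed/constructed values:
# the server FQDN standing in for "Mailbox 117", the sender address and the output folder.
$ExchangeServer = 'mailbox117.example.com'   # assumed FQDN of the "Mailbox 117" server
$Sender         = 'sender@example.com'       # constructed placeholder sender
$OutDir         = 'C:\My Documents'

# Step 1: connect to the on-premises server (Kerberos works from a domain-joined admin host)
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeServer/PowerShell/" -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

# Prerequisite check: list the roles that grant the cmdlet, then confirm it was imported
Get-ManagementRole -Cmdlet Get-MessageTrackingLog | Select-Object Name
if (-not (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue)) {
    throw 'Get-MessageTrackingLog is not available in this session; check your role assignments.'
}

# Step 2: build the dates as explicit DateTime values (invariant-culture parse) instead of
# locale-dependent strings, and lift the default result cap with -ResultSize Unlimited
$Start = [datetime]'2023-07-14T00:00:00'
$End   = [datetime]'2023-07-25T23:59:59'
$log = Get-MessageTrackingLog -Server $ExchangeServer -Start $Start -End $End `
    -Sender $Sender -ResultSize Unlimited

# Step 3: review on screen. Recipients is an array, so join it into one readable column;
# without this, CSV export would show the type name instead of the addresses.
$view = $log | Sort-Object Timestamp | Select-Object Timestamp, EventId, Source, Sender,
    @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } },
    MessageSubject, TotalBytes, MessageLatency
$view | Format-Table -AutoSize

# Save the results: HTML as the article describes, plus CSV for spreadsheets or a SIEM
$view | ConvertTo-Html -Title 'Message tracking' > "$OutDir\message track.html"
$view | Export-Csv -Path "$OutDir\message track.csv" -NoTypeInformation -Encoding UTF8

Remove-PSSession $session
```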
Summary: Using Get-MessageTrackingLog in PowerShell
Now that you are familiar with Get-MessageTrackingLog's syntax, key parameters, and practical applications, you are ready to use the cmdlet as needed. Before you do so, keep these three key points in mind:
- Get-MessageTrackingLog retrieves useful email tracking information contained in the logs of different Exchange Server environments;
- For the Get-MessageTrackingLog to return the desired information, it is necessary to modify the cmdlet parameters to match your needs;
- Keep in mind that Get-MessageTrackingLog and Get-MessageTrace are not the same thing - they are two different commands with similar purposes, each of them with its advantages.