Tracking messages in Exchange 2013 log files - easy and quick!

The huge scalability of Microsoft Exchange brings serious disadvantages along with all its benefits. One of them is the difficulty of tracking a message through the log files: when you have multiple transport servers, a message passes through several mailbox servers and leaves its trail in the logs of each one.

Today I will try to at least partially help you with message tracking in Exchange 2013.

The Exchange 2013 mail flow / transport pipeline is shown in the following picture:

[Figure: Exchange 2013 Mail flow and Transport pipeline]

Message tracking in Exchange 2013

My approach to message tracking in Exchange is the following:

  1. Get the ID of the message we're interested in with the help of Get-MessageTrackingLog.
  2. With Log Parser 2.2, get the detailed records for that specific message.

Why can't we use Get-MessageTrackingLog alone (the cmdlet can perform very fast searches across multiple servers)? Get-MessageTrackingLog has only one unpleasant feature: it returns log records with a Timestamp that is accurate to whole seconds, while in the text logs the records are stored with millisecond accuracy. Since many actions are performed within a fraction of a second, we are unable to build a chronology of events from the cmdlet output.

That's why we will pass the log files through Log Parser 2.2, a universal text file parser from Microsoft that accepts SQL-like queries.

Searching messages with Get-MessageTrackingLog

There is a nice cmdlet, Get-MessageTrackingLog, in Exchange 2013. It searches the message tracking logs using filters. The most detailed description of the filters is at: https://technet.microsoft.com/en-us/library/aa997573(v=exchg.150).aspx.

Here is an example of how to use Get-MessageTrackingLog to find the MessageId:

[Figure: Using Get-MessageTrackingLog to find a MessageId]

Copy the MessageId and move on.

Using Log Parser 2.2 and Log Parser Studio

First of all, we need to install Log Parser 2.2 and Log Parser Studio (a GUI for Log Parser 2.2). Links:

Install both programs and start Log Parser Studio (LPS.exe).

Specify paths for logs (useful article on this topic: Moving Exchange 2013 logs from default folders with Powershell):

[Figure: Setting up Log Parser Studio]

Note: we point to the log folders on both servers!

Then create a new query and set the log file type to EELLOG, ordered by timestamp:

SELECT * 
FROM '[LOGFILEPATH]'
WHERE message-id = '<MessageId>'
ORDER BY [#Fields: date-time]

Execute the query and get the results:

Log analysis

Now you can see which way the message went, and perhaps find the cause of a failure. In most cases you will need to check the following fields:

  • client-ip
  • client-hostname
  • server-ip
  • server-hostname
  • connector-id
  • source
  • event-id
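As an added illustration (not part of the original article), the Python script below does for a sample log what the Log Parser query above does, and then pulls out the fields listed for analysis: it parses the MSGTRK CSV layout under its "#Fields:" header, selects the rows for one Message-ID, orders them by the millisecond timestamp the cmdlet would round away, and summarises source, event-id and server-hostname per hop. The sample log is constructed; the column names are the real MSGTRK field names, but the column list is trimmed and the hosts, IPs and IDs are made up.

```python
import csv
from datetime import datetime

# Constructed sample in the Exchange 2013 MSGTRK*.LOG layout (CSV rows under a
# "#Fields:" header), trimmed to the columns the article says to check (real logs
# carry ~27). Rows from two servers are concatenated out of order, as they are
# when two log folders are read together.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2015-03-19T10:15:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,connector-id,source,event-id,message-id,recipient-address,recipient-status
2015-03-19T10:15:22.402Z,10.0.0.21,MBX01,10.0.0.22,MBX02,MBX02\\Default MBX02,SMTP,RECEIVE,<msg1@example.com>,bob@example.com,
2015-03-19T10:15:22.655Z,10.0.0.22,MBX02,10.0.0.22,MBX02,,STOREDRIVER,DELIVER,<msg1@example.com>,bob@example.com,
2015-03-19T10:15:22.317Z,10.0.0.21,MBX01,10.0.0.22,MBX02,Intrasite,SMTP,SEND,<msg1@example.com>,bob@example.com,250 2.6.0 Queued mail for delivery
2015-03-19T10:15:22.124Z,10.0.0.21,,10.0.0.21,MBX01,,STOREDRIVER,SUBMIT,<msg1@example.com>,bob@example.com,
2015-03-19T10:15:22.210Z,10.0.0.21,MBX01,10.0.0.21,MBX01,MBX01\\Default MBX01,SMTP,RECEIVE,<msg1@example.com>,bob@example.com,
2015-03-19T10:15:30.001Z,10.0.0.21,MBX01,10.0.0.21,MBX01,,ROUTING,FAIL,<other@example.com>,nobody@example.com,550 5.1.1 RESOLVER.ADR.RecipNotFound
"""

def parse_tracking_log(text):
    """Rows as dicts keyed by the '#Fields:' names; other '#' lines are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before the #Fields: header")
            rec = dict(zip(fields, next(csv.reader([line]))))  # quoted subjects are fine
            # keep the millisecond part: this is what Get-MessageTrackingLog drops
            rec["_ts"] = datetime.strptime(rec["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            records.append(rec)
    return records

def trace_message(records, message_id):
    """All rows for one Message-ID, ordered by the millisecond log timestamp."""
    wanted = message_id.strip().strip("<>").lower()
    rows = [r for r in records if r["message-id"].strip("<>").lower() == wanted]
    return sorted(rows, key=lambda r: r["_ts"])

def hop_summary(trace):
    """(source, event-id, server-hostname) per row: the path the message took."""
    return [(r["source"], r["event-id"], r["server-hostname"]) for r in trace]

def ordering_resolution(trace):
    """Distinct timestamps at second vs millisecond precision for the same trace."""
    return len({r["_ts"].replace(microsecond=0) for r in trace}), len({r["_ts"] for r in trace})
```

For the constructed message, every hop falls within the same second, so ordering_resolution returns (1, 5): the cmdlet's whole-second timestamps could not tell the five events apart, while the log's millisecond timestamps order them as SUBMIT, RECEIVE, SEND, RECEIVE, DELIVER.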

The last two fields, source and event-id, tell us about the actions performed on the message. Help with analyzing these fields is available in this article:

https://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx 

For your and my convenience, here is the most useful information.

Possible values of the event-id field

Event name: Description

AGENTINFO

This event is used by transport agents to log custom data.

BADMAIL

A message submitted by the Pickup directory or the Replay directory that can't be delivered or returned.

DEFER

Message delivery was delayed.

DELIVER

A message was delivered to a local mailbox.

DSN

A delivery status notification (DSN) was generated.

DUPLICATEDELIVER

A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of multiple nested distribution groups. Duplicate messages are detected and removed by the information store.

DUPLICATEEXPAND

During the expansion of the distribution group, a duplicate recipient was detected.

DUPLICATEREDIRECT

An alternate recipient for the message was already a recipient.

EXPAND

A distribution group was expanded.

FAIL

Message delivery failed. Sources include SMTP, DNS, QUEUE, and ROUTING.

HADISCARD

A shadow message was discarded after the primary copy was delivered to the next hop. For more information, see Shadow redundancy.

HARECEIVE

A shadow message was received by the server in the local database availability group (DAG) or Active Directory site.

HAREDIRECT

A shadow message was created.

HAREDIRECTFAIL

A shadow message failed to be created. The details are stored in the source-context field.

INITMESSAGECREATED

A message was sent to a moderated recipient, so the message was sent to the arbitration mailbox for approval. For more information, see Manage message approval.

LOAD

A message was successfully loaded at boot.

MODERATOREXPIRE

A moderator for a moderated recipient never approved or rejected the message, so the message expired. For more information about moderated recipients, see Manage message approval.

MODERATORAPPROVE

A moderator for a moderated recipient approved the message, so the message was delivered to the moderated recipient.

MODERATORREJECT

A moderator for a moderated recipient rejected the message, so the message wasn't delivered to the moderated recipient.

MODERATORSALLNDR

All approval requests sent to all moderators of a moderated recipient were undeliverable, and resulted in non-delivery reports (NDRs).

NOTIFYMAPI

A message was detected in the Outbox of a mailbox on the local server.

NOTIFYSHADOW

A message was detected in the Outbox of a mailbox on the local server, and a shadow copy of the message needs to be created.

POISONMESSAGE

A message was put in the poison message queue or removed from the poison message queue.

PROCESS

The message was successfully processed.

RECEIVE

A message was received by the SMTP receive component of the transport service or from the Pickup or Replay directories (source: SMTP), or a message was submitted from a mailbox to the Mailbox Transport Submission service (source: STOREDRIVER).

REDIRECT

A message was redirected to an alternative recipient after an Active Directory lookup.

RESOLVE

A message's recipients were resolved to a different email address after an Active Directory lookup.

RESUBMIT

A message was automatically resubmitted from Safety Net. For more information, see Safety Net.

RESUBMITDEFER

A message resubmitted from Safety Net was deferred.

RESUBMITFAIL

A message resubmitted from Safety Net failed.

SEND

A message was sent by SMTP between transport services.

SUBMIT

The Mailbox Transport Submission service successfully transmitted the message to the Transport service. For SUBMIT events, the source-context property contains the following details:

  • MDB   The mailbox database GUID.

  • Mailbox   The mailbox GUID.

  • Event   The event sequence number.

  • MessageClass   The type of message. For example, IPM.Note.

  • CreationTime   Date-time of the message submission.

  • ClientType   For example, User, OWA, or ActiveSync.

SUBMITDEFER

The message transmission from the Mailbox Transport Submission service to the Transport service was deferred.

SUBMITFAIL

The message transmission from the Mailbox Transport Submission service to the Transport service failed.

SUPPRESSED

The message transmission was suppressed.

THROTTLE

The message was throttled.

TRANSFER

Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. Sources include ROUTING or QUEUE.


Possible values of the source field

Source value: Description

ADMIN

The event source was human intervention. For example, an administrator used Queue Viewer to delete a message, or submitted message files using the Replay directory.

AGENT

The event source was a transport agent.

APPROVAL

The event source was the approval framework that's used with moderated recipients. For more information, see Manage message approval.

DNS

The event source was DNS.

DSN

The event source was a delivery status notification (DSN). For example, a non-delivery report (NDR).

GATEWAY

The event source was a Foreign connector. For more information, see Foreign connectors.

MAILBOXRULE

The event source was an Inbox rule. For more information, see Inbox rules.

ORAR

The event source was an Originator Requested Alternate Recipient (ORAR). You can enable or disable support for ORAR on Receive connectors using the OrarEnabled parameter on the New-ReceiveConnector or Set-ReceiveConnector cmdlets.

PICKUP

The event source was the Pickup directory. For more information, see Pickup directory and Replay directory.

POISONMESSAGE

The event source was the poison message identifier. For more information about poison messages and the poison message queue, see Queues.

PUBLICFOLDER

The event source was a mail-enabled public folder.

QUEUE

The event source was a queue.

REDUNDANCY

The event source was Shadow Redundancy. For more information, see Shadow redundancy.

ROUTING

The event source was the routing resolution component of the categorizer in the Transport service.

SAFETYNET

The event source was Safety Net. For more information, see Safety Net.

SMTP

The message was submitted by the SMTP send or SMTP receive component of the transport service.

STOREDRIVER

The event source was a MAPI submission from a mailbox on the local server.
