How to group message tracking logs by Sender
```powershell
# Count tracking-log entries per sender for a date range
Get-MessageTrackingLog -Start "10/22/2011 00:00:00" -End "11/21/2011 11:59:00" | Group-Object -Property Sender

# Export the SEND events for one sender/recipient pair to CSV
# (the -Start/-End values are parsed using the culture of the shell that runs the command)
Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Sender john@example.com -Recipients bill@example.net -Start 12/3/2009 -End 13/3/2009 |
    Select-Object Timestamp, ClientIp, ClientHostname, ServerIp, ServerHostname, SourceContext, ConnectorId, Source, EventId, InternalMessageId, MessageId, {$_.Recipients}, {$_.RecipientStatus}, TotalBytes, RecipientCount, RelatedRecipientAddress, {$_.Reference}, MessageSubject, Sender, ReturnPath, MessageInfo |
    Export-Csv C:\Temp\SearchResults.csv -NoTypeInformation
```
Reporting on e-mail messages sent and received yesterday
Using PowerShell scripts it’s possible to use the message tracking logs to create reports. This example will get the messages sent and received on the previous day for a group of mailboxes in a specific database.
```powershell
# Get the start date for the tracking log search (00:00:00 yesterday)
$Start = (Get-Date -Hour 00 -Minute 00 -Second 00).AddDays(-1)
# Get the end date for the tracking log search (23:59:59 yesterday)
$End = (Get-Date -Hour 23 -Minute 59 -Second 59).AddDays(-1)
# Declare an array to store the results
$Results = @()
# Get the SEND events from the message tracking logs
$Sent = Get-MessageTrackingLog -Server EXCHANGE01 -EventID SEND -Start $Start -End $End -ResultSize Unlimited
# Get the RECEIVE events from the message tracking logs
$Received = Get-MessageTrackingLog -Server EXCHANGE01 -EventID RECEIVE -Start $Start -End $End -ResultSize Unlimited
# Get the mailboxes we want to report on (@() keeps .Count valid when only one mailbox is returned)
$Mailboxes = @(Get-Mailbox -Database "EXCHANGE01\SG1\DB1")
# Set up the counters for the progress bar
$Total = $Mailboxes.Count
$Count = 1
# Sort the mailboxes and pipe them to a ForEach-Object loop
$Mailboxes | Sort-Object -Property DisplayName | ForEach-Object {
    # Update the progress bar
    $PercentComplete = $Count / $Total * 100
    Write-Progress -Activity "Message Tracking Log Search" -Status "Processing mailboxes" -PercentComplete $PercentComplete
    # Declare a custom object to store the data
    $Stats = "" | Select-Object Name, Sent, Received
    # Get the email address for the mailbox
    $Email = $_.WindowsEmailAddress.ToString()
    # Set the Name property of our object to the mailbox's display name
    $Stats.Name = $_.DisplayName
    # Set the Sent property to the number of messages sent (@() so .Count works for 0 or 1 matches)
    $Stats.Sent = @($Sent | Where-Object { ($_.EventId -eq "SEND") -and ($_.Sender -eq $Email) }).Count
    # Set the Received property to the number of messages received
    $Stats.Received = @($Received | Where-Object { ($_.EventId -eq "RECEIVE") -and ($_.Recipients -match $Email) }).Count
    # Add the statistics for this mailbox to our results array
    $Results += $Stats
    # Increment the progress bar counter
    $Count += 1
}
# Output the results
$Results
```

Message tracking events
Event name | Description |
---|---|
AGENTINFO | This event is used by transport agents to log custom data. |
BADMAIL | A message submitted by the Pickup directory or the Replay directory that can't be delivered or returned. |
DEFER | Message delivery was delayed. |
DELIVER | A message was delivered to a local mailbox. |
DSN | A delivery status notification (DSN) was generated. |
DUPLICATEDELIVER | A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of multiple nested distribution groups. Duplicate messages are detected and removed by the information store. |
DUPLICATEEXPAND | During the expansion of the distribution group, a duplicate recipient was detected. |
DUPLICATEREDIRECT | An alternate recipient for the message was already a recipient. |
EXPAND | A distribution group was expanded. |
FAIL | Message delivery failed. Sources include SMTP, DNS, QUEUE, and ROUTING. |
HADISCARD | A shadow message was discarded after the primary copy was delivered to the next hop. For more information, see Shadow redundancy. |
HARECEIVE | A shadow message was received by the server in the local database availability group (DAG) or Active Directory site. |
HAREDIRECT | A shadow message was created. |
HAREDIRECTFAIL | A shadow message failed to be created. The details are stored in the source-context field. |
INITMESSAGECREATED | A message was sent to a moderated recipient, so the message was sent to the arbitration mailbox for approval. For more information, see Managing message approval. |
LOAD | A message was successfully loaded at boot. |
MODERATOREXPIRE | A moderator for a moderated recipient never approved or rejected the message, so the message expired. For more information about moderated recipients, see Managing message approval. |
MODERATORAPPROVE | A moderator for a moderated recipient approved the message, so the message was delivered to the moderated recipient. |
MODERATORREJECT | A moderator for a moderated recipient rejected the message, so the message wasn't delivered to the moderated recipient. |
MODERATORSALLNDR | All approval requests sent to all moderators of a moderated recipient were undeliverable, and resulted in non-delivery reports (NDRs). |
NOTIFYMAPI | A message was detected in the Outbox of a mailbox on the local server. |
NOTIFYSHADOW | A message was detected in the Outbox of a mailbox on the local server, and a shadow copy of the message needs to be created. |
POISONMESSAGE | A message was put in the poison message queue or removed from the poison message queue. |
PROCESS | The message was successfully processed. |
RECEIVE | A message was received by the SMTP receive component of the transport service or from the Pickup or Replay directories (source: SMTP), or a message was submitted from a mailbox to the Mailbox Transport Submission service (source: STOREDRIVER). |
REDIRECT | A message was redirected to an alternative recipient after an Active Directory lookup. |
RESOLVE | A message's recipients were resolved to a different email address after an Active Directory lookup. |
RESUBMIT | A message was automatically resubmitted from Safety Net. For more information, see Safety Net. |
RESUBMITDEFER | A message resubmitted from Safety Net was deferred. |
RESUBMITFAIL | A message resubmitted from Safety Net failed. |
SEND | A message was sent by SMTP between transport services. |
SUBMIT | The Mailbox Transport Submission service successfully transmitted the message to the Transport service. For SUBMIT events, the source-context property contains the following details: |
SUBMITDEFER | The message transmission from the Mailbox Transport Submission service to the Transport service was deferred. |
SUBMITFAIL | The message transmission from the Mailbox Transport Submission service to the Transport service failed. |
SUPPRESSED | The message transmission was suppressed. |
THROTTLE | The message was throttled. |
TRANSFER | Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. Sources include ROUTING or QUEUE. |
Fields in Message Tracking
Field name | Description |
---|---|
date-time | The UTC date-time of the message tracking event. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. |
client-ip | The IPv4 or IPv6 address of the messaging server or messaging client that submitted the message. |
client-hostname | The host name or FQDN of the messaging server or messaging client that submitted the message. |
server-ip | The IPv4 or IPv6 address of the source or destination Exchange server. |
server-hostname | The host name or FQDN of the destination server. |
source-context | Extra information associated with the source field. For example, transport agent information. |
connector-id | The name of the source or destination Send connector or Receive connector. For example, ServerName\ConnectorName or ConnectorName. |
source | The Exchange transport component responsible for the message tracking event. The values found in this field are described in the Source values in the message tracking log section later in this topic. |
event-id | The message event type. The event types are described in the Event types in the message tracking log section later in this topic. |
internal-message-id | A message identifier assigned by the Exchange server currently processing the message. A specific message's value of internal-message-id is different in the message tracking log of every Exchange server that's involved in the transmission of the message. An example value is 73014444033. |
message-id | The value of the Message-Id: header field found in the message header. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message. For messages created in Exchange, the value is in the format <GUID@ServerFQDN>, including the angle brackets (< >). For example, <4867a3d78a50438bad95c0f6d072fca5@mailbox01.contoso.com>. Other messaging systems may use different syntax or values. |
network-message-id | A unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f. |
recipient-address | The email addresses of the message's recipients. Multiple email addresses are separated by the semicolon character (;). |
recipient-status | This field contains the recipient status for each recipient separated by the semicolon character (;). The status values are presented for the recipients in the same order as the values in the recipient-address field. Example status values include 250 2.1.5 Recipient OK or 550 4.4.7 QUEUE.Expired;<ErrorText>. |
total-bytes | The size of the message that includes attachments, in bytes. |
recipient-count | The number of recipients in the message. |
related-recipient-address | This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient email addresses associated with the message. |
reference | This field contains additional information for specific types of events. For example: DSN: contains the report link, which is the Message-Id value of the associated delivery status notification (DSN) if a DSN is generated subsequent to this event; if this is a DSN message, the Reference field contains the Message-Id value of the original message for which this DSN was generated. EXPAND: the Reference field contains the related-recipient-address value of the related messages. RECEIVE: the Reference field may contain the Message-Id value of the related message if the message was generated by other processes, for example, journaling or Inbox rules. SEND: the Reference field contains the Internal-Message-Id value of any DSN messages. THROTTLE: the Reference field contains the reason why the message was throttled. TRANSFER: the Reference field contains the Internal-Message-Id of the message that is being forked. For messages generated by inbox rules, the Reference field contains the Internal-Message-Id value of the inbound message that caused the inbox rule to generate the outbound message. For other types of events, the Reference field may contain the Internal-Message-Id value for forked messages; otherwise it is usually blank. |
message-subject | The message's subject found in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportService or Set-MailboxServer cmdlets. By default, message subject tracking is enabled. |
sender-address | The email address specified in the Sender: header field, or the From: header field if Sender: is not present. |
return-path | The return email address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>. |
message-info | Additional information about the message. For example: |
directionality | The direction of the message. Example values include Incoming, Undefined, and Originating. |
tenant-id | This field isn't used in on-premises Exchange 2013 organizations. |
original-client-ip | The IPv4 or IPv6 address of the original client. |
original-server-ip | The IPv4 or IPv6 address of the original server. |
custom-data | This field contains data related to specific event types. For example, the Transport Rule agent uses this field to record the GUID of the transport rule or DLP policy that acted on the message. For more information about these Transport Rule agent values, see the "Data logging" section in the DLP policy detection reports topic. |
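The same per-sender grouping and the sent/received-per-mailbox count from the sections above can be run offline against an exported MSGTRK log, using the field layout, the semicolon-separated recipient-address and recipient-status columns, and the example status values from the tables above. This is an added example, not code from the original post: the log text, hosts, addresses and ids are constructed, and the rule that a status value starts with a 3-digit SMTP code (used to split statuses that themselves contain ';') is an assumption.

```python
import csv
import re
from collections import Counter

# Constructed sample in the MSGTRK text layout, fields in the order of the
# "Fields in Message Tracking" table; hosts, addresses and ids are made up.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2023-05-01T08:00:00.000Z,10.0.0.5,EXCHANGE01.example.com,10.0.0.5,EXCHANGE01.example.com,MDB:db1,,STOREDRIVER,RECEIVE,1001,<a1@EXCHANGE01.example.com>,n1,bill@example.net;ann@example.com,,4096,2,,,"Report, Q2",john@example.com,john@example.com,,Originating,,10.0.0.20,10.0.0.5,
2023-05-01T08:00:01.000Z,10.0.0.5,EXCHANGE01.example.com,203.0.113.9,mx.example.net,08D9;250 2.6.0 Queued,Internet,SMTP,SEND,1001,<a1@EXCHANGE01.example.com>,n1,bill@example.net,250 2.1.5 Recipient OK,4096,1,,,"Report, Q2",john@example.com,john@example.com,,Originating,,10.0.0.20,10.0.0.5,
2023-05-01T08:00:01.500Z,10.0.0.5,EXCHANGE01.example.com,10.0.0.5,EXCHANGE01.example.com,MDB:db1,,STOREDRIVER,DELIVER,1001,<a1@EXCHANGE01.example.com>,n1,ann@example.com,,4096,1,,,"Report, Q2",john@example.com,john@example.com,,Originating,,10.0.0.20,10.0.0.5,
2023-05-01T09:10:00.000Z,203.0.113.9,mx.example.net,10.0.0.5,EXCHANGE01.example.com,,Default EXCHANGE01,SMTP,RECEIVE,1002,<b7@mx.example.net>,n2,john@example.com,,2048,1,,,Re: Report,bill@example.net,bill@example.net,,Incoming,,203.0.113.9,10.0.0.5,
2023-05-01T10:00:00.000Z,10.0.0.5,EXCHANGE01.example.com,10.0.0.5,EXCHANGE01.example.com,,,QUEUE,FAIL,1003,<c3@EXCHANGE01.example.com>,n3,dan@example.org;eve@example.org,550 4.4.7 QUEUE.Expired;<ErrorText>;550 4.4.7 QUEUE.Expired;<ErrorText>,1024,2,,,Invoice,john@example.com,john@example.com,,Originating,,10.0.0.20,10.0.0.5,
"""

def parse_tracking_log(text):
    """Parse MSGTRK text into dicts keyed by the #Fields header names."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header lines, blank lines, rows before a #Fields header
        else:
            ev = dict(zip(fields, next(csv.reader([line]))))  # csv handles quoted subjects
            ev["recipients"] = [r for r in ev["recipient-address"].split(";") if r]
            # One status per recipient, in recipient-address order, but a status may itself
            # contain ';' (the table's "550 4.4.7 QUEUE.Expired;<ErrorText>"), so split only
            # where the next value starts with a 3-digit SMTP code (assumption about the format).
            st = ev["recipient-status"]
            ev["statuses"] = re.split(r";(?=\d{3}\s)", st) if st else []
            events.append(ev)
    return events

def count_by_sender(events, event_id="SEND"):
    """Same grouping as Get-MessageTrackingLog | Group-Object -Property Sender."""
    return Counter(e["sender-address"].lower() for e in events if e["event-id"] == event_id)

def mailbox_activity(events, address):
    """Mirror the report script: SEND events from the address, RECEIVE events listing it."""
    a = address.lower()
    sent = sum(e["event-id"] == "SEND" and e["sender-address"].lower() == a for e in events)
    recv = sum(e["event-id"] == "RECEIVE" and a in [r.lower() for r in e["recipients"]] for e in events)
    return sent, recv

def failed_recipients(events):
    """Pair recipients with their status by position and keep 4xx/5xx results."""
    return [(e["date-time"], e["event-id"], rcpt, st) for e in events
            for rcpt, st in zip(e["recipients"], e["statuses"]) if st[:1] in ("4", "5")]
```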