Tuesday, July 7, 2015

Script for Exchange 2013 Message Tracking

Exchange Server 2010 had a graphical utility for analyzing message tracking logs. Unfortunately, this tool was removed from Exchange Server 2013. Instead, in Exchange Server 2013 you have only the Get-MessageTrackingLog cmdlet.

The Get-MessageTrackingLog cmdlet is a pain in the butt for a few reasons:
  • You need to memorize the syntax. Most of it is pretty straightforward, but you need to remember the correct parameters for searching by sender, recipient, or subject.
  • It only searches the local server by default. Without specifying servers, it only searches the local Exchange server that you're running the tool on. In a lot of cases, you need to see information from all your servers to track a message down.
While working on a message delivery problem this week, I wrote up a short script to help with simple message tracking based on time, sender, recipient, or message subject. The script is as follows:
  Write-Host "Current Date/Time: $(Get-Date)"   # shows the date/time format to use for the prompts below
  $StartTime  = Read-Host "Start time for search"
  $EndTime    = Read-Host "End time for search"
  $SearchType = Read-Host "Search for (S)ender, (R)ecipient, (M)essage subject, or display (A)ll"

  # Every server that keeps message tracking logs (transport or mailbox role)
  $Servers = Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true}
  # Columns shown in the grid view
  $Columns = 'Timestamp','ServerHostname','ClientHostname','Source','EventId','Sender','Recipients','MessageSubject'

  # Switch is case-insensitive, so 's' and 'S' both work
  Switch ($SearchType) {
    'S' {
      $Sender = Read-Host "Sender"
      $Servers | Get-MessageTrackingLog -Start $StartTime -End $EndTime -Sender $Sender | Select-Object $Columns | Out-GridView }
    'R' {
      $Recipient = Read-Host "Recipient"
      $Servers | Get-MessageTrackingLog -Start $StartTime -End $EndTime -Recipient $Recipient | Select-Object $Columns | Out-GridView }
    'M' {
      $MessageSubject = Read-Host "Message subject (performs partial matches)"
      $Servers | Get-MessageTrackingLog -Start $StartTime -End $EndTime -MessageSubject $MessageSubject | Select-Object $Columns | Out-GridView }
    'A' {
      $Servers | Get-MessageTrackingLog -Start $StartTime -End $EndTime | Select-Object $Columns | Out-GridView }
    default {Write-Host "Invalid Option - Run Script Again"}
  }
Here is how the script works:
  1. The current date/time is displayed. This shows you the date/time syntax to use when entering times in the next steps.
  2. You are prompted for the time to start searching the logs.
  3. You are prompted for the time to stop searching the logs.
  4. You are prompted for the type of search you want to do: sender, recipient, message subject, or display all.
  5. The switch command uses the $SearchType variable to run a specific code block. The command varies depending on the option, but in general, it prompts for the required information and then runs the query based on it.
  6. Results are displayed by using Out-GridView. This allows you to sort based on columns.

Notes:

  • This code identifies all Exchange servers that keep message tracking logs and generates the list that is then piped to the Get-MessageTrackingLog cmdlet.
    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true}
  • When you search by message subject, it returns all results that include the snippet of text. This can sometimes make it hard to track down the specific message that you're looking for. For example, searching for "text" will include messages with "text" in the subject, but also "context", "textbook", etc.
  • Only 1000 results are returned by the Get-MessageTrackingLog cmdlet. It's possible to override this, but if your query is returning more than 1000 results, you should probably be refining your query.
  • Times from Exchange 2007 servers seem off. I was testing in a mixed 2013 and 2007 environment and the content coming back from the 2007 environment had timestamps outside the range I queried. I have not yet had time to investigate, but be aware of this when sorting results based on time.
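As an added example (not the post's own script), here is the same search as a reusable function that can be called non-interactively, for instance from an incident response runbook, with the two caveats from the notes handled: it can lift the 1000-result cap and can narrow subject searches to exact matches. It assumes it runs in the Exchange Management Shell; the function name, its parameter names and the sample subject are my own choices.

```powershell
function Search-TrackingLogs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$Sender,
        [string]$Recipient,
        [string]$Subject,
        [switch]$ExactSubject,         # drop the partial subject matches the post warns about
        [string]$ResultSize = '1000',  # cmdlet default; pass 'Unlimited' to lift the cap
        [string]$OutCsv                # optional evidence file for the case folder
    )

    # Same server filter as the post's script: every role that keeps tracking logs.
    $servers = Get-ExchangeServer |
        Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer }

    # Build the cmdlet arguments once and add only the filters that were supplied.
    $query = @{ Start = $Start; End = $End; ResultSize = $ResultSize }
    if ($Sender)    { $query.Sender         = $Sender }
    if ($Recipient) { $query.Recipients     = $Recipient }   # full parameter name
    if ($Subject)   { $query.MessageSubject = $Subject }     # substring match on the server

    $results = $servers | Get-MessageTrackingLog @query

    # -MessageSubject is a substring match, so narrow to the exact subject client-side.
    if ($ExactSubject -and $Subject) {
        $results = $results | Where-Object { $_.MessageSubject -eq $Subject }
    }

    # Flatten Recipients (an array) so it survives Export-Csv, and order by time
    # ourselves rather than trusting per-server ordering (see the 2007 note above).
    $results = $results |
        Select-Object Timestamp, ServerHostname, ClientHostname, Source, EventId, Sender,
                      @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, MessageSubject |
        Sort-Object Timestamp

    if ($OutCsv) { $results | Export-Csv -Path $OutCsv -NoTypeInformation }
    $results
}

# Example call: list every copy of a reported message across all servers, past 24 hours.
Search-TrackingLogs -Start (Get-Date).AddDays(-1) -End (Get-Date) `
    -Subject 'Invoice attached' -ExactSubject -ResultSize Unlimited -OutCsv .\tracking.csv |
    Out-GridView
```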
