Sometimes I just love linux even more. Message tracking and just plain logging in Exchange is just unbearable. I love the way it is so simple to get right to the problem a linux system.

Determining what has happened to message in Exchange is just a nightmare. It seems even worse in Exchange 2013, but I know there is a lot of information there. It would just be nice to see a simple standards based SMTP type of log. I have yet to stumble on it in the mountain of logging options in EMS.

First, you have to set the event log level. At least, I believe you do. Regardless, it is something to note here, because it could useful for troubleshooting other kind of issues.

To check the current event log levels:

[PS] C:\>Get-EventLogLevel

I highly recommend piping this out to more, because there are a lot of them. By default, almost all of the log levels are set to Lowest.

To change a log level:

[PS] C:\>Set-EventLogLevel -Identity identityname -Level newlevel

For example:

[PS] C:\>Set-EventLogLevel -Identity MSExchangeTransport\SmtpReceive -Level High

To change the retention in days of the logs. The default is 30 days.:

Set-TransportServer -Identity MY-SERVER -MessageTrackingLogMaxAge 90

Other options include:

MessageTrackingLogMaxDirectorySize (for example: 1000 MB)
MessageTrackingLogMaxFileSize (for example: 10 MB)
MessageTrackingLogPath (for example: L:\ExchangeLogs)

[PS] C:\>get-messagetrackinglog -start “6/6/2014 10:00:00” -end “6/17/2014 23:59” -recipient “recipientemailaddress” -sender “senderemailaddress” | format-list | more

If you get a log of output, you may need to use ResultSize to increase the number of items listed. Also, you can use Select to selectively choose your display columns:

[PS] C:\>get-messagetrackinglog -start “6/6/2014 10:00:00” -end “6/17/2014 23:59” -EventID RECEIVE -ResultSize 10000 -recipient “recipientemailaddress” -sender “senderemailaddress” | Select Recipients,Sender,MessageSubject,TimeStamp