Exchange 2016 Tracking Log Searches

Exchange 2010 was the last iteration that included a decent message tracking log interface. Microsoft intentionally broke that wonderful search app with 2013 in order to push admins to use PowerShell. So, when I had to track down the internal source of an email that was being sent by a job that did not appear to exist (we have dozens of applications that route mail through Exchange), I had to use PowerShell to track down the source IP.


This proved not to be the easiest thing to do. I was not sure where the original source IP even resided, or which field of the tracking log would hold it. So, I decided to start by selecting every field for the first query and work my way back from there. I also decided to use the wonderful | Out-GridView feature to pipe the output to a GUI so that I could filter from there.

Here is the query to use. It is a single command; the property list is broken after commas and pipes only so that it fits on the page, which PowerShell accepts as line continuation (note that -ResultSize Unlimited is needed because the default returns at most 1000 events):

Get-MessageTrackingLog -Server mail01 -Start "Aug 7 2017" -Sender "customerservice@domain.com" -ResultSize Unlimited |
    Select-Object TransportTrafficType, SchemaVersion, RunspaceId, Timestamp, ClientIp, ClientHostname,
        ServerIp, ServerHostname, SourceContext,
        ConnectorId, Source, EventId, InternalMessageId, MessageId,
        NetworkMessageId, Recipients, RecipientStatus, TotalBytes, RecipientCount, RelatedRecipientAddress,
        Reference, MessageSubject, Sender, ReturnPath, Directionality,
        TenantId, OriginalClientIp, MessageInfo, MessageLatency, MessageLatencyType |
    Out-GridView


This gave me the information that I needed. Too much information in fact, which was easily remedied by Out-GridView's "Add Criteria" feature (filtering on EventId RECEIVE narrows it to the submission events, which are the ones that carry the submitting host). In the end, it was the OriginalClientIp field that gave me what I needed!
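As an added example that is not part of the original post, the following script takes the same search one step further: it queries every transport server instead of just mail01 (a message submitted to another server never shows up in mail01's logs), keeps only the RECEIVE events that record the submission, and tallies them by submitting IP so an unknown job stands out without scrolling through a grid. The sender address is the placeholder from the post; the one-week date range, the server enumeration via Get-TransportService and the output columns are my own assumptions.

```powershell
# Added example, not code from the original post: tally which hosts are submitting
# mail as a given sender, across every transport server, grouped by submitting IP.
# Assumptions: the sender address is the placeholder from the post; the date range,
# the server list and the output columns are choices made for this example.

$sender = "customerservice@domain.com"   # assumption: placeholder address from the post
$start  = (Get-Date).AddDays(-7)          # assumption: look back one week
$end    = Get-Date

# Search the transport logs of every Mailbox server. -Server mail01 alone would miss a
# message that arrived on a different server, and the default -ResultSize is only 1000.
# RECEIVE events record the submission: Source SMTP means an SMTP client (an application,
# a relay host), Source STOREDRIVER means a mailbox submission (Outlook, OWA).
$events = Get-TransportService |
    Get-MessageTrackingLog -Sender $sender -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited

# ClientIp is the host that connected to the receive connector; OriginalClientIp, when
# populated, points further back to the originating client. Prefer OriginalClientIp.
$tagged = $events | Select-Object Timestamp, Source, ConnectorId, ClientHostname, MessageSubject,
    @{ Name = 'SubmittingIp'; Expression = {
        if ($_.OriginalClientIp) { [string]$_.OriginalClientIp } else { [string]$_.ClientIp } } }

# One row per submitting IP and source: message count, first/last seen, the receive
# connector(s) used, and a sample subject so an unfamiliar job can be recognised.
$tagged |
    Group-Object SubmittingIp, Source |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'SubmittingIp';  Expression = { $_.Group[0].SubmittingIp } },
        @{ Name = 'Source';        Expression = { $_.Group[0].Source } },
        @{ Name = 'FirstSeen';     Expression = { ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp } },
        @{ Name = 'LastSeen';      Expression = { ($_.Group | Sort-Object Timestamp | Select-Object -Last 1).Timestamp } },
        @{ Name = 'Connectors';    Expression = {
            ($_.Group | ForEach-Object { $_.ConnectorId } | Where-Object { $_ } | Sort-Object -Unique) -join ', ' } },
        @{ Name = 'SampleSubject'; Expression = { $_.Group[0].MessageSubject } } |
    Format-Table -AutoSize
```

Run it from the Exchange Management Shell as an account that holds the Message Tracking role. Once a suspicious IP shows up, the same $events collection can be filtered with Where-Object on SubmittingIp to pull the individual messages, or piped to Out-GridView as in the post for interactive filtering.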