Solved

searching exchange logs

Posted on 2014-11-05
Last Modified: 2014-11-30
I am using Exchange 2013, and I've run the following PS command, but it's not very good, as it doesn't tell me much.

get-messagetrackinglog -resultsize unlimited -sender "sender@domain.com" -start "date" -end "date" | out-gridview

So you can see from the attached screen that it actually doesn't show date/time in the output, which is not very helpful.

Also, my problem is that I have a user that said he sent an email at 7:33 am, but no one ever received it, as it went to a DL. So how can I research this to see why Exchange never sent the email? The strange thing is that when a different user sent out an email to the same DL, it worked fine.

Any ideas? How can I search in Exchange, in the ECP, as that will be easier to search?

error
0
Question by:afacts
9 Comments
 
LVL 41

Assisted Solution

by:Amit
Amit earned 100 total points
ID: 40425504
First check if user is allowed to send email to that DL
0
 

Author Comment

by:afacts
ID: 40425509
Yes he is, but how do I check that, because I thought anyone can send email to a DL?
0
 
LVL 5

Assisted Solution

by:Dave Gould
Dave Gould earned 400 total points
ID: 40425812
By default, using out-gridview only shows a limited number of columns, but you can change what is displayed by using select, i.e.:
get-messagetrackinglog -resultsize unlimited -sender sender@domain.com | select EventId, Source, timestamp, recipients, messagesubject |out-gridview

Also, if you have more than one mail hub, you should prefix the command with get-TransportServer

i.e.
get-TransportServer | get-messagetrackinglog -resultsize unlimited .....etc
0
 

Author Comment

by:afacts
ID: 40426663
I don't think I do.

Also, how can I follow every transaction and the sequence and why it failed?

Is there any way to search for what I'm looking for in the ECP?
0
 
LVL 5

Expert Comment

by:Dave Gould
ID: 40427961
First check the eventid. Did you see the mail in question in the transport logs?
If so, what event IDs does it show?
Does your Exchange send directly to the Internet or does it go via a relay?
You might want to check the transport logs on the server (should be something like "exchange\TransportRoles\Logs\ProtocolLog\SmtpSend\SENDyyyymmdd-1.log").
0
 

Author Comment

by:afacts
ID: 40435871
Well, my logs are here:
transportroles\logs\hub\protocol\smtpsend
There are no files in that folder.

Then for the smtpreceive:
transportroles\logs\hub\protocol\smtpreceive
There's only 1 file from over 1 month ago, at 0 KB.

Apparently either logging is turned off, or they are somewhere else?

Not sure what to do?
0
 

Author Comment

by:afacts
ID: 40436320
I did a search in PowerShell, and here's what came up. Now what do I do with this? How can I research this further to see why the routing failed? Why didn't the email from home get sent correctly?

error
0
 
LVL 5

Accepted Solution

by:Dave Gould
Dave Gould earned 400 total points
ID: 40439331
First of all, it does appear that your protocol logging is turned off so you might want to turn it on for future issues. This is done on the "log settings" tab on the hub server settings via the EMC console.

On the tracking log, you have an HAREDIRECTFAIL. This is for the shadow redundancy in a multi-server environment. You can turn it off if you are not using the HA features. Here is a useful link giving more info:
http://technet.microsoft.com/en-us/library/jj657506(v=exchg.150).aspx

On the other hand, it is difficult to see where the routing fail comes from.
0
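A shell-side way to check whether protocol logging is actually on and where the logs are written, as an added example that is not part of the thread. It assumes the Exchange Management Shell on the Exchange 2013 server itself, so the log paths are local.

```powershell
# Added example. Assumes the Exchange Management Shell, run on the Exchange 2013 server.

# 1. Log locations for the transport service and whether message tracking is enabled.
Get-TransportService | Format-List Name, MessageTrackingLogEnabled, MessageTrackingLogPath,
    SendProtocolLogPath, ReceiveProtocolLogPath, IntraOrgConnectorProtocolLoggingLevel

# 2. Protocol logging is a per-connector setting. "None" means the SMTP
#    conversation on that connector is not written to the protocol log.
Get-ReceiveConnector | Format-Table Identity, ProtocolLoggingLevel -AutoSize
Get-SendConnector    | Format-Table Identity, ProtocolLoggingLevel -AutoSize

# 3. Newest files in each protocol log folder. Empty folders or old 0-byte
#    files match what the thread describes when logging is off.
foreach ($svc in Get-TransportService) {
    foreach ($path in $svc.SendProtocolLogPath, $svc.ReceiveProtocolLogPath) {
        Get-ChildItem -Path "$path" -Filter *.log -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 3 FullName, Length, LastWriteTime |
            Format-Table -AutoSize
    }
}

# 4. Enable verbose protocol logging on every connector, including the implicit
#    intra-organization Send connector used for internal mail flow.
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
Get-SendConnector    | Set-SendConnector -ProtocolLoggingLevel Verbose
Get-TransportService | Set-TransportService -IntraOrgConnectorProtocolLoggingLevel Verbose
```

Protocol logs only cover SMTP sessions that happen after logging is enabled, so the message already lost can only be investigated through the message tracking log.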
 

Author Comment

by:afacts
ID: 40440451
Hello Dave,

Are you referring to servers -> servers -> and then "transport logs" section?
Both Message tracking log and connectivity log settings are enabled.
If you're referring to another place, then I'm not sure what you're referring to?

I'll review the website you mentioned.

I only have 1 Exchange server, so I do not have any HA enabled.

I can't believe that it's this hard to try to figure out why an email that a user sent internally did not get delivered to other users internally. Every user is an internal user, so that just frustrates me as to why Microsoft makes it so hard.

So are there any commands I need to know to be able to run that will give me more information about why it failed?
0
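One way to follow a single message through the tracking log, see whether the DL was expanded and where delivery stopped, and check who is allowed to send to the list, as an added example that is not part of the thread. The sender, list address, time window and MessageId are placeholders; Get-TransportService is the Exchange 2013 cmdlet that replaces the Get-TransportServer used above.

```powershell
# Added example for the Exchange Management Shell. Values marked "placeholder" are assumptions.
$sender = 'sender@domain.com'           # placeholder sender address
$dl     = 'dl@domain.com'               # placeholder distribution list address
$start  = Get-Date '2014-11-05 07:00'   # placeholder window around the reported 7:33 am send
$end    = Get-Date '2014-11-05 08:00'

# 1. Everything the sender submitted in the window, from every transport server.
$hits = Get-TransportService |
    Get-MessageTrackingLog -Sender $sender -Start $start -End $end -ResultSize Unlimited

# 2. One row per message, so the right MessageId can be picked by time and subject.
$hits | Sort-Object Timestamp | Group-Object MessageId | ForEach-Object {
    [pscustomobject]@{
        FirstSeen = $_.Group[0].Timestamp
        Subject   = $_.Group[0].MessageSubject
        Events    = ($_.Group.EventId | Select-Object -Unique) -join ','
        MessageId = $_.Name
    }
} | Format-Table -AutoSize -Wrap

# 3. Full event sequence for one message, oldest first.
$messageId = '<placeholder-id@domain.com>'   # paste a MessageId from step 2
$trace = Get-TransportService |
    Get-MessageTrackingLog -MessageId $messageId -ResultSize Unlimited |
    Sort-Object Timestamp
$trace | Format-List Timestamp, ServerHostname, EventId, Source,
    Recipients, RecipientStatus, RelatedRecipientAddress, SourceContext

# 4. Was the list expanded, and did any step fail? EXPAND rows carry the group
#    address in RelatedRecipientAddress; failure rows carry the reason in RecipientStatus.
$trace | Where-Object { $_.EventId -eq 'EXPAND' } |
    Format-Table Timestamp, RelatedRecipientAddress, RecipientCount -AutoSize
$trace | Where-Object { $_.EventId -in 'FAIL','DSN','DEFER','DROP','HAREDIRECTFAIL' } |
    Format-List Timestamp, EventId, Source, Recipients, RecipientStatus, SourceContext

# 5. Delivery restrictions on the list that could reject or hold this sender's mail.
Get-DistributionGroup -Identity $dl | Format-List Name, RequireSenderAuthenticationEnabled,
    AcceptMessagesOnlyFromSendersOrMembers, RejectMessagesFromSendersOrMembers,
    ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers
```

A message that shows RECEIVE and SUBMIT but no EXPAND never reached list expansion, while an EXPAND followed by FAIL points at the recipients or restrictions rather than at the sender's client.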
