How to Run Get-MessageTrackingLog cmdlet in Exchange?

Aftab Alam
Aftab Alam linkedin | Published On - February 06, 2023 |

Read time: 4 minutes

The secure environment of the Exchange Server makes sure that a mailbox remains in a consistent state in which all the incoming and outgoing emails are put in their respective folders. Generally, a manager does not need to take care of individual emails or the mail flow. Still, they may require checking the message activity moving in the transport pipeline in rarer circumstances.

For the convenience of checking the mail flow, Exchange Server registers a message tracking log that is accessible through Exchange Management Shell. It will provide the following information to you-

  • Learn what happened to an email message that a user delivered to a certain recipient.
  • Determine if a transport rule, sometimes referred to as a mail flow rule, affected a message.
  • Check to see if a message that was delivered through the Internet made it into your Exchange organization.
  • Find every message that was sent by a certain user during a given time frame.

Important points to remember before checking the message logs in Exchange.

  1. The Administrator account must have additional permissions like Organization Management Role, Records Management Role, and Recipient Management.
  2. The Microsoft Exchange Transport Log Search service must be active in order to search the message tracking logs. You cannot run delivery reports or check the message tracking logs if you disable or terminate this service. However, disabling this service has no impact on Exchange’s other functions.
  3. The Get-MessageTrackingLog cmdlet cannot be used to search the message tracking log files copied from another Exchange server. Additionally, if you manually save an existing message tracking log file, the query logic that Exchange uses to search the message tracking logs is broken due to the change in the file’s date-time stamp.
  4. Message tracking logs on Exchange 2013 Mailbox servers and Exchange 2010 Hub Transport servers in the same Active Directory site may be searched using the Get-MessageTrackingLog cmdlet in Exchange 2016. The message tracking logs on Exchange 2016 and Exchange 2013 Mailbox servers inside the same Active Directory site may be searched using the Get-MessageTrackingLog cmdlet in Exchange 2019.
How to run Get-MessageTrackingLog cmdlet in Exchange Management Shell

Once you have started the Exchange Management Shell as the Administrator, then you can run the Get-MessageTrackingLog in multiple ways.

  1. The basic usage of the cmdlet is the following-
  2. Get-MessageTrackingLog

    It will bring the first 1000 recent message log entries from the single server.

  3. For getting some specific entries from a specific time frame, you can input the cmdlet a little differently.
  4. Get-MessageTrackingLog -ResultSize Unlimited -Start “3/28/2015 8:00AM” -End “3/28/2015 5:00PM” – -Sender “”

    The results will bring a list of emails sent from the given sender between a start and end date.

  5. There are various events in Exchange that require a quick glance and you can check them using another cmdlet.
  6. Get-MessageTrackingLog [-Server <ServerIdentity>] [-ResultSize <Integer> | Unlimited] [-Start <DateTime>] [-End <DateTime>] [-EventId <EventId>] [-InternalMessageId <InternalMessageId>] [-MessageId <MessageId>] [-MessageSubject <Subject>] [-Recipients <RecipientAddress1,RecipientAddress2…>] [-Reference <Reference>] [-Sender <SenderAddress>
Practical usage of Message tracking logs

Message tracking logs can play a good part in solving different purposes of a business-

  • Resolving email delivery issues – message monitoring logs can provide you with information about why a message wasn’t delivered, if it arrived late, and more. Especially, it may create several issues like Exchange cannot open mailbox or show some specific errors.
  • Statistics – Every communication that passed via your servers is tracked in message tracking logs. How many messages were processed or who sent the most messages inside the firm are two examples of data that can be obtained relatively easily for analysis.
  • Forensics – Let’s say you don’t have an email backup, and someone deletes an email. Even worse, your rival firm received the email that included private information. Message monitoring logs can help you out in this situation by giving you some useful email-related information.
  • Litigation – similar to the preceding circumstance When a message tracking record is needed as evidence in court, it is frequently employed.


Suppose you are trying to look at the message tracking logs for deleted messages and checking the methods to recover them. In that case, you can also check the retention policies set for your organization. But the manual techniques to recover the deleted messages are not up to the mark. It would help if you used professional software like Kernel for Exchange Recovery software to recover deleted and corrupted items.

The software can completely recover emails, contacts, calendars, notes, and other details. The lost items will be placed in their exact location where they were located before the deletion. Its functional process is adaptive enough to recover deleted mailbox in Exchange 2010 and newer versions alike.

Kernel for Exchange Server