Message Tracking
Of the auditing techniques available in Exchange Server, message tracking is by far the least resource-intensive and will likely be the most commonly used by administrators. Because this feature has proven to be so valuable in previous versions of Exchange Server, Microsoft has enabled it by default in Exchange Server 2010. Previously, message tracking was disabled by default, and had to be enabled on a server-by-server basis.
Administrators can use message tracking logs for message forensics, reporting, and troubleshooting, as well as analyzing mail flow in an organization.
Message tracking records the SMTP transport activity of all messages sent to or from any Exchange Server 2010 Hub Transport, Edge Transport, or mailbox server.
To perform these procedures on a computer with the Hub Transport or mailbox server role installed, administrators must be logged on using an account that is a member of the Exchange Administrators group. The account must also be a member of the local Administrators group on that computer. For a computer with the Edge Transport server role installed, administrators must be logged on using an account that is a member of the local Administrators group on that computer.
Enabling or Disabling Message Tracking
As previously stated, by default, message tracking is enabled on all Exchange Server 2010 computers that deal with message transport. This includes Hub Transport, Edge Transport, and mailbox servers. Message tracking can prove to be extremely useful, and administrators should avoid disabling the feature unless there are overwhelming reasons.
To set or review the message tracking settings on a Hub Transport server, use the following procedure:
1. Open the Exchange Management Console.
2. Expand the Server Configuration folder and select the Hub Transport folder.
3. In the right pane, right-click on the Exchange server to configure and select Properties.
4. Select the Log Settings tab to access the Message tracking log settings.
Message tracking can also be set from the command line. All commands must be run from the Exchange Management Shell. As in other shell commands, the <Identity> argument is replaced by the server name. To enable the feature, use the $true argument; to disable it, use $false.
To enable or disable message tracking on a Hub Transport or Edge Transport server:
Set-TransportServer <Identity> -MessageTrackingLogEnabled:<$true or $false>
To enable or disable message tracking on a mailbox server:
Set-MailboxServer <Identity> -MessageTrackingLogEnabled:<$true or $false>
Sample command: To disable message tracking on a mailbox server named Server1, use the following command:
Set-MailboxServer Server1 -MessageTrackingLogEnabled:$false
Note
If a server has both the Mailbox server role and the Hub Transport server role installed, you can use either the Set-MailboxServer or Set-TransportServer cmdlet.
Changing the Location of Message Tracking Logs
Exchange Server 2010 allows administrators to specify the location of the message tracking logs. The new location becomes effective immediately upon the completion of the command; however, any existing log files are not copied to the new directory. They remain in the old directory.
By default, these files are located in the C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking directory.
When creating a new directory, the following permissions are required:
Administrator: Full Control
System: Full Control
Network Service: Read, Write, and Delete Subfolders and Files
The location can be set on the properties of the Hub Transport or Edge Transport server in the Exchange Management Console using the procedure previously described. To change the default location for these log files from the command line, use the following commands in the Exchange Management Shell.
Change message tracking log file location for a Hub Transport server or an Edge Transport server:
Set-TransportServer <Identity> -MessageTrackingLogPath <LocalFilePath>
Change message tracking log file location for a mailbox server:
Set-MailboxServer <Identity> -MessageTrackingLogPath <LocalFilePath>
Sample command: To change the location of the message tracking log to D:\Message Tracking on an Exchange Server 2010 Hub Transport server named Server1, use the following command:
Set-TransportServer Server1 -MessageTrackingLogPath "D:\Message Tracking"
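The relocation above, carried through with the directory permissions listed earlier, as an added example (not code from the original text). It assumes it is run in the Exchange Management Shell on Server1 itself from an elevated session, and that the "Administrator" entry maps to the local BUILTIN\Administrators group.

```powershell
# Added example. Server1 and D:\Message Tracking are the sample values from the text.
$server = 'Server1'
$path   = 'D:\Message Tracking'

# Remember the current location: existing logs are not copied to the new directory.
$oldPath = (Get-TransportServer $server).MessageTrackingLogPath

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Permissions required on the new directory, as listed in the text.
# Assumption: "Administrator" is granted as the local Administrators group.
$grants = @{
    'BUILTIN\Administrators'       = 'FullControl'
    'NT AUTHORITY\SYSTEM'          = 'FullControl'
    'NT AUTHORITY\NETWORK SERVICE' = 'Read, Write, DeleteSubdirectoriesAndFiles'
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $path
foreach ($identity in $grants.Keys) {
    $rights = [System.Security.AccessControl.FileSystemRights]$grants[$identity]
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
                  $identity, $rights, $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Point message tracking at the new directory only after the ACL is in place.
Set-TransportServer $server -MessageTrackingLogPath $path

# Verify the result and record where the earlier logs still live.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
"Earlier tracking logs remain in: $oldPath"
```

Because the earlier logs stay in the old directory, any search or archive job that reads the files directly needs both paths until the old files are archived or expire.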
Configuring Message Tracking Log File and Log Directory Maximum Size
To prevent log files from growing so large that they deplete all available disk space, Exchange Server 2010 allows administrators to configure maximum log file and directory sizes. This configuration setting is a per-server setting and, by default, the maximum directory size is 250MB, whereas the maximum log file size is 10MB. When the maximum file size is reached, Exchange Server opens a new log file. When the maximum directory size is reached, Exchange Server overwrites the log files, starting with the oldest logs first.
To configure message tracking log directory and file sizes, use the following commands in the Exchange Management Shell. This cannot be done with the Exchange Management Console. Be aware that these commands must be performed for each server you want to modify. The <DirectorySize> and <FileSize> arguments should be entered as a number followed by one of the following:
B (bytes)
KB (kilobytes)
MB (megabytes)
GB (gigabytes)
TB (terabytes)
Change maximum size for message tracking log directory on a Hub Transport or Edge Transport server:
Set-TransportServer <Identity> -MessageTrackingLogMaxDirectorySize <DirectorySize>
Change maximum size for message tracking log directory on a mailbox server:
Set-MailboxServer <Identity> -MessageTrackingLogMaxDirectorySize <DirectorySize>
Change maximum size for individual message tracking log files on a Hub Transport or Edge Transport server:
Set-TransportServer <Identity> -MessageTrackingLogMaxFileSize <FileSize>
Change maximum size for individual message tracking log files on a mailbox server:
Set-MailboxServer <Identity> -MessageTrackingLogMaxFileSize <FileSize>
Sample command: To set the maximum size for the message tracking log directory on a Hub Transport server named Server1 to 500MB, use the following command:
Set-TransportServer Server1 -MessageTrackingLogMaxDirectorySize 500MB
Configuring the Maximum Age for the Message Tracking Logs
In addition to having the ability to configure the maximum file and directory sizes for message tracking logs, administrators can also configure a maximum age for each message tracking log file. The default age is set to 30 days, and any log files that exceed this age are deleted by Exchange Server.
To change the maximum age of message tracking log files, use the following commands in the Exchange Management Shell. This cannot be done with the Exchange Management Console. The <Age> argument is entered in the following format: DD.HH:MM:SS, for Days, Hours, Minutes, Seconds.
Change maximum age for the message tracking log files on a Hub Transport or Edge Transport server:
Set-TransportServer <Identity> -MessageTrackingLogMaxAge <Age>
Change maximum age for the message tracking log files on a mailbox server:
Set-MailboxServer <Identity> -MessageTrackingLogMaxAge <Age>
Sample command: To set the maximum age of the message tracking log files on an Exchange Server 2010 mailbox server named Server1 to 45 days, use the following command:
Set-MailboxServer Server1 -MessageTrackingLogMaxAge 45.00:00:00
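Because the directory size limit overwrites the oldest logs regardless of age, the history actually kept on a server is whichever of the two limits is reached first. The following audit is an added example, not part of the original text; it reports the configured limits next to the age of the oldest log still on disk. The $RequiredRetention value is a hypothetical organisational requirement, and reading the log directory over the administrative share is an assumption about the environment.

```powershell
# Added example; run in the Exchange Management Shell.
# $RequiredRetention is a hypothetical requirement, not an Exchange default.
$RequiredRetention = New-TimeSpan -Days 90

# A server holding both roles is returned by both cmdlets; keep one row per name.
$servers = @(Get-TransportServer) + @(Get-MailboxServer) | Sort-Object Name -Unique

$report = foreach ($s in $servers) {
    # Parse the string form so the comparison also works on deserialized objects.
    $maxAge = [TimeSpan]::Parse($s.MessageTrackingLogMaxAge.ToString())

    # Assumption: the log directory is reachable over the admin share (C: -> C$).
    $oldestDays = $null
    if ($s.MessageTrackingLogPath) {
        $unc = '\\{0}\{1}' -f $s.Name,
            ($s.MessageTrackingLogPath.ToString() -replace '^([A-Za-z]):', '$1$$')
        if (Test-Path -Path $unc) {
            $oldest = Get-ChildItem -Path $unc -Filter '*.log' |
                Sort-Object LastWriteTime | Select-Object -First 1
            if ($oldest) {
                $oldestDays = [int]((Get-Date) - $oldest.LastWriteTime).TotalDays
            }
        }
    }

    $meets = ($s.MessageTrackingLogEnabled -and ($maxAge -ge $RequiredRetention))
    New-Object PSObject -Property @{
        Server           = $s.Name
        TrackingEnabled  = $s.MessageTrackingLogEnabled
        MaxAge           = $maxAge
        MaxDirectorySize = $s.MessageTrackingLogMaxDirectorySize.ToString()
        OldestLogDays    = $oldestDays
        MeetsRetention   = $meets
    }
}

$report | Sort-Object Server |
    Format-Table Server, TrackingEnabled, MaxAge, MaxDirectorySize, OldestLogDays, MeetsRetention -AutoSize
```

A server whose OldestLogDays sits well below its MaxAge is a candidate for a larger MessageTrackingLogMaxDirectorySize, since the size limit may be discarding logs before the age limit applies; a recently enabled feature or a recently changed log path produces the same reading.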