WizBang Exchange Message Tracker 2.0

UPDATE: Version 2.1 is available. For details, click here.

The Exchange tracking logs provide a wealth of information about mail flow through your organization. Unfortunately, the tools that ship with Exchange aren’t very good at leveraging this information in a useful way. You can use the message tracking tool that ships with EMC to search for specific logs, but beyond viewing the raw log data, there isn’t much information available. Fortunately, Microsoft has provided us with PowerShell, and PowerShell can be used in all sorts of interesting ways to gather, aggregate and present data in useful summaries and reports.

One of the great things about PowerShell and the IT community is that there are plenty of people who have built PowerShell scripts to solve problems, automate or streamline tasks, and gather and present data. Most people are more than happy to share their scripts with anyone who would like to use them. Those scripts are then sometimes improved or built upon by someone else. I was recently searching for a way to analyze message tracking logs and I came across this blog post. Glen Scales built a PowerShell script that uses a Windows form GUI to gather Exchange message tracking logs and present a summary of mail flow statistics, including graphs and charts that are built with the Google Charts API. Glen called his script “WizBang 2007 Message Tracker”. While I really like Glen’s script, I decided to make some changes and improvements to better suit the information I needed to get out of the script. Thus “WizBang Exchange Message Tracker 2.0” was born.

Overview

This script uses Windows forms to accept input and display output. There are five tabs on the form (explained in detail below). The user selects query settings for the search on the first tab. Once the search has been completed, the summary results are displayed on the dashboard tab. The email summaries tab shows a summary of email statistics for each internal recipient. Message tracking logs for a specific user can also be displayed on this tab. The tracking data tab shows raw tracking logs for the period of the search. The final tab is used to find and display individual messages using the EWS service.

Changes in Version 2.0

  • Changed Server Name drop-down list
    • Limited server list to Exchange 2007/2010 Hub Transport, Mailbox, and Edge Transport roles (Previously contained all Exchange servers in org, even legacy)
    • Added “All” to server list to enable searching all servers
  • Added quick date range options for Last Hour, Today, Previous 24 hours, and Previous 7 days (Previously only option was to manually pick starting and end time)
  • Added filter options to match default Exchange Message Tracker
  • Added check box to determine if raw data should be displayed (Raw data collection is system resource intensive)
  • Changed graphs and charts
    • Changed graph from vertical to horizontal
    • Changed graph to display internal, sent to external, and received from external (Previously just sent and received)
    • Changed graph to display data for full time of search query (Was previously last 6 hours max)
      • When time frame is less than 31 minutes, data is graphed in minute increments
      • When time frame is between 31 minutes and 8 hours, data is graphed in 15 minute increments
      • When time frame is between 9 and 24 hours, data is graphed in hourly increments
      • When time frame is greater than 24 hours, data is graphed in daily increments
    • Consolidated pie charts into one, which now displays totals for internal, sent to external, and received from external for total time frame
  • Broke out top senders/receivers report into four separate reports: top internal sender, top internal receiver, top external sender, top external receiver, which covers search time frame (Previously consolidated into one report that covered previous hour)
  • On Organizational Totals report, consolidated total internal received and total internal sent into just total internal as these two values are always equal
  • Excluded message journaling messages from reports (except raw data)
  • Raw tracking data now includes all events; not just SENT and RECEIVED

Prerequisites

To run this script, you need to have the Exchange 2007 or Exchange 2010 management tools installed.

To use the message find functionality, you need to have EWSUtil.dll in C:\temp. You can get the file here.

Query Settings Tab

Server Name

Message tracking logs are stored on Exchange servers with the Mailbox, Hub Transport, and Edge Transport roles. The server name drop-down is automatically populated with servers in your organization that hold those roles. You can select an individual server to search against, or you can search against all servers. Being able to search all servers is a major advantage over the message tracking feature in the Exchange tools, which is only able to search one server at a time.

Date Range

The date range to search tracking logs can be selected here. There are quick selection options for last hour, today, previous 24 hours, and previous 7 days. Additionally, custom date ranges can be selected.

Filter Criteria

Tracking logs can be filtered based on the same criteria used in the message tracking log searcher built into the Exchange tools. For example, logs can be filtered to look for a specific sender, recipient, or message subject. This is helpful if you are trying to find information on a specific sender, recipient, or message.

Presentation Options

This option allows the user to choose whether or not to show raw tracking data. This option should only be selected for narrow searches, as displaying large amounts of raw tracking data is system memory intensive.

Dashboard Tab

The dashboard tab displays a summary of message tracking log data, based on the search criteria. A graph of mail flow is displayed at the top of the window. Below the graph, there are four tables which show the top 5 internal recipients, internal senders, external recipients, and external senders. A table also shows the organizational totals broken down by internal email, received from external, and sent to external email. This table is accompanied by a pie chart.

Email Summaries Tab

This tab displays a summary of the number and size of emails sent and received by individual internal users in the top table. A user can be highlighted and the “Get Messages” button pressed to display all the tracking logs related to that user in the bottom table. If the option to show raw tracking data was selected on the query settings tab and an individual cell is highlighted in the bottom table, the “Show Message” button can be pressed to populate fields on the Message Find tab. Both tables can be exported to CSV files by pressing the appropriate export button.

Tracking Data Raw Tab

If the option to show raw tracking data was selected on the query settings tab, this tab displays the full raw message tracking data. This data is filtered based on the settings on the Query Settings tab.

Message Find Tab

You can use the Message Find tab to search a mailbox for a specific message, if you have the message ID. This will display the To, From, Subject, and body of the message. You can also download any attachments and view the message headers.

Note: There is an issue when Outlook users are in cached mode, as described in this KB article. You won’t be able to find messages in the user’s sent items folder if they are in cached mode.

DOWNLOAD SCRIPT (Change extension from to ps1)

  1. Nick Kessler
    October 31, 2012 at 10:24 pm

    Jaime,
    Wondering if you can guide a newb with your script… My goal is to find the # of messages sent and # of messages received for specific users in our organization. Running Exchange 2010 I’ve downloaded your script and placed it in the c:/temp along with the EWSUtil.dll and Class1.cs I’ve verified I have Exchange Management tools installed. I verified Exchange message logs is set to 30 days. Users are NOT in cached exchange mode. But do have 3 different databases mailboxes are stored, but all within one organization on one server…

    I’m just not sure what to do next or if I have saved everything to the proper location. If not too much trouble to ask, can you tell me:
    1) If I have saved everything to the right location
    2) How/Where to go to initiate the script, including the command please
    3) What options I might need to select to get the data needed…

    Thank you very much for your time and effort, much appreciated… Having only one production exchange server makes running these tough w/o detailed instructions.

    Cheers,
    Nick

  2. November 1, 2012 at 1:10 am

    Hello Nick,

    The only location requirement is that EWSUtil.dll be in the C:\temp directory. You can put the script wherever you want. To run the script, launch the Exchange Management Shell and navigate to the directory where you placed the script. You would then type .\wbmsgtrack.ps1 and hit enter.

    To get the data you want, select in the servers drop-down, select the data range you want to search on and leave the rest of the boxes unchecked. Once the search is finished, go to the Email Summaries tab and you will see the total number of sent and received emails for each of your users.

    Let me know if you need any further assistance.

    Jamie

  3. Nick Kessler
    November 1, 2012 at 6:00 pm

    I tried to run the script but saying not digitally signed, researching how to do now, reply if available now, or I will post results… Thanks!

  4. Nick Kessler
    November 1, 2012 at 6:05 pm

    Unblocked the script, running now… Will post comment when see data… Thanks again for your assistance!!!

    • June 28, 2013 at 6:15 pm

      how do you unblock the script

      • July 4, 2013 at 4:34 pm

        You need to run set-executionpolicy unrestricted

        Jamie
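
A narrower way to get a downloaded, unsigned script such as this one running than a machine-wide Unrestricted policy, shown as an added example (it is not from the comments above or from the script's author). It assumes PowerShell 3.0 or later and that the script was saved as C:\temp\wbmsgtrack.ps1; Get-ScriptTrustInfo is a hypothetical helper name.

```powershell
# Added example. Assumes PowerShell 3.0+ (needed for -Stream and Unblock-File).
# $ScriptPath is an assumed location; use wherever you saved the download.
$ScriptPath = 'C:\temp\wbmsgtrack.ps1'

function Get-ScriptTrustInfo {
    # Hypothetical helper: reports why PowerShell may refuse to run a script file.
    param([Parameter(Mandatory = $true)][string]$Path)

    # Files saved from a browser carry a Zone.Identifier alternate data stream
    # (ZoneId=3 means "Internet"); RemoteSigned refuses those unless signed.
    $zoneId = $null
    try {
        $mark = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        $mark = @()   # no stream: the file is treated as local
    }
    foreach ($line in $mark) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    [pscustomobject]@{
        Path            = $Path
        ZoneId          = $zoneId
        SignatureStatus = (Get-AuthenticodeSignature -FilePath $Path).Status
        EffectivePolicy = Get-ExecutionPolicy
    }
}

if (Test-Path -LiteralPath $ScriptPath) {
    # 1. See what is blocking the script and which scope sets the policy.
    $info = Get-ScriptTrustInfo -Path $ScriptPath
    $info | Format-List
    Get-ExecutionPolicy -List | Format-Table -AutoSize

    # 2. Read the script before trusting it; it is unsigned code from the web.
    #    notepad $ScriptPath

    # 3. Remove the download mark from this one file only.
    if ($info.ZoneId -ge 3) { Unblock-File -LiteralPath $ScriptPath }

    # 4. Relax the policy for this shell session only. Nothing is written to
    #    the registry, and the setting is gone when the window closes.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

    # 5. Run it from the same Exchange Management Shell session:
    #    & $ScriptPath
}
```

If a Group Policy scope (MachinePolicy or UserPolicy) is set in the -List output, it takes precedence over the Process scope.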

  5. Nick Kessler
    November 1, 2012 at 8:50 pm

    Lovely… Cheers and many thanks!!!

  6. umar
    December 13, 2012 at 12:08 pm

    wow wow wow wow Amazing tool.. Saved me hours of work.

    Thanks For this brilliant tool

  7. Paul
    February 1, 2013 at 9:53 pm

    Link is broken

  8. Martyn Butler
    April 9, 2013 at 10:10 am

    This is amazing!! How do we get the message and headers, when i click search mailbox and get message its just empty – only the message id is showing with the email address

    Martyn

    • April 30, 2013 at 12:51 pm

      Hello Martyn,

      Have you placed EWSUtil.dll in C:\temp?

      Jamie

  9. Pravarun
    April 30, 2013 at 6:07 am

    Have multiple HUB servers and journaling servers. To save time, is it possible to select multiple HUB servers only with drop-down.

    • April 30, 2013 at 1:05 pm

      Hello Pravarun,

      At this time, the only option is to select one server or select all servers. I will consider the option to select multiple servers in a future release.

      Jamie

  10. Bruno Carlos Gomes
    July 3, 2013 at 5:42 pm

    Hello Pravarun,

    I’m running on edge server, but the server is not listed, only the transport hub. How to run the Edge?

    But congratulations on the great job!!

    • July 4, 2013 at 4:33 pm

      Hello,

      I will fix this in the next update.

      Jamie

  11. Jared
    July 10, 2013 at 9:25 am

    Hi
    When Clicking the “get logs” no data is displayed on the dashboard tab and the following error is displayed in the powershell console. Any help would be appreciated

    Attempted to divide by zero.
    At E:\Program Files\Microsoft\Exchange Server\Scripts\wbmsgtrack.ps1:855 char:55
    + $InternalNumRec = ($intTotalNumberrcvd.ToString() / <<<< $TotalMail) * 100
    + CategoryInfo : NotSpecified: (:) [], RuntimeException
    + FullyQualifiedErrorId : RuntimeException

    Attempted to divide by zero.
    At E:\Program Files\Microsoft\Exchange Server\Scripts\wbmsgtrack.ps1:856 char:51
    + $ExtNumSent = ($extTotalNumberSent.ToString() / <<<< $TotalMail) * 100
    + CategoryInfo : NotSpecified: (:) [], RuntimeException
    + FullyQualifiedErrorId : RuntimeException

    Attempted to divide by zero.
    At E:\Program Files\Microsoft\Exchange Server\Scripts\wbmsgtrack.ps1:857 char:50
    + $ExtNumRec = ($extTotalNumberrcvd.ToString() / <<<< $TotalMail) * 100
    + CategoryInfo : NotSpecified: (:) [], RuntimeException
    + FullyQualifiedErrorId : RuntimeException

    • July 11, 2013 at 5:42 pm

      Hello,

      This usually indicates no data was returned. Do you have tracking logs turned on?

      Jamie

  12. Richard
    August 2, 2013 at 9:07 pm

    Great job Jamie… impressive! Thanks for sharing your work!

    I’m in the same boat as previous posts. I get no results in the GUI and in the PowerShell console get the divide by zero error. We’re also using an Edge server in our DMZ. I’m wondering if that’s why we’re not getting any data? Only our HT and MBx server shows in the server name pick list.

    Curious, when I run “Get-MessageTrackingLog -Start (Get-Date).AddHours(-1)” on our MBx server (Exchange 2007) I get output. Not sure if that’s because the MBx server is pulling data from the Edge? We’ve got ports restricted between clients (PC where I’m running your script) and our HT and Edge servers. Perhaps your script is using ports which we’ve not got open?

    I’m reluctant at this point to run your script on our MBx (or Edge) server. Is this advisable? Or do I simply need to be patient and wait until you come out with your next version as per your update on 20130704 ?

    thanks in advance!
    …Richard

    PS – The reason for my search when I found your posting was to be able to exactly get the type of output your script provides for quick reports to management and simply getting a better pulse on our Exchange environment. Ultimately however, I am researching towards finding/creating a script which will tally the total emails sent in the past hour by user and then automatically disable(or change the password) for any account which has sent more than 1000 emails (at 1000 I’ll assume that the mailbox credentials have been compromised and being used for spam). I’d then run this script every hour using Windows task scheduler. Regrettably too often we get one user or another who gets roped into some phishing scam to harvest their AD credentials regardless of how hard we try to educate them.
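
The hourly per-sender tally described in the comment above, as an added example that is not part of the original thread or of the WizBang script. Get-HighVolumeSender and its parameters are hypothetical names; treating RECEIVE events with Source STOREDRIVER as mailbox submissions is an assumption to check against your own tracking logs, and the sample records are constructed so the block runs without an Exchange server. It reports accounts only and leaves the decision to disable one to the operator.

```powershell
function Get-HighVolumeSender {
    # Hypothetical helper: tallies submitted messages per sender from
    # message tracking records and returns senders above a threshold.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Record,
        [int]$Threshold = 1000,           # "more than 1000 emails" per run
        [string]$Source = 'STOREDRIVER'   # assumption: mailbox submissions
    )
    begin {
        $seen  = @{}   # sender|MessageId pairs already counted
        $tally = @{}   # sender -> running totals
    }
    process {
        if ($Record.EventId -ne 'RECEIVE' -or $Record.Source -ne $Source) { return }
        if (-not $Record.Sender) { return }

        $addr = $Record.Sender.ToLowerInvariant()
        $key  = '{0}|{1}' -f $addr, $Record.MessageId
        if ($seen.ContainsKey($key)) { return }   # same message seen on another server
        $seen[$key] = $true

        if (-not $tally.ContainsKey($addr)) {
            $tally[$addr] = [pscustomobject]@{ Sender = $addr; Messages = 0; Recipients = 0 }
        }
        $tally[$addr].Messages++
        $tally[$addr].Recipients += [int]$Record.RecipientCount
    }
    end {
        $tally.Values |
            Where-Object { $_.Messages -gt $Threshold } |
            Sort-Object Messages -Descending
    }
}

# Constructed sample records (not real log data): one noisy sender, one normal.
$sample = @()
$sample += 1..1001 | ForEach-Object {
    [pscustomobject]@{ EventId = 'RECEIVE'; Source = 'STOREDRIVER'
        Sender = 'user.a@example.com'; RecipientCount = 50
        MessageId = ('<a{0}@example.com>' -f $_) }
}
$sample += 1..12 | ForEach-Object {
    [pscustomobject]@{ EventId = 'RECEIVE'; Source = 'STOREDRIVER'
        Sender = 'user.b@example.com'; RecipientCount = 1
        MessageId = ('<b{0}@example.com>' -f $_) }
}
$sample | Get-HighVolumeSender -Threshold 1000 | Format-Table -AutoSize

# Against live logs, from the Exchange Management Shell:
# Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -EventId RECEIVE -ResultSize Unlimited |
#     Get-HighVolumeSender -Threshold 1000
```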

  13. Pravarun
    September 24, 2013 at 11:35 am

    There are several email domains apart from authoritative domain. How do I pull out the complete statistics in this case? Appreciate your thought

    • September 24, 2013 at 5:28 pm

      Hello,

      Do you mean “authoritative” or “primary”? The script will pull any domain for which your server is authoritative. If you have relay domains, the script will count those as external. Those emails will still appear in the reports, they just won’t be counted as internal email.

      -Jamie

  14. cyw77
    November 21, 2013 at 12:40 am

    This is top programming. Microsoft should just buy this from you and replace with their Message Tracking Explorer. Their message tracking is such a let down. I prefer the old Exchange 2003 Message Tracking tool.
    Anyway, the tool ran fine but it just can’t display the Google Charts and Graphs. I know the problem is because we are behind a proxy as when I export to html, I can see the graph from my browser as I have proxy configure on my browser.
    So my question is how to make your Powershell Forms proxy aware?

    • November 23, 2013 at 9:13 pm

      Thanks for the compliment. As I stated in the description, this tool isn’t my original work; I just expanded upon the work of someone else.

      I’m not sure how to address your proxy issue. I’ll look into it and see if I can come up with a solution.

      -Jamie

      • cyw77
        November 27, 2013 at 12:25 am

        Thanks for looking into it. It will be good if the forms can allow input or grab the settings from my IE settings.

  15. cheryl
    January 23, 2014 at 1:26 pm

    I don’t get any results for External Received Mail. Any ideas? other than that this is awesome!

    • January 24, 2014 at 1:27 pm

      Hi Cheryl,

      Are you using the latest version (2.1)? Do you see any errors in the powershell window?

      -Jamie

  16. Melanie
    January 30, 2014 at 5:53 am

    Hi,

    This tool is really awesome!!!
    Just a quick question, I see previous people have asked, but I don’t see a definitive answer. I am getting results for received with eventid receive, but not getting results for sender with eventid send or deliver, would there be a reason for this? I have the latest version of 2.1.

    • January 30, 2014 at 8:11 pm

      Hi Melanie,

      Are you selecting “All” from the server drop-down or a specific server? Do you see any errors in the powershell window?

      -Jamie

  17. svuksano
    February 4, 2014 at 9:30 pm

    Hi

    I have migrated from Exchange 2007 to Exchange 2013 and I removed Exchange 2007. How can I open message tracking logs from Exchange 2007 I have backup from Exchange 2007 hub servers?

    S

    • February 7, 2014 at 5:08 pm

      Hello,

      Unfortunately, the original server would need to be functional in order to use the tracking logs.

      -Jamie

  18. Dean Clark
    February 12, 2014 at 10:47 am

    Hi, I’ve just come across this script which looks great, but when I run it I get the ‘Attempted to divide by zero’ error on lines 855, 856, 857.

    Any suggestions please?

    Thanks

  19. February 25, 2014 at 9:29 pm

    After I initially left a comment I appear to have clicked on the -Notify me when new comments are added- checkbox
    and from now on every time a comment is added I receive 4 emails with the exact same comment.
    Is there a means you are able to remove me from that service?

    Kudos!

  20. James Heathcote
    March 27, 2014 at 12:04 am

    Great script! Any chance of being able to look in the deleted folder/soft delete or dumpster I think it’s called on the Message Find tab?

  21. James Heathcote
    March 27, 2014 at 12:49 am

    James Heathcote :
    Great script! Any chance of being able to look in the deleted folder/soft delete or dumpster I think it’s called on the Message Find tab?

    Scrap that – user error! On another note, are you able to expose the EWS API messageid in the tracking logs as this differs from the Exchange Message ID and Internet Message ID. Thanks again!

    • March 27, 2014 at 7:09 pm

      Hello,

      The EWS API messageid is not stored in the tracking logs so you would need to make a call to EWS for each message to get that, which would be resource intensive.

      -Jamie

  22. April 2, 2014 at 7:33 am

    Hello. Great script, thanks for your work. Is there any way to automate the mail flow statistics tab result to send mail to administrators in HTML format?

    • April 17, 2014 at 7:01 pm

      Hi,

      I will consider adding this functionality in the next version.

      -Jamie
