Restore old Message tracking logs

  • Question

  • I need to search through old message tracking logs for some correspondence between email addresses. I’ve restored the necessary logs from the period required as they were no longer available on the hub transport servers. How do I replay these logs so that Exchange Message Tracking can inspect them and display the necessary logs? If I just add them to the current message tracking directory, would they just be removed as they are older logs? I’m just trying to find out the cleanest and easiest way of restoring/viewing these. Thanks in advance. Exchange 2007
    Wednesday, November 25, 2015 10:37 AM

All replies

  • To be safe, you should extend the amount of time you keep the logs (e.g. 30 days shown below).

    Set-TransportServer -Identity SERVERNAME -MessageTrackingLogMaxAge 30

    https://technet.microsoft.com/en-us/library/bb676561(v=exchg.80).aspx

    I believe if the logs are present, they'll be searched if needed.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, November 25, 2015 11:40 PM
    Moderator
  • Hi,

    Great advice from Ed.

    During my research, Exchange Server has two ways to defrag a mailbox database: online defragmentation, and offline defragmentation by using the ESE utility (ESEUTIL).

    Online defragmentation performs daily maintenance at a time when there is little activity on the databases.  We can modify the schedule for each mailbox database. The default setting is 2:00 AM every day. More details about online defragmentation, for your reference: https://technet.microsoft.com/en-us/library/bb123760(v=exchg.80).aspx


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Thursday, November 26, 2015 9:43 AM
    Moderator
  • Allen, I think you misunderstand the question.  You are speaking to the mailbox database, not the message tracking logs.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, November 26, 2015 9:48 AM
    Moderator
  • Hi,

    Thank you for your correction.

    I cannot find a clear description in the Microsoft documentation; however, the process that cleans up expired message tracking logs cannot be run in real time, for server load design reasons.

    Thanks again.


    Allen Wang
    TechNet Community Support

    Thursday, November 26, 2015 10:04 AM
    Moderator
  • That's not the question either, Allen.  I think I've answered what he's asking for.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, November 26, 2015 10:13 AM
    Moderator
  • Thanks Ed!
    Thursday, November 26, 2015 2:30 PM
  • Please feel free to mark posts as the answer and/or helpful as appropriate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, November 27, 2015 8:10 AM
    Moderator
  • Hi Ed,

    I just tried the above but it still won't retrieve the results I want. I set the max age to 365 and copied a couple of log files from Feb and June but no results. Is there something else I need to configure?

    Thanks in advance.


    Friday, November 27, 2015 10:09 AM
  • Just put the logs in the log path, and try to search using the command below.

    Get-MessageTrackingLog -Sender abc@domain.com -MessageSubject "again" -Start "12/01/2013 12:00:00 AM" -End "12/02/2013 11:59:00 PM" | Export-Csv "C:\Temp\outfile.csv"

    You can also open the file as text and search for the sender or other attributes.


    Please mark as an answer if this answers your question.

    PREM RANA

    MCSE Exchange 2013, MCSA 2012 Server MCTS Exchange 2007,

    2010, MCITP Exchange 2007, 2010 MCSE 2003 Server,

    MCSA Exchange 2003 ITIL V3 Foundation

    https://ranaprem.wordpress.com/

    This posting is provided AS IS with no warranties and confers no rights.

    Friday, November 27, 2015 1:58 PM
  • Hi Prem, the command still didn't retrieve any results. Is transport service restart required?

    Also, I have month's worth of log files so lots and lots of text files so searching them all isn't really an option, but thanks for the advice.

    Monday, November 30, 2015 4:05 PM
  • Also increase the log retention for transport logs.

    PREM RANA

    Monday, November 30, 2015 4:44 PM
  • You could try using the Log Parser tool instead.

    http://www.microsoft.com/en-us/download/details.aspx?id=24659


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by shoc86 Monday, January 11, 2016 4:22 PM
    Tuesday, December 1, 2015 12:40 AM
    Moderator
  • I finally got around to using Log Parser tool so thanks for that. However it can only output 10 elements which I guess is the default. How can I set this to unlimited for my search query? Looking for the ps equivalent of -resultsize unlimited
    Friday, January 8, 2016 2:48 PM
  • Got it - use -rtp:-1 at the end.
    • Marked as answer by shoc86 Thursday, April 28, 2016 8:02 PM
    Monday, January 11, 2016 9:30 AM
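
An added example, not part of any reply in this thread: a PowerShell function that searches restored tracking log files where they sit, without copying them into the live log path, and returns every row where one address wrote to the other. It assumes each file carries a `#Fields:` header line and the `date-time`, `event-id`, `sender-address`, `recipient-address` and `message-subject` columns; the function name, folder, addresses and sample log lines are constructed for illustration.

```powershell
# Added example (not from the thread): search restored message tracking logs offline.
function Search-RestoredTrackingLog {
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # folder with the restored *.log files
        [Parameter(Mandatory = $true)][string]$AddressA,
        [Parameter(Mandatory = $true)][string]$AddressB
    )
    foreach ($file in Get-ChildItem -Path $Path -Filter '*.log') {
        $lines = Get-Content -Path $file.FullName
        # Column names are read from the file's own "#Fields:" header line.
        $fieldLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        if (-not $fieldLine) { Write-Warning "No #Fields header in $($file.Name); skipped"; continue }
        $header = ($fieldLine -replace '^#Fields:\s*', '').Split(',')
        # Drop the remaining "#" header lines and blank lines before parsing.
        $rows = @($lines | Where-Object { $_ -and $_ -notlike '#*' })
        if ($rows.Count -eq 0) { continue }
        $rows | ConvertFrom-Csv -Header $header | Where-Object {
            $from = $_.'sender-address'
            $to   = @($_.'recipient-address' -split ';')   # multiple recipients are ';'-separated
            (($from -eq $AddressA) -and ($to -contains $AddressB)) -or
            (($from -eq $AddressB) -and ($to -contains $AddressA))
        } | Select-Object 'date-time', 'event-id', 'sender-address', 'recipient-address',
                          'message-subject', @{ Name = 'LogFile'; Expression = { $file.Name } }
    }
}

# Constructed sample log with an abbreviated field list (real files carry more columns).
$dir = Join-Path $env:TEMP 'RestoredTrackingLogs'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@(
    '#Software: Microsoft Exchange Server',
    '#Log-type: Message Tracking Log',
    '#Fields: date-time,event-id,recipient-address,message-subject,sender-address',
    '2015-02-03T09:15:02.100Z,RECEIVE,bob@example.com;carol@example.com,"Quote, revised",alice@example.com',
    '2015-02-03T09:40:11.512Z,DELIVER,alice@example.com,RE: Quote,bob@example.com',
    '2015-02-03T10:02:45.007Z,RECEIVE,carol@example.com,Lunch,dave@example.com'
) | Set-Content -Path (Join-Path $dir 'MSGTRK20150203-1.log')

# Both directions of the conversation are matched; results go to a CSV for review.
Search-RestoredTrackingLog -Path $dir -AddressA 'alice@example.com' -AddressB 'bob@example.com' |
    Export-Csv -Path (Join-Path $dir 'hits.csv') -NoTypeInformation
```

Address comparison is case-insensitive, and the `LogFile` column records which restored file each hit came from, which helps when the results have to be traced back to the original evidence.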