Tracking down messages is part of every Exchange Server administrator's job. With the advent of the Sarbanes-Oxley (SOX) Act, the ability to find lost messages has taken on even more importance. Exchange Server offers message-tracking capabilities, but to get the most out of them, you need to know how they work.
How Exchange Uses Tracking Logs
Exchange uses tracking-log data to follow the path of messages within an Exchange organization. You can follow this process via the Message Tracking Center, which is now available through the Exchange System Manager (ESM) console's Tools menu. Exchange records every step in a message's path—from submission through the Exchange routing engine to final delivery to an external gateway or local mailbox—as events in the log. Different events record each processing step—for example, event 1027 indicates that a client has submitted a message to the Information Store—and each message has a unique message identifier that lets you select all the recorded events for a specific message. (Events for a message aren't grouped together in the log because Exchange writes events as messages pass through the different components of the routing and delivery systems. Thus, the events for any message can be interwoven with events relating to other messages.) The Microsoft article "Tracking Log Event Numbers for Exchange Server 2003" (http://support.microsoft.com/?kbid=822930) provides a list of the events that Exchange logs as messages pass through the routing system.
Figure 1 shows the Message Tracking Center in action. If you click one of the found messages, Exchange scans the tracking logs to discover the exact path of the message and reports that path, as Figure 2 shows. Each step corresponds to one event in a tracking log. Exchange can perform searches across a range of servers to provide an end-to-end picture of a message's path through your organization. Tracking finishes as soon as a message is delivered to a destination mailbox or to an external gateway for transmission to another messaging system.
How to Enable Message Tracking
When you set an Exchange Server 2003 or Exchange 2000 Server system's properties to Enable message tracking, as Figure 3 shows, Exchange will create a new log each night at midnight GMT. This log resides in the log-file directory, which by default is named \xxx.log (where xxx is the name of the server) under the directory that holds the Exchange program files. For example, you might end up with a directory called server1.log; inside the directory, you'll have a set of tracking logs, each named after the date it was created (e.g., 20051010.log). You can control the settings for message-tracking logs by means of a system policy that you apply to every server in the organization. Ensuring that every server in your organization applies the same message-tracking log policy guarantees that you can track a message across the entire organization without encountering a black hole because someone disabled message tracking on a server that the message passed through.
A separate check box (Enable subject logging and display) in the Properties dialog box controls whether Exchange writes information about message subjects into the tracking log. Your company might decide not to gather this data to preserve employee privacy, because conversation threads can sometimes be reconstructed by examining message subjects together with sender and recipient data. European companies tend to be more sensitive in this respect than companies in other locations.
By default, Exchange retains tracking logs for 10 days. The System Attendant process automatically removes older logs during Exchange's nightly background-maintenance operations.
Reviewing Log Data
Exchange generates message-tracking logs in World Wide Web Consortium (W3C) format (just like Microsoft IIS logs). The Microsoft article "XADM: Message Tracking Logs Field Descriptions in Exchange 2000 Server" (http://support.microsoft.com/?kbid=246965) provides a detailed list of the fields in these logs. You can open the logs by using a text editor such as Notepad or WordPad, but using Microsoft Excel makes it easier to follow the structure of the data and the progression of events as Exchange processes messages. W3C format files use the tab character as a field delimiter, and Excel does a good job of displaying the data in an accessible format. You'll see the same data that the Message Tracking Center uses to display information about messages, but I find it easier to follow exactly what has happened to a message on a server by analyzing the logs in Excel.
Review the data in message-tracking logs from time to time. Apart from seeing the flow of messages, you can gauge which domains are sending messages to your servers and perhaps detect whether any users are receiving messages from a domain that might not be appropriate. If many messages from such domains show up in the logs, it's a good bet that gaps exist in your antispam defenses. Of course, finding the time to conduct reviews of message-tracking data can be difficult. That's where utilities such as LogParser come in handy. See "Need to Know More?" for more message-tracking resources.
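The two review tasks above (pulling every event for one message ID out of a log where messages interleave, and gauging which domains are sending to your servers) can be scripted against the W3C format. The following Python is an added example, not code from the article or from Microsoft; the log lines, addresses and message IDs are constructed, and the field list is taken from the KB 246965 layout but the parser reads the real layout from each log's own `#Fields:` line.

```python
from collections import Counter
# Tracking-log field layout per KB 246965. The parser below reads the layout
# from the log's own #Fields: line, so a differently ordered log still works.
FIELDS = ["date", "time", "client-ip", "Client-hostname", "Partner-Name",
          "Server-hostname", "server-IP", "Recipient-Address", "Event-ID",
          "MSGID", "Priority", "Recipient-Report-Status", "total-bytes",
          "Number-Recipients", "Origination-Time", "Encryption",
          "service-Version", "Linked-MSGID", "Message-Subject",
          "Sender-Address"]
def _row(time, rcpt, event, msgid, sender, subject="-"):
    """Build one constructed data line; unused fields get the W3C '-' marker."""
    values = dict.fromkeys(FIELDS, "-")
    values.update({"date": "2005-10-10", "time": time, "Recipient-Address": rcpt,
                   "Event-ID": event, "MSGID": msgid, "Sender-Address": sender,
                   "Message-Subject": subject})
    return "\t".join(values[f] for f in FIELDS)

# Constructed sample: two messages whose events interleave, as in real logs.
A, B = "<A1@ex1.example.com>", "<B2@ex1.example.com>"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Exchange Server", "#Version: 6.0",
    "#Date: 2005-10-10 00:00:00", "#Fields: " + "\t".join(FIELDS),
    _row("09:01:02", "bob@example.com", "1027", A, "alice@example.com", "Q3 numbers"),
    _row("09:01:02", "bob@example.com", "1025", A, "alice@example.com"),
    _row("09:01:03", "carol@example.com", "1027", B, "dave@mail.example.net"),
    _row("09:01:03", "bob@example.com", "1033", A, "alice@example.com"),
    _row("09:01:04", "bob@example.com", "1028", A, "alice@example.com"),
    _row("09:02:10", "carol@example.com", "1033", B, "dave@mail.example.net"),
])
def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # tab- or space-separated
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))  # data lines are tab-delimited

def events_for_message(records, msgid):
    """Event IDs for one MSGID in log order: the message's path on this server."""
    return [r["Event-ID"] for r in records if r["MSGID"] == msgid]

def sender_domain_counts(records):
    """Messages per sender domain (counted once per MSGID, not per event)."""
    domain_by_msg = {}
    for r in records:
        if r["Sender-Address"] != "-":
            domain = r["Sender-Address"].rsplit("@", 1)[-1].lower()
            domain_by_msg.setdefault(r["MSGID"], domain)
    return Counter(domain_by_msg.values())
```

Point `parse_w3c` at the contents of a real yyyymmdd.log file and the same two functions give you the per-message path the Message Tracking Center shows and a per-domain sender tally to compare against your antispam expectations.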