Tracking Log

Maintenance and Troubleshooting	<<	>>

Tracking Log

The tracking log is stored in Exchsrvr\tracking.log. Each day, a new log is created that records one day's activities on the server. Each daily log is named by the date on which it was created, in yyyymmdd.log format. The file name date, like all time in the tracking log, is in UTC.

The log can be displayed in any text editor, imported into spreadsheets such as Microsoft Excel, or used as input data to custom applications.

Activities recorded in the tracking log often include a message ID, which is a unique message identifier. By searching the tracking log for the message ID, you can follow the message as it is handled and transported within the site.

The Microsoft Exchange Server Administrator program includes an automated message tracking process. The Track Message command traces messages through all existing logs in the network. You can use this process instead of attempting a manual search of the logs.

Interpreting Tracking Log Fields

The following table describes the tab-separated columns in the tracking logs.

Field # Field Name Description

1 Message ID or MTS-ID Message ID is a unique identifier assigned to the message by Microsoft Exchange Server. It stays with the message from its origination to delivery or transfer from the network.
Messages from foreign systems include a message transfer system-ID (MTS-ID) that uniquely identifies the component that transported the message.

2 Event # Represents the event type. For event details, see "Interpreting Events" later in this chapter.

3 Date/Time Date and time of the event UTC.

4 Gateway name Name of the gateway or connector that generated the event. If no gateway was involved, the field is blank.

5 Partner name Name of the messaging service associated with the event. In Microsoft Exchange Server, the partner is the MTA or the information store.

6 Remote ID Message ID used by the gateway.

7 Originator Distinguished name of the originating mailbox, if known.

8 Priority Priority set by the sender.
0 = Normal

1= High

-1 = Low

9 Length Message length in bytes.

10 Seconds Transport time in seconds.
Not used by Microsoft Exchange Server. The value in this field is 0 or blank.

11 Cost Cost per second for message transfer.
Not used by Microsoft Exchange Server. The value in this field is always 1.

12 Recipients Number of recipients.

13 Recipient name Distinguished name of the recipient of the message or a proxy address.
This field is separated from the previous field by a line feed. This field is repeated for each recipient.

14 Recipient report status A number representing the result of an attempt to deliver a report to the recipient.
Delivered = 0

Not delivered = 1

This is used only for reports. On other events, it is blank. This field is repeated for each recipient.

Field #	Field Name	Description
1	Message ID or MTS-ID	Message ID is a unique identifier assigned to the message by Microsoft Exchange Server. It stays with the message from its origination to delivery or transfer from the network. Messages from foreign systems include a message transfer system-ID (MTS-ID) that uniquely identifies the component that transported the message.
2	Event #	Represents the event type. For event details, see "Interpreting Events" later in this chapter.
3	Date/Time	Date and time of the event UTC.
4	Gateway name	Name of the gateway or connector that generated the event. If no gateway was involved, the field is blank.
5	Partner name	Name of the messaging service associated with the event. In Microsoft Exchange Server, the partner is the MTA or the information store.
6	Remote ID	Message ID used by the gateway.
7	Originator	Distinguished name of the originating mailbox, if known.
8	Priority	Priority set by the sender. 0 = Normal 1= High -1 = Low
9	Length	Message length in bytes.
10	Seconds	Transport time in seconds. Not used by Microsoft Exchange Server. The value in this field is 0 or blank.
11	Cost	Cost per second for message transfer. Not used by Microsoft Exchange Server. The value in this field is always 1.
12	Recipients	Number of recipients.
13	Recipient name	Distinguished name of the recipient of the message or a proxy address. This field is separated from the previous field by a line feed. This field is repeated for each recipient.
14	Recipient report status	A number representing the result of an attempt to deliver a report to the recipient. Delivered = 0 Not delivered = 1 This is used only for reports. On other events, it is blank. This field is repeated for each recipient.

Interpreting Events

The following table defines event numbers that appear in tracking logs.

Event # Event Type Description

0 Message transfer in The MTA completed transfer of responsibility for a message from a gateway, X.400 link, or MTA into the local MTA.

1 Probe transfer in The MTA completed transfer of responsibility for a probe from a gateway, X.400 link, or MTA into the local MTA.

2 Report transfer in The MTA completed transfer of responsibility for a report from a gateway, X.400 link, or MTA into the local MTA.

4 Message submission A message was submitted by a local e-mail client (usually through the information store).

5 Probe submission An X.400 probe was submitted by a local e-mail client (usually through the information store).

6 Probe transfer out The MTA completed transfer of responsibility for a probe from the local MTA to a gateway, X.400 link, or another MTA.

7 Message transfer out The MTA completed transfer of responsibility for a message from the local MTA to a gateway, X.400 link, or another MTA.

8 Report transfer out The MTA completed transfer of responsibility for a report from the local MTA to a gateway, X.400 link, or another MTA.

9 Message delivered The MTA completed delivery of a message to local recipients (usually through the information store).

10 Report delivered The MTA completed delivery of a receipt or NDR to local recipients (usually through the information store).

26 Distribution list expansion The MTA has expanded a distribution list to produce a new message that has recipients who are distribution list members.

28 Message redirected The MTA has redirected a message or probe to an alternate recipient because of incorrect configuration data for the original recipient, or failure to route the object or reassignment of data contained in the message.

29 Message rerouted The MTA has rerouted a message, report, or probe because of problems with next route X.400 link or MTA.

31 Downgrading The MTA has mapped a message, report, or probe into the 1984 X.400 protocol before transferring it to a remote 1984 MTA.

33 Report absorption The MTA has scheduled a report for deletion because the user did not request it. In X.400 protocol, NDRs are always routed back to the sending MTA even if the user did not request a report.

34 Report generation The MTA has created a delivery receipt or NDR.

43 Unroutable report discarded The MTA has discarded a report because the report cannot be routed to its destination.

50 Gateway deleted message The administrator deleted an X.400 message that was queued by the MTA for transfer to a gateway. No delivery report is generated.

51 Gateway deleted probe The administrator deleted an X.400 probe that was queued by the MTA for transfer to a gateway. No delivery report is generated.

52 Gateway deleted report The administrator deleted an X.400 report that was queued by the MTA for transfer to a gateway. No delivery report is generated.

1000 Local Delivery The sender and recipient are on the same server.

1001 Backbone transfer in Mail was received from another Messaging Application Programming Interface (MAPI) system across a connector or gateway.

1002 Backbone transfer out Mail was sent to another MAPI system across a connector or gateway.

1003 Gateway transfer out The message was sent through a gateway.

1004 Gateway transfer in The message was received from a gateway.

1005 Gateway report transfer in A delivery receipt or NDR was received from a gateway.

1006 Gateway report transfer out A delivery receipt or NDR was sent through
a gateway.

1007 Gateway report generation A gateway generated an NDR for a message.

1010 SMTP Queued Outbound Outbound mail was queued for delivery by the Internet Mail Service.

1011 SMTP Transferred Outbound Outbound mail was transferred to an Internet recipient.

1012 SMTP Received Inbound Inbound mail was received from by the Internet Mail Service.

1013 SMTP Transferred Inbound Mail received by the Internet Mail Service was transferred to the Information Store.

1014 SMTP Message Rerouted An Internet message is being rerouted or forwarded to the proper location.

1015 SMTP Report Transferred In A delivery receipt or NDR was received by the Internet Mail Service.

1016 SMTP Report Transferred Out A delivery receipt or NDR was sent to the Internet Mail Service.

1017 SMTP Report Generated A delivery receipt or NDR was created.

1018 SMTP Report Absorbed The receipt or NDR could not be delivered.

Event #	Event Type	Description
0	Message transfer in	The MTA completed transfer of responsibility for a message from a gateway, X.400 link, or MTA into the local MTA.
1	Probe transfer in	The MTA completed transfer of responsibility for a probe from a gateway, X.400 link, or MTA into the local MTA.
2	Report transfer in	The MTA completed transfer of responsibility for a report from a gateway, X.400 link, or MTA into the local MTA.
4	Message submission	A message was submitted by a local e-mail client (usually through the information store).
5	Probe submission	An X.400 probe was submitted by a local e-mail client (usually through the information store).
6	Probe transfer out	The MTA completed transfer of responsibility for a probe from the local MTA to a gateway, X.400 link, or another MTA.
7	Message transfer out	The MTA completed transfer of responsibility for a message from the local MTA to a gateway, X.400 link, or another MTA.
8	Report transfer out	The MTA completed transfer of responsibility for a report from the local MTA to a gateway, X.400 link, or another MTA.
9	Message delivered	The MTA completed delivery of a message to local recipients (usually through the information store).
10	Report delivered	The MTA completed delivery of a receipt or NDR to local recipients (usually through the information store).
26	Distribution list expansion	The MTA has expanded a distribution list to produce a new message that has recipients who are distribution list members.
28	Message redirected	The MTA has redirected a message or probe to an alternate recipient because of incorrect configuration data for the original recipient, or failure to route the object or reassignment of data contained in the message.
29	Message rerouted	The MTA has rerouted a message, report, or probe because of problems with next route X.400 link or MTA.
31	Downgrading	The MTA has mapped a message, report, or probe into the 1984 X.400 protocol before transferring it to a remote 1984 MTA.
33	Report absorption	The MTA has scheduled a report for deletion because the user did not request it. In X.400 protocol, NDRs are always routed back to the sending MTA even if the user did not request a report.
34	Report generation	The MTA has created a delivery receipt or NDR.
43	Unroutable report discarded	The MTA has discarded a report because the report cannot be routed to its destination.
50	Gateway deleted message	The administrator deleted an X.400 message that was queued by the MTA for transfer to a gateway. No delivery report is generated.
51	Gateway deleted probe	The administrator deleted an X.400 probe that was queued by the MTA for transfer to a gateway. No delivery report is generated.
52	Gateway deleted report	The administrator deleted an X.400 report that was queued by the MTA for transfer to a gateway. No delivery report is generated.
1000	Local Delivery	The sender and recipient are on the same server.
1001	Backbone transfer in	Mail was received from another Messaging Application Programming Interface (MAPI) system across a connector or gateway.
1002	Backbone transfer out	Mail was sent to another MAPI system across a connector or gateway.
1003	Gateway transfer out	The message was sent through a gateway.
1004	Gateway transfer in	The message was received from a gateway.
1005	Gateway report transfer in	A delivery receipt or NDR was received from a gateway.
1006	Gateway report transfer out	A delivery receipt or NDR was sent through a gateway.
1007	Gateway report generation	A gateway generated an NDR for a message.
1010	SMTP Queued Outbound	Outbound mail was queued for delivery by the Internet Mail Service.
1011	SMTP Transferred Outbound	Outbound mail was transferred to an Internet recipient.
1012	SMTP Received Inbound	Inbound mail was received from by the Internet Mail Service.
1013	SMTP Transferred Inbound	Mail received by the Internet Mail Service was transferred to the Information Store.
1014	SMTP Message Rerouted	An Internet message is being rerouted or forwarded to the proper location.
1015	SMTP Report Transferred In	A delivery receipt or NDR was received by the Internet Mail Service.
1016	SMTP Report Transferred Out	A delivery receipt or NDR was sent to the Internet Mail Service.
1017	SMTP Report Generated	A delivery receipt or NDR was created.
1018	SMTP Report Absorbed	The receipt or NDR could not be delivered.