In the first article, we provide a basic introduction to the Get-MessageTrace PowerShell command and to its "sister", the Get-HistoricalSearch PowerShell command.
Another important concept that we review is the "date range", which is an essential component when using the Get-MessageTrace cmdlet.
In the next article, we provide various examples of using Get-MessageTrace with different parameters and filters, such as sender, recipient, subject, IP address and so on.
How to get information stored in Exchange Online log files?
In Exchange Online (Office 365) based environment, every incoming and outgoing mail transaction is “registered” in the Exchange Online log file.
There are two ways to look at the content of the Exchange Online log file: the web-based interface of the Exchange Online admin center, or PowerShell commands.
When using PowerShell in an Exchange Online (Office 365) based environment to query and export information stored in the Exchange Online log files, there are two major PowerShell commands we can use: Get-MessageTrace and Get-HistoricalSearch.
Get-MessageTrace Advantages and Disadvantages
Advantages
- We can use the Get-MessageTrace PowerShell command to view information and export it to a file "in real time" (in the next section, I will explain the way I use the term "real time").
Disadvantages
- The maximum time frame available when using the Get-MessageTrace PowerShell command is 30 days. In other words, we cannot use Get-MessageTrace to "fetch" information from the Exchange Online server log that is older than 30 days, even though Exchange Online keeps mail transaction log information for 90 days.
- The information that we can display on the PowerShell console or export to a file is fairly basic and doesn't include detailed information about a specific mail transaction. Note – we can add the PowerShell command Get-MessageTraceDetail to get additional information, but what we get is still basic compared with the information provided by the PowerShell command Get-HistoricalSearch.
Get-HistoricalSearch Advantages and Disadvantages
Advantages
- Using Get-HistoricalSearch, we can get very detailed information about each mail transaction that was registered in the Exchange Online server log files.
- When using the Get-HistoricalSearch PowerShell command, Exchange Online provides an extended time frame of 90 days. In other words, we can look for mail transaction information for a period of 90 days (versus the 30-day limitation when using the PowerShell command Get-MessageTrace).
Disadvantages
- When using the PowerShell command Get-HistoricalSearch, the "request for information" is registered as a "task" in Exchange Online and is executed only after several hours.
- The information that we get from the PowerShell command Get-HistoricalSearch can be overwhelming (TMI – too much information), and the large chunk of data is not easy to read and understand.
Recap
The main advantage of the PowerShell command Get-MessageTrace is its ability to quickly and effectively give us "high level" information about the mail transactions registered in the Exchange Online log file.
If we need to perform a deeper investigation of a specific mail transaction registered in the Exchange Online log file, or get information about mail transactions older than 30 days, we will need to use the PowerShell command Get-HistoricalSearch.
Note – At the current time, there is no way to get the detailed information that appears in the file exported by Get-HistoricalSearch through the Exchange Online web-based interface.
You can get more information about how to read the exported information that we get from the PowerShell command Get-HistoricalSearch in the following article – Performing an Extended Message Trace in Office 365
Working with the Get-MessageTrace PowerShell command | Basic concepts
The Get-MessageTrace PowerShell command serves as a "viewer" that we can use to "peek" into the Exchange Online mail transaction log file.
The most fundamental building block is the “time range.”
If we don't use a PowerShell parameter that defines the time range, Get-MessageTrace defaults to returning only the data from the last 48 hours.
The required "time range" is defined by the PowerShell parameters StartDate and EndDate.
After we provide the required time range, we can add additional "blocks" that filter or narrow the search results.
For example,
- We can ask for information about mail transactions related to emails sent from a specific sender, or sent to a specific recipient.
- We can ask for information about mail transactions related to emails with a specific subject or a specific status.
If you want to see all the properties (members) of the objects returned by the PowerShell command Get-MessageTrace, you can pipe the result to the Get-Member PowerShell command:
PowerShell command example
Get-MessageTrace | Get-Member
PowerShell console output example
PS C:\script> Get-MessageTrace | Get-Member

   TypeName: Deserialized.Microsoft.Exchange.Management.FfoReporting.MessageTrace

Name               MemberType   Definition
----               ----------   ----------
GetType            Method       type GetType()
PSComputerName     NoteProperty string PSComputerName=outlook.office365.com
PSShowComputerName NoteProperty bool PSShowComputerName=False
RunspaceId         NoteProperty guid RunspaceId=9b812ad0-4ca5-404e-85fd-ad4cd78d495d
EndDate            Property     System.DateTime {get;set;}
FromIP             Property     System.String {get;set;}
Index              Property     System.Int32 {get;set;}
MessageId          Property     System.String {get;set;}
MessageTraceId     Property     System.Guid {get;set;}
Organization       Property     System.String {get;set;}
Received           Property     System.DateTime {get;set;}
RecipientAddress   Property     System.String {get;set;}
SenderAddress      Property     System.String {get;set;}
Define the specific “time\date” range of the information that we want to get from Exchange log files
As mentioned, the most basic building block when using the Get-MessageTrace command is the definition of the required time frame or time range.
The time range is defined by providing the start date and the end date. The time range is the “space” between these two “borders.”
Exchange Online "exposes" this information only within a maximum window of 30 days.
If we specify a time range greater than 30 days, the following error appears:
+ CategoryInfo : InvalidArgument: (:) [Get-MessageTrace], InvalidExpressionException
When using the Get-MessageTrace command, there are two major syntax methods that we can use to define the time range:
Option 1 – by "manually writing" the specific dates (the start date and the end date) in month/day/year format (described as <mm/dd/yyyy>).
Option 2 – by using the Get-Date PowerShell function. This is the method I prefer to use.
As the name implies, the Get-Date PowerShell function "fetches" the current time. The information includes the current second, minute, hour, day, month and year.
When using the Get-MessageTrace command, the Get-Date PowerShell function is used to define the EndDate.
The StartDate is defined by using a "time unit" method such as AddHours or AddDays and subtracting that amount of time from the current date.
In the following example, we define a time range of 30 days by using the time unit AddDays with the value -30.
This syntax "tells" PowerShell that we want a date calculated by subtracting 30 days from the current time (the current time that we get from the Get-Date PowerShell function).
Get information about sent\received Emails in a specific time range | Specifying dates using “basic syntax”.
PowerShell command syntax
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy>
PowerShell command example
Get-MessageTrace -StartDate 01/01/2017 -EndDate 01/30/2017
In the following section, I would like to review a couple of examples of defining the time range by using the "other method", in which we use the Get-Date PowerShell function as a baseline plus the PowerShell time-unit methods such as AddHours, AddDays and so on.
Get information about sent\received Emails in a specific time range | Last X minutes.
Display all Exchange email messages that were sent and received in the last 30 minutes.
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddMinutes(-30) -EndDate (Get-Date)
Get information about sent\received Emails in a specific time range | Last X Hours.
Display all Exchange email messages that were sent and received in the last 30 hours.
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddHours(-30) -EndDate (Get-Date)
Get information about sent\received Emails in a specific time range | Last X Days.
Display all Exchange email messages that were sent and received in the last 30 days.
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
Get information about sent\received Emails in a specific time range | Last X Months.
Display all Exchange email messages that were sent and received in the last month.
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)
Define a time range using variable
If you want to avoid typing long and complex date values, you can define the time range using variables.
The variables that we define "contain" the required date range.
The Get-MessageTrace command then defines the time range by using the variables that were set in the "former step."
PowerShell command example
$DateEnd = Get-Date
$DateStart = $DateEnd.AddHours(-30)
Get-MessageTrace -StartDate $DateStart -EndDate $DateEnd
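The following added example (my code, not the article's) ties the time-range building blocks above together: it builds StartDate/EndDate from Get-Date and variables, refuses a window wider than the 30-day limit before Exchange Online rejects it, and walks through every page of results using the cmdlet's -Page and -PageSize parameters (which the article does not cover). It assumes an already-connected Exchange Online PowerShell session; the function names are my own.

```powershell
# Added example, not code from the original article. Assumes an already
# connected Exchange Online PowerShell session; function names are my own.

function New-TraceWindow {
    param([int]$Days = 7)
    # Get-MessageTrace only serves the last 30 days; a wider range fails with
    # InvalidExpressionException, so validate up front with a readable message.
    if ($Days -lt 1 -or $Days -gt 30) {
        throw "Days must be between 1 and 30; Get-MessageTrace cannot look back further."
    }
    $end = Get-Date
    [pscustomobject]@{
        StartDate = $end.AddDays(-$Days)
        EndDate   = $end
    }
}

function Get-AllMessageTrace {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$PageSize = 1000   # the cmdlet allows up to 5000 per page
    )
    # The cmdlet returns one page per call; keep fetching until a page comes
    # back short, which means there is nothing left for this time range.
    $page = 1
    do {
        $params = @{ StartDate = $StartDate; EndDate = $EndDate; PageSize = $PageSize; Page = $page }
        $batch  = @(Get-MessageTrace @params)
        $batch          # emit this page to the pipeline
        $page++
    } while ($batch.Count -eq $PageSize)
}

# Last 30 days, exported to CSV with the columns the article works with.
$window = New-TraceWindow -Days 30
Get-AllMessageTrace -StartDate $window.StartDate -EndDate $window.EndDate |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Export-Csv -Path .\MessageTrace-last30days.csv -NoTypeInformation
```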
“Clean” the displayed results from unnecessary information
When we use the Get-MessageTrace PowerShell command in an Exchange Online environment without a very specific filter, the output includes unnecessary information ("white noise") about system and internal Exchange Online mail messages.
In the following example, we can see information about "system emails" that is not relevant to our search.
If we want to "clean" the search results by removing the information about the "system emails", we add filters that instruct PowerShell to "ignore" specific emails, such as the system emails.
PowerShell console output example
PS C:\script> Get-MessageTrace -StartDate (Get-Date).Adddays(-3) -EndDate (Get-Date)

Received               Sender Address                  Recipient Address                                                                  Subject
--------               --------------                  -----------------                                                                  -------
01/06/2017 5:47:16 AM  Root@o365info2.onmicrosoft.com  publicfoldermailboxes.849adb9d4ce04c84bf663a41b011c05e@o365info2.onmicrosoft.com  HierarchySync_Ping_4715_a1712e75-0ed6-4a37-a8a1-96d2337c017e
01/06/2017 5:37:15 AM  Root@o365info2.onmicrosoft.com  publicfoldermailboxes.849adb9d4ce04c84bf663a41b011c05e@o365info2.onmicrosoft.com  HierarchySync_IncrementalSync_4714_a1712e75-0ed6-4a37-a8a1-96d2337c017e
01/06/2017 5:37:15 AM  Root@o365info2.onmicrosoft.com  root@o365info2.onmicrosoft.com                                                     HierarchySync_IncrementalSync_4714_a1712e75-0ed6-4a37-a8a1-96d2337c017e
01/06/2017 5:33:57 AM  wordpress@o365info.com          John@o365info.com                                                                  [o365info.com] Please moderate: "Manage Distribution Groups by using Power...
01/06/2017 5:32:19 AM  [email protected]                 [email protected]                                                                  [o365info.com] Please moderate: "Manage Distribution Groups by using Power...
01/06/2017 5:27:15 AM  Root@o365info2.onmicrosoft.com  publicfoldermailboxes.@o365info2.onmicrosoft.com                                   HierarchySync_Ping_4713_a1712e75-0ed6-4a37-a8a1-96d2337c017e
"Clean" the displayed results | Filtering out the system emails
PowerShell command example
# -and is required: a sender is kept only when it matches neither pattern.
Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | Where-Object { $_.SenderAddress -notlike '*micro*' -and $_.SenderAddress -notlike '*root*' }
PowerShell console output example
PS C:\script> Get-MessageTrace -StartDate (Get-Date).Adddays(-30) -EndDate (Get-Date) | Where {$_.SenderAddress -notlike '*micro*' -or $_.SenderAddress -notlike '*root*' }

Received                Sender Address            Recipient Address         Subject                                                                                                Status
--------                --------------            -----------------         -------                                                                                                ------
01/06/2017 11:07:36 PM  info@twitter.com          info@o365info.com         beauty tips Tweeted: Please RT #beauty #makeup ##skincare MAC Studio Fix Additions                    Expanded
01/06/2017 7:58:22 PM   ilan.caner@gmail.com      John@o365info.com         Re:                                                                                                    Delivered
01/06/2017 6:00:36 PM   info@hyperfish.com        John@o365info.com         Webinar: Leveraging People Data in SharePoint Intranets Presented by Bonzai Intranet & Hyperfish       Delivered
01/06/2017 4:13:15 PM   joanna@getriverteam.com   John@o365info.com         Easybellezza - 4 things people say about River                                                         Delivered
01/06/2017 4:13:15 PM   joanna@getriverteam.com   info@o365info.com         Easybellezza - 4 things people say about River                                                         Expanded
01/06/2017 12:34:59 PM  omsingh.om@outlook.com    john@o365info.com         SEO Service Proposal                                                                                   Delivered
01/06/2017 12:33:01 PM  seo.devender.raviya@...   info@o365info.com         Create an IPhone & Android App for your business                                                       Delivered
01/06/2017 10:13:52 AM  noreply-dmarc-suppor...   1u8pjtbx@ag.dmarcian...   Report domain: o365info.com Submitter: google.com Report-ID: 9662862343435806656                      Delivered
01/06/2017 10:13:52 AM  noreply-dmarc-suppor...   dmarc-report@o365inf...   Report domain: o365info.com Submitter: google.com Report-ID: 9662862343435806656                      Resolved
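As an added example (my code, not the article's), the same "cleaning" done with a reusable noise list: a sender is dropped when it matches any pattern in the list (chaining -notlike tests with -or, as in the console example above, only drops a sender that matches every pattern at once), and what remains is summarised by Status so failed or quarantined mail stands out. The pattern list is constructed for this example; it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example, not code from the original article. The noise patterns are
# constructed for this example; assumes a connected Exchange Online session.

# Wildcard patterns for senders we never want in an investigation view.
$noiseSenders = @(
    'root@*.onmicrosoft.com',      # HierarchySync_* public folder traffic
    'publicfoldermailboxes.*',     # the public folder mailboxes themselves
    'wordpress@*'                  # site notification mail
)

function Test-NoiseSender {
    param([string]$Address)
    # One matching pattern is enough to call the sender noise.
    foreach ($pattern in $noiseSenders) {
        if ($Address -like $pattern) { return $true }
    }
    return $false
}

$trace = Get-MessageTrace -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date)

# Keep only messages whose sender matches none of the noise patterns.
$clean = $trace | Where-Object { -not (Test-NoiseSender $_.SenderAddress) }

$clean | Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize

# Status counts are a quick mail-flow health check: anything other than
# Delivered/Expanded (for example Failed or Quarantined) is what to look at first.
$clean | Group-Object Status | Sort-Object Count -Descending |
    Select-Object @{ n = 'Status'; e = { $_.Name } }, Count

# Pull the hop-by-hop detail (Get-MessageTraceDetail) for non-delivered mail only.
$clean | Where-Object { $_.Status -notin 'Delivered', 'Expanded' } |
    ForEach-Object {
        Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
    }
```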
In my testing, Get-MessageTrace is now limited to 10 days. It used to be 7 days, so unless there is some magic setting, I cannot go back more than 10 days.
Really helpful...
Very helpful. One thing to mention is that what is reported back from Microsoft will be in UTC time and not your time. For example, an email that was sent at 8:00 AM Eastern time will show up as 13:00, since at the time of this reply the Eastern time zone is -5 hours different from UTC.