Using Get-MessageTrace PowerShell command for viewing and exporting information on mail sent and received | Exchange Online | Part 1#2

In this two-article series, we review the Exchange Online PowerShell cmdlet Get-MessageTrace, which is used to view and export information about the incoming and outgoing mail transactions that are recorded in the Exchange Online log files.

In the first article, we provide a basic introduction to the Get-MessageTrace PowerShell cmdlet and to its “sister” cmdlet, Get-HistoricalSearch.
Another important concept that we review is the “date range”, which is an essential component of every Get-MessageTrace query.
In the next article, we provide various examples of using Get-MessageTrace with different parameters and filters, such as sender, recipient, subject, IP address and so on.

How to get information stored in Exchange Online log files?

In an Exchange Online (Office 365) based environment, every incoming and outgoing mail transaction is “registered” in the Exchange Online log files.

There are two ways to look at the content of the Exchange Online log files: the web-based interface of the Exchange Online admin center, or PowerShell commands.

When using PowerShell in an Exchange Online (Office 365) based environment to query and export the information stored in the Exchange Online log files, there are two major PowerShell cmdlets that we can use: Get-MessageTrace and Get-HistoricalSearch (strictly speaking, a historical search is submitted with Start-HistoricalSearch, and Get-HistoricalSearch reports the status of the job and the download link for its results; the article refers to the pair as Get-HistoricalSearch for short).

Get-MessageTrace Advantages and Disadvantages

Advantages

  • We can use the Get-MessageTrace PowerShell cmdlet to view information and export it to a file “in real time” (in the next section, I explain the way I use the term “real time”).

Disadvantages

  • The maximum time frame available to us when using the Get-MessageTrace PowerShell cmdlet is 30 days. In other words, we cannot use Get-MessageTrace to “fetch” information from the Exchange Online log that is older than 30 days, even though Exchange Online keeps mail transaction log information for 90 days. Note – Microsoft has since reduced this window: the current Get-MessageTrace documentation gives 10 days, so check the limit your tenant enforces before planning an investigation.
  • The information that we can display on the PowerShell console or export to a file is very basic and does not include detailed information about a specific mail transaction. Note – we can follow up with the Get-MessageTraceDetail cmdlet (it takes the MessageTraceId and RecipientAddress of a row returned by Get-MessageTrace) to get additional event information, but what we get is still basic compared to the information we get from Get-HistoricalSearch.

Get-HistoricalSearch Advantages and Disadvantages

Advantages

  • Using Get-HistoricalSearch, we can get very detailed information about each mail transaction that was registered in the Exchange Online log files.
  • When using Get-HistoricalSearch, Exchange Online provides an extended time frame of 90 days. In other words, we can look for mail transaction information for a period of 90 days (versus the 30-day limitation of Get-MessageTrace).

Disadvantages

  • When using Get-HistoricalSearch, the “request for information” is registered as a “task” (a report job) in Exchange Online and is processed asynchronously; the results typically become available only after several hours.
  • The information that we get from Get-HistoricalSearch can be overwhelming (TMI – too much information), and it is not easy to read and understand the large chunk of data without some post-processing.

Recap

The main advantage of Get-MessageTrace is its ability to quickly and effectively give us “high level” information about the mail transactions registered in the Exchange Online log files.

In case we need to perform a deeper investigation of a specific mail transaction, or to get information about mail transactions older than 30 days, we will need to use Get-HistoricalSearch.

Note – At the time of writing, there is no way to get the detailed information that appears in the file exported by Get-HistoricalSearch through the Exchange Online web-based interface.

You can get more information about how to read the exported information that we get from Get-HistoricalSearch in the following article: Performing an Extended Message Trace in Office 365

Working with the Get-MessageTrace PowerShell command | Basic concepts

The Get-MessageTrace PowerShell cmdlet serves as a “viewer” that we can use to “peek” into the Exchange Online mail transaction log.

The most fundamental building block is the “time range.”

In case we don’t use the PowerShell parameters that define the time range, the Get-MessageTrace default is to return only the data from the last 48 hours.

The required “time range” is defined by two PowerShell parameters: StartDate and EndDate.

After we provide the information about the required time range, we can add additional “blocks” that help us to filter or narrow the search results.

For example,

  • We can ask to get information about mail transactions that related to E-mails, sent from a specific sender or, sent to a specific recipient.
  • We can ask to get information about mail transactions that related to E-mails, with a specific subject or a specific status.


In case you want to see all the available parameters of the Get-MessageTrace cmdlet, use Get-Help Get-MessageTrace -Full (or Get-Command Get-MessageTrace -Syntax); to see the properties of the rows it returns, such as Received, SenderAddress, RecipientAddress, Subject and Status, pipe one result to the Get-Member cmdlet:

PowerShell command example

PowerShell console output example

Define the specific “time\date” range of the information that we want to get from Exchange log files

As mentioned, the most basic building block when using the Get-MessageTrace command is the definition of the required time frame or time range.

The time range is defined by providing the start date and the end date. The time range is the “space” between these two “borders.”


Exchange Online is willing to “expose” this information only within a window of at most 30 days back from today.


In case that we write a time range that is Greater than 30 days, the following error appears:

Invalid StartDate value. The StartDate can’t be greater than 30 days from today.
+ CategoryInfo : InvalidArgument: (:) [Get-MessageTrace], InvalidExpressionException

When using the Get-MessageTrace cmdlet, there are two major syntax methods that we can use for defining the time range:

Option 1 – by “manually writing” the specific dates (the start date and the end date) in the format of month, day and year (<mm/dd/yyyy>). PowerShell converts these strings to dates with the invariant culture, so 03/05/2017 is always March 5th, whatever the regional settings of the machine that runs the trace.


Option 2 – by using the Get-Date cmdlet

The other method, which I prefer to use, is based on the Get-Date PowerShell cmdlet.

As the name implies, Get-Date “fetches” the current date and time: the current second, minute, hour, day, month and year, as a .NET DateTime object.

When using the Get-MessageTrace cmdlet, Get-Date is used for defining the “EndDate”.

The “StartDate” is defined by calling one of the DateTime object’s methods, such as AddHours or AddDays, with a negative value, which subtracts that amount of time from the current date.

In the following example, we define a time range of “30 days” by calling AddDays with the value “-30”.

This syntax “tells” PowerShell that we want a date that is calculated by subtracting 30 days from the current time (the current time that we get from Get-Date).


Get information about sent\received Emails in a specific time range | Specifying dates using “basic syntax”.

PowerShell command syntax

PowerShell command example
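An added example (not the article's own code) of the “basic syntax” with explicitly written dates. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) so that Get-MessageTrace is available; the helper name New-MessageTraceRange and the sample dates are mine. It parses the mm/dd/yyyy strings with the invariant culture, makes the end date inclusive of its whole day, and rejects a range outside the 30-day window locally instead of waiting for the service error quoted above.

```powershell
# Added example, not from the original article. Assumes an Exchange Online
# PowerShell session. Builds a StartDate/EndDate pair from explicit mm/dd/yyyy
# strings and validates it before Get-MessageTrace is called.

function New-MessageTraceRange {
    param(
        [Parameter(Mandatory)][string]$StartDate,   # mm/dd/yyyy, e.g. "03/01/2017"
        [Parameter(Mandatory)][string]$EndDate,     # mm/dd/yyyy, the whole day is included
        [int]$MaxDays = 30                          # the service limit quoted in the article
    )
    # Parse with the invariant culture so "03/01/2017" is always March 1st,
    # regardless of the regional settings of the machine running the trace.
    $inv   = [System.Globalization.CultureInfo]::InvariantCulture
    $start = [datetime]::ParseExact($StartDate, 'MM/dd/yyyy', $inv)
    # A bare date means 00:00; move the end to the last moment of that day so that
    # mail received during the end day is not silently excluded.
    $end   = [datetime]::ParseExact($EndDate, 'MM/dd/yyyy', $inv).AddDays(1).AddMilliseconds(-1)

    if ($end -le $start) {
        throw "EndDate ($EndDate) must be later than StartDate ($StartDate)."
    }
    if ($start -lt (Get-Date).AddDays(-$MaxDays)) {
        throw "StartDate ($StartDate) is more than $MaxDays days in the past; Get-MessageTrace will reject it."
    }
    # A hashtable that can be splatted straight into Get-MessageTrace.
    return @{ StartDate = $start; EndDate = $end }
}

# Usage: sample dates (replace with dates inside the last 30 days), then splat the
# validated range into the cmdlet.
$range = New-MessageTraceRange -StartDate '03/01/2017' -EndDate '03/05/2017'
Get-MessageTrace @range |
    Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize
```

Using ParseExact with a fixed format is deliberate: a message trace pulled for the wrong week because dd/mm and mm/dd were swapped is a quiet way to miss the evidence you were looking for.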

In the following section, I would like to review a couple of examples of defining a time range by using the “other method”, in which we use the Get-Date cmdlet as a baseline plus the DateTime methods such as AddMinutes, AddHours, AddDays and AddMonths.

Get information about sent\received Emails in a specific time range | Last X minutes.

Display all Exchange E-mail messages that were sent and received in the last 30 minutes.

PowerShell command example

Get information about sent\received Emails in a specific time range | Last X Hours.

Display all Exchange E-mail messages that were sent and received in the last 30 hours.

PowerShell command example

Get information about sent\received Emails in a specific time range | Last X Days.

Display all Exchange E-mail messages that were sent and received in the last 30 days.

PowerShell command example

Get information about sent\received Emails in a specific time range | Last X Months.

Display all Exchange E-mail messages that were sent and received in the last month.

PowerShell command example
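An added example (not the article's own code) that covers the four “last X” ranges above in one function. It assumes an Exchange Online PowerShell session; the function name Get-RecentMessageTrace is mine. It also handles the edge case the “last month” variant hides: AddMonths(-1) is not 30 days, and from the 31st of a month it lands 31 days back, which the service rejects.

```powershell
# Added example, not from the original article. Assumes an Exchange Online
# PowerShell session. "Now" from Get-Date is always the EndDate; the StartDate
# is derived from it with the DateTime Add* methods and negative values.

function Get-RecentMessageTrace {
    param(
        [int]$Minutes = 0,
        [int]$Hours   = 0,
        [int]$Days    = 0,
        [int]$Months  = 0
    )
    $end   = Get-Date
    $start = $end.AddMinutes(-$Minutes).AddHours(-$Hours).AddDays(-$Days).AddMonths(-$Months)

    # AddMonths(-1) is calendar arithmetic, not "30 days": 31 March -> 28 February
    # is 31 days back, which Get-MessageTrace rejects. Clamp to the documented limit.
    $floor = $end.AddDays(-30)
    if ($start -lt $floor) {
        Write-Warning ("Requested range starts {0:u}, older than the 30-day limit; clamping to {1:u}" -f $start, $floor)
        $start = $floor
    }
    Get-MessageTrace -StartDate $start -EndDate $end
}

# Last 30 minutes: the rows themselves (Received is reported by the service in UTC).
Get-RecentMessageTrace -Minutes 30 |
    Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize

# Last 30 hours: just how many transactions there were.
Get-RecentMessageTrace -Hours 30 | Measure-Object | Select-Object -ExpandProperty Count

# Last 30 days: a breakdown by delivery status, useful as a first triage view.
Get-RecentMessageTrace -Days 30 | Group-Object Status | Sort-Object Count -Descending

# Last month: clamped with a warning when the calendar month is longer than 30 days.
Get-RecentMessageTrace -Months 1 | Measure-Object | Select-Object -ExpandProperty Count
```

Note that a single call returns one page of results (1000 rows by default); the variable-based example in the next section shows how to page through a busy tenant's full range.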

Define a time range using variable

In case you want to avoid typing long and complex date values, you can use a method in which the time range is defined using variables.

The variables that we define “contain” the required date range.

The Get-MessageTrace command that we use then defines the time range by referencing the variables that were defined in the “former step.”

PowerShell command example
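An added example (not the article's own code) of the variable-based range, extended to the export the series title promises. It assumes an Exchange Online PowerShell session; the function name Get-AllMessageTrace and the output file name are mine. The point it adds is paging: Get-MessageTrace returns one page per call (PageSize defaults to 1000 and tops out at 5000, selected with -Page), so a single call against a busy tenant silently truncates the 30-day history.

```powershell
# Added example, not from the original article. Assumes an Exchange Online
# PowerShell session. The time range lives in two variables, the trace is pulled
# page by page, and the result is exported to CSV with the range in the file name.

$EndDate   = Get-Date
$StartDate = $EndDate.AddDays(-30)

function Get-AllMessageTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$PageSize = 5000      # largest page the cmdlet allows
    )
    $page    = 1
    $results = [System.Collections.Generic.List[object]]::new()
    do {
        $batch = @(Get-MessageTrace -StartDate $StartDate -EndDate $EndDate -PageSize $PageSize -Page $page)
        Write-Verbose ("Page {0}: {1} rows" -f $page, $batch.Count)
        $results.AddRange($batch)
        $page++
    } while ($batch.Count -eq $PageSize)   # a short (or empty) page means we reached the end
    return $results
}

$trace = Get-AllMessageTrace -StartDate $StartDate -EndDate $EndDate -Verbose

# Keep the columns an analyst actually reads, sort by time, and name the file after
# the range so exports from different investigations are not mixed up.
$file = 'MessageTrace_{0:yyyyMMdd}-{1:yyyyMMdd}.csv' -f $StartDate, $EndDate
$trace |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, ToIP, Size, MessageId, MessageTraceId |
    Sort-Object Received |
    Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

"{0} rows written to {1}" -f $trace.Count, $file
```

MessageTraceId and RecipientAddress are kept in the export on purpose: they are the two values Get-MessageTraceDetail needs when a single row later has to be examined more closely.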

“Clean” the displayed results from unnecessary information

When we use the Get-MessageTrace cmdlet in an Exchange Online environment without a very specific filter, the “output” includes unnecessary information (white noise) about “system” and internal Exchange Online mail messages.

In the following example, we can see information about “system emails” that is not relevant to our search.

In case we want to “clean” the search results by removing the information about the “system emails”, we add filters that instruct PowerShell to “ignore” specific emails, such as the system emails.

PowerShell console output example


PowerShell command example

PowerShell console output example
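An added example (not the article's own code) of the client-side “clean-up” filter. It assumes an Exchange Online PowerShell session; the function name Remove-SystemMessages is mine, and the list of sender patterns is an assumed starting point that you should adjust after looking at what your own tenant's raw trace shows.

```powershell
# Added example, not from the original article. Assumes an Exchange Online
# PowerShell session. Drops rows whose sender matches a list of "system" patterns
# (an assumed list; tune it to your tenant) and reports how much noise was removed.

$SystemSenderPatterns = @(
    '^postmaster@',                      # non-delivery and delivery reports
    '^microsoftexchange[0-9a-f]+@',      # the service mailbox Exchange Online sends system messages from
    'noreply@',                          # assumed: automated notifications you do not want in the view
    '^$'                                 # rows with an empty sender (system-generated)
)

function Remove-SystemMessages {
    param(
        [Parameter(ValueFromPipeline)]$Message,
        [string[]]$Patterns = $SystemSenderPatterns
    )
    process {
        $sender   = [string]$Message.SenderAddress
        $isSystem = $false
        foreach ($p in $Patterns) {
            if ($sender -imatch $p) { $isSystem = $true; break }
        }
        if (-not $isSystem) { $Message }   # pass every non-system row down the pipeline
    }
}

# Usage: raw trace for the last 24 hours, then the same rows with system mail removed.
$end   = Get-Date
$start = $end.AddHours(-24)
$all   = @(Get-MessageTrace -StartDate $start -EndDate $end)
$clean = @($all | Remove-SystemMessages)

"{0} rows before, {1} after dropping system mail" -f $all.Count, $clean.Count
$clean | Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize
```

Two cautions when using a filter like this during an investigation: a sender address is attacker-controlled, so mail that spoofs postmaster or a no-reply address will disappear from the cleaned view, and filtering client-side still pulls every row from the service. Keep the unfiltered result (or export) alongside the cleaned one, and where the question is really “only this sender” or “only failed deliveries”, prefer the cmdlet's own server-side parameters, which the next article covers.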



Using Get-MessageTrace PowerShell command for viewing and exporting information on mail sent and received

The PowerShell menu script uses the Get-MessageTrace cmdlet to access, search and export the Exchange Online log, which documents every inbound and outbound mail transaction. The script menus enable you to define a “search filter”, looking for information about a specific mail flow, such as email sent by a specific sender or received by a specific recipient, mail sent from a sender with a specific domain name suffix, mail sent in a specific date range and more.



Author: Eyal Doron (o365info.com)