Message tracking

Applies to: Exchange Server 2013

In Microsoft Exchange Server 2013, the message tracking log is a detailed record of all message activity as messages are transferred to and from the Transport service on Mailbox servers, mailboxes on Mailbox servers, and Edge Transport servers. You can use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.

In Exchange 2013, you can use the Set-TransportService cmdlet or the Set-MailboxServer cmdlet for all message tracking configuration tasks, because the Exchange 2013 Mailbox server holds the Transport service and the mailboxes. You can use either of these cmdlets to make the following message tracking configuration changes:

  • Enable or disable message tracking. The default is enabled.

  • Specify the location of the message tracking log files.

  • Specify a maximum size for the individual message tracking log files. The default is 10 MB.

  • Specify a maximum size for the directory that contains the message tracking log files. The default is 1000 MB.

  • Specify a maximum age for the message tracking log files. The default is 30 days.

  • Enable or disable message subject logging in the message tracking logs. The default is enabled.

Note

You can also use the Exchange admin center (EAC) to enable or disable message tracking, and to specify the location of the message tracking log files.

By default, Exchange uses circular logging to limit the message tracking logs based on file size and file age to help control the hard disk space used by the message tracking log files.

Search the message tracking log

Message tracking logs contain vast amounts of data as messages move through an Exchange 2013 Mailbox server. When it comes to searching the message tracking logs, you have different options.

  • Get-MessageTrackingLog: Administrators can use this cmdlet to search the message tracking log for information about messages using a wide range of filter criteria. For more information, see Search message tracking logs.

  • Delivery reports for administrators: Administrators can use the Delivery reports tab in the Exchange admin center (EAC) or the underlying Search-MessageTrackingReport and Get-MessageTrackingReport cmdlets to search the message tracking logs for information about messages sent by or received by a specific mailbox in the organization. For more information, see Delivery reports for administrators.

Structure of the message tracking log files

By default, the message tracking log files exist in %ExchangeInstallPath%TransportRoles\Logs\MessageTracking.

The naming convention for log files in the message tracking log directory is MSGTRKyyyymmdd-nnnn.log, MSGTRKMAyyyymmdd-nnnn.log, MSGTRKMDyyyymmdd-nnnn.log, and MSGTRKMSyyyymmdd-nnnn.log. The different logs are used by the following services:

  • MSGTRK: These logs are associated with the Transport service.

  • MSGTRKMA: These logs are associated with the approvals and rejections used by moderated transport. For more information, see Manage message approval.

  • MSGTRKMD: These logs are associated with messages delivered to mailboxes by the Mailbox Transport Delivery service.

  • MSGTRKMS: These logs are associated with messages sent from mailboxes by the Mailbox Transport Submission service.

The placeholders in the log file names represent the following information:

  • The placeholder yyyymmdd is the coordinated universal time (UTC) date on which the log file was created. yyyy = year, mm = month, and dd = day.

  • The placeholder nnnn is an instance number that starts at the value of 1 daily for each message tracking log file name prefix.

Information is written to each log file until the file size reaches its maximum specified value for each log file. Then, a new log file that has an incremented instance number is opened. This process is repeated throughout the day. The log file rotation functionality deletes the oldest log files when either of the following conditions is true:

  • A log file reaches its maximum specified age.

  • The message tracking log directory reaches its maximum specified size.

    Important

    The maximum size of the message tracking log directory is calculated as the total size of all log files that have the same name prefix. Other files that do not follow the name prefix convention are not counted in the total directory size calculation. Renaming old log files or copying other files into the message tracking log directory could cause the directory to exceed its specified maximum size.
    On Exchange 2013 Mailbox servers, the maximum size of the message tracking log directory is three times the specified value. Although the message tracking log files that are generated by the four different services have four different name prefixes, the amount and frequency of data written to the MSGTRKMA log files is negligible compared to the three other log file prefixes.
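
The naming convention and the per-prefix size calculation described above can be checked against a directory listing. The following is an added example, not code from the original page: it parses file names by the convention given here, totals sizes per prefix, lists the files that the size calculation ignores, and reports missing instance numbers. The listing and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Naming convention from this page: <prefix>yyyymmdd-nnnn.log
NAME_RE = re.compile(
    r"^(MSGTRKMA|MSGTRKMD|MSGTRKMS|MSGTRK)(\d{4})(\d{2})(\d{2})-(\d+)\.log$",
    re.IGNORECASE,
)

# Constructed directory listing: (file name, size in bytes).
SAMPLE_LISTING = [
    ("MSGTRK20240114-1.log", 10_485_760),
    ("MSGTRK20240114-2.log", 4_000_000),
    ("MSGTRK20240115-1.log", 10_485_760),
    ("MSGTRK20240115-3.log", 1_000_000),       # instance 2 is absent
    ("MSGTRKMD20240115-1.log", 2_000_000),
    ("MSGTRKMS20240115-1.log", 500_000),
    ("MSGTRK20240101-1.log.bak", 10_485_760),  # renamed old log
    ("notes.txt", 100),                        # unrelated file
]


def parse_name(name):
    """Return (prefix, utc_creation_date, instance), or None when the name
    does not follow the convention."""
    m = NAME_RE.match(name)
    if not m:
        return None
    prefix, yyyy, mm, dd, instance = m.groups()
    try:
        created = date(int(yyyy), int(mm), int(dd))
    except ValueError:  # eight digits that are not a calendar date
        return None
    return prefix.upper(), created, int(instance)


def summarize(listing):
    """Total bytes, file count and oldest creation date per prefix, plus the
    names that are left out of the directory size calculation."""
    per_prefix = defaultdict(lambda: {"bytes": 0, "files": 0, "oldest": None})
    uncounted = []
    for name, size in listing:
        parsed = parse_name(name)
        if parsed is None:
            uncounted.append(name)
            continue
        prefix, created, _ = parsed
        entry = per_prefix[prefix]
        entry["bytes"] += size
        entry["files"] += 1
        if entry["oldest"] is None or created < entry["oldest"]:
            entry["oldest"] = created
    return dict(per_prefix), uncounted


def instance_gaps(listing):
    """Instance numbers start at 1 each day and increment, so a hole in the
    sequence means a file is missing. Rotation removes the oldest files
    first, so holes on the oldest day can be legitimate."""
    seen = defaultdict(set)
    for name, _ in listing:
        parsed = parse_name(name)
        if parsed:
            prefix, created, instance = parsed
            seen[(prefix, created)].add(instance)
    gaps = {}
    for key, instances in seen.items():
        missing = sorted(set(range(1, max(instances) + 1)) - instances)
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    totals, ignored = summarize(SAMPLE_LISTING)
    for prefix, entry in sorted(totals.items()):
        print(prefix, entry["bytes"], "bytes, oldest", entry["oldest"])
    print("not counted toward directory size:", ignored)
    print("missing instances:", instance_gaps(SAMPLE_LISTING))
```

The oldest date per prefix shows how far back the retained logs actually reach, which is the window available for message forensics.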

The message tracking log files are text files that contain data in the comma-separated value (CSV) format. Each message tracking log file has a header that contains the following information:

  • #Software: Name of the software that created the message tracking log file. Typically, the value is Microsoft Exchange Server.

  • #Version: Version number of the software that created the message tracking log file. Currently, the value is 15.0.0.0.

  • #Log-Type: Log type value, which is Message Tracking Log.

  • #Date: The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • #Fields: Comma-delimited field names used in the message tracking log files.

Fields in the message tracking log files

The message tracking log stores each message event on a single line in the log. The message event information is organized by fields, and these fields are separated by commas. The field name is generally descriptive enough to determine the type of information that it contains. However, some fields may be blank, or the type of information that is stored in the field may change based on the message event type and the type of message tracking log file where the event was recorded. General descriptions of the fields that are used to classify each message tracking event are explained in the following table.

Field name    Description

date-time

The UTC date-time of the message tracking event. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

client-ip

The IPv4 or IPv6 address of the messaging server or messaging client that submitted the message.

client-hostname

The host name or FQDN of the messaging server or messaging client that submitted the message.

server-ip

The IPv4 or IPv6 address of the source or destination Exchange server.

server-hostname

The host name or FQDN of the destination server.

source-context

Extra information associated with the source field. For example, transport agent information.

connector-id

The name of the source or destination Send connector or Receive connector. For example, ServerName\ConnectorName or ConnectorName.

source

The Exchange transport component responsible for the message tracking event. The values found in this field are described in the Source values in the message tracking log section later in this topic.

event-id

The message event type. The event types are described in the Event types in the message tracking log section later in this topic.

internal-message-id

A message identifier assigned by the Exchange server currently processing the message.

A specific message's value of internal-message-id is different in the message tracking log of every Exchange server that's involved in the transmission of the message. An example value is 73014444033.

message-id

The value of the Message-Id: header field found in the message header. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message. For messages created in Exchange, the value is in the format <GUID@ServerFQDN>, including the angle brackets (< >). For example, <4867a3d78a50438bad95c0f6d072fca5@mailbox01.contoso.com>. Other messaging systems may use different syntax or values.

network-message-id

A unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.

recipient-address

The email addresses of the message's recipients. Multiple email addresses are separated by the semicolon character (;).

recipient-status

This field contains the recipient status for each recipient separated by the semicolon character (;). The status values are presented for the recipients in the same order as the values in the recipient-address field. Example status values include 250 2.1.5 Recipient OK or 550 4.4.7 QUEUE.Expired;<ErrorText>.

total-bytes

The size of the message that includes attachments, in bytes.

recipient-count

The number of recipients in the message.

related-recipient-address

This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient email addresses associated with the message.

reference

This field contains additional information for specific types of events. For example:

DSN: Contains the report link, which is the Message-Id value of the associated delivery status notification (DSN) if a DSN is generated subsequent to this event. If this is a DSN message, the Reference field contains the Message-Id value of the original message for which this DSN was generated.

EXPAND: The Reference field contains the related-recipient-address value of the related messages.

RECEIVE: The Reference field may contain the Message-Id value of the related message if the message was generated by other processes, for example, journaling or Inbox rules.

SEND: The Reference field contains the Internal-Message-Id value of any DSN messages.

THROTTLE: The Reference field contains the reason why the message was throttled.

TRANSFER: The Reference field contains the Internal-Message-Id of the message that is being forked.

For messages generated by inbox rules, the Reference field contains the Internal-Message-Id value of the inbound message that caused the inbox rule to generate the outbound message.

For other types of events, the Reference field may contain the Internal-Message-Id value for forked messages.

For other types of events, the Reference field is usually blank.

message-subject

The message's subject found in the Subject: header field. The tracking of message subjects is controlled by the MessageTrackingLogSubjectLoggingEnabled parameter in the Set-TransportService or Set-MailboxServer cmdlets. By default, message subject tracking is enabled.

sender-address

The email address specified in the Sender: header field, or the From: header field if Sender: is not present.

return-path

The return email address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>.

message-info

Additional information about the message. For example:

  • The message origination UTC date-time for DELIVER and SEND events. The origination date-time is the time when the message first entered the Exchange organization. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

  • Authentication errors. For example, you may see the value 11a and the type of authentication used when authentication errors occur.

directionality

The direction of the message. Example values include Incoming, Undefined, and Originating.

tenant-id

This field isn't used in on-premises Exchange 2013 organizations.

original-client-ip

The IPv4 or IPv6 address of the original client.

original-server-ip

The IPv4 or IPv6 address of the original server.

custom-data

This field contains data related to specific event types. For example, the Transport Rule agent uses this field to record the GUID of the transport rule or DLP policy that acted on the message. For more information about these Transport Rule agent values, see the "Data logging" section in the View DLP policy detection reports topic.
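
The file header and the field layout described above are enough to read a log file directly. The following is an added example, not code from the original page: it reads the # header lines, maps each CSV row to the names on the #Fields: line, pairs recipient-address with recipient-status, and groups events by message-id. The sample log is constructed and uses a shortened #Fields list; the function names are illustrative.

```python
import csv
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample. Real files list every field described on this page.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-Type: Message Tracking Log
#Date: 2024-01-15T09:00:00.000Z
#Fields: date-time,source,event-id,message-id,recipient-address,recipient-status,message-subject,sender-address
2024-01-15T09:00:01.120Z,STOREDRIVER,RECEIVE,<a1@mailbox01.contoso.com>,michelle@contoso.com,,test,chris@contoso.com
2024-01-15T09:00:01.480Z,SMTP,SEND,<a1@mailbox01.contoso.com>,michelle@contoso.com,250 2.1.5 Recipient OK,test,chris@contoso.com
2024-01-15T09:00:01.900Z,STOREDRIVER,DELIVER,<a1@mailbox01.contoso.com>,michelle@contoso.com,,test,chris@contoso.com
2024-01-15T09:05:00.000Z,SMTP,RECEIVE,<b2@mail.example.net>,chris@contoso.com;michelle@contoso.com,250 2.1.5 Recipient OK;250 2.1.5 Recipient OK,"Q1 numbers, draft",sender@example.net
2024-01-17T09:05:00.000Z,QUEUE,FAIL,<b2@mail.example.net>,chris@contoso.com,550 4.4.7 QUEUE.Expired;message expired,"Q1 numbers, draft",sender@example.net
"""


def parse_utc(value):
    """Parse yyyy-mm-ddThh:mm:ss.fffZ into a timezone-aware UTC datetime."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def parse_tracking_log(text):
    """Return (header, events). header maps Software, Version, Log-Type, Date
    and Fields to their values; events are dicts keyed by the #Fields names."""
    header, fields, events = {}, None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip() == "Fields":
                fields = [name.strip() for name in value.split(",")]
            continue
        if fields is None:
            raise ValueError("data row found before the #Fields: header")
        row = next(csv.reader([line]))  # honours quoted commas in subjects
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(row)}")
        event = dict(zip(fields, row))
        event["date-time"] = parse_utc(event["date-time"])
        events.append(event)
    return header, events


def recipient_results(event):
    """Pair each recipient with its status by position. A status value can
    itself contain ';' (550 4.4.7 QUEUE.Expired;<ErrorText>), so when the
    counts differ the unsplit status string is attached to every recipient."""
    addresses = [a for a in event["recipient-address"].split(";") if a]
    raw = event["recipient-status"]
    statuses = raw.split(";") if raw else []
    if len(statuses) == len(addresses):
        return list(zip(addresses, statuses))
    return [(address, raw) for address in addresses]


def timeline(events):
    """Map message-id to its (event-id, source) pairs in time order."""
    by_id = defaultdict(list)
    for event in sorted(events, key=lambda e: e["date-time"]):
        by_id[event["message-id"]].append((event["event-id"], event["source"]))
    return dict(by_id)


def failed_recipients(events):
    """List (message-id, recipient, status) for every FAIL event."""
    found = []
    for event in events:
        if event["event-id"] == "FAIL":
            found += [(event["message-id"], address, status)
                      for address, status in recipient_results(event)]
    return found


if __name__ == "__main__":
    log_header, log_events = parse_tracking_log(SAMPLE_LOG)
    print(log_header["Log-Type"], log_header["Version"])
    for message_id, steps in timeline(log_events).items():
        print(message_id, " -> ".join(name for name, _ in steps))
    print(failed_recipients(log_events))
```

Grouping on message-id works within one organization because that value is constant for the lifetime of the message, while internal-message-id differs on every server.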

Event types in the message tracking log

Various event types in the event-id field are used to classify the message events in the message tracking log. Some message events appear in only one type of message tracking log file, and some message events appear in all types of message tracking log files. The event types that are used to classify each message event are explained in the following table.

Event name    Description

AGENTINFO

This event is used by transport agents to log custom data.

BADMAIL

A message submitted by the Pickup directory or the Replay directory that can't be delivered or returned.

DEFER

Message delivery was delayed.

DELIVER

A message was delivered to a local mailbox.

DROP

A message was dropped without a delivery status notification (also known as a DSN, bounce message, non-delivery report, or NDR). For example:

  • Completed moderation approval request messages.

  • Spam messages that were silently dropped without an NDR.

DSN

A delivery status notification (DSN) was generated.

DUPLICATEDELIVER

A duplicate message was delivered to the recipient. Duplication may occur if a recipient is a member of multiple nested distribution groups. Duplicate messages are detected and removed by the information store.

DUPLICATEEXPAND

During the expansion of the distribution group, a duplicate recipient was detected.

DUPLICATEREDIRECT

An alternate recipient for the message was already a recipient.

EXPAND

A distribution group was expanded.

FAIL

Message delivery failed. Sources include SMTP, DNS, QUEUE, and ROUTING.

HADISCARD

A shadow message was discarded after the primary copy was delivered to the next hop. For more information, see Shadow redundancy.

HARECEIVE

A shadow message was received by the server in the local database availability group (DAG) or Active Directory site.

HAREDIRECT

A shadow message was created.

HAREDIRECTFAIL

A shadow message failed to be created. The details are stored in the source-context field.

INITMESSAGECREATED

A message was sent to a moderated recipient, so the message was sent to the arbitration mailbox for approval. For more information, see Manage message approval.

LOAD

A message was successfully loaded at boot.

MODERATIONEXPIRE

A moderator for a moderated recipient never approved or rejected the message, so the message expired. For more information about moderated recipients, see Manage message approval.

MODERATORAPPROVE

A moderator for a moderated recipient approved the message, so the message was delivered to the moderated recipient.

MODERATORREJECT

A moderator for a moderated recipient rejected the message, so the message wasn't delivered to the moderated recipient.

MODERATORSALLNDR

All approval requests sent to all moderators of a moderated recipient were undeliverable, and resulted in non-delivery reports (NDRs).

NOTIFYMAPI

A message was detected in the Outbox of a mailbox on the local server.

NOTIFYSHADOW

A message was detected in the Outbox of a mailbox on the local server, and a shadow copy of the message needs to be created.

POISONMESSAGE

A message was put in the poison message queue or removed from the poison message queue.

PROCESS

The message was successfully processed.

PROCESSMEETINGMESSAGE

A meeting message was processed by the Mailbox Transport Delivery service.

RECEIVE

A message was received by the SMTP receive component of the transport service or from the Pickup or Replay directories (source: SMTP), or a message was submitted from a mailbox to the Mailbox Transport Submission service (source: STOREDRIVER).

REDIRECT

A message was redirected to an alternative recipient after an Active Directory lookup.

RESOLVE

A message's recipients were resolved to a different email address after an Active Directory lookup.

RESUBMIT

A message was automatically resubmitted from Safety Net. For more information, see Safety Net.

RESUBMITDEFER

A message resubmitted from Safety Net was deferred.

RESUBMITFAIL

A message resubmitted from Safety Net failed.

SEND

A message was sent by SMTP between transport services.

SUBMIT

The Mailbox Transport Submission service successfully transmitted the message to the Transport service. For SUBMIT events, the source-context property contains the following details:

  • MDB: The mailbox database GUID.

  • Mailbox: The mailbox GUID.

  • Event: The event sequence number.

  • MessageClass: The type of message. For example, IPM.Note.

  • CreationTime: Date-time of the message submission.

  • ClientType: For example, User, OWA, or ActiveSync.

SUBMITDEFER

The message transmission from the Mailbox Transport Submission service to the Transport service was deferred.

SUBMITFAIL

The message transmission from the Mailbox Transport Submission service to the Transport service failed.

SUPPRESSED

The message transmission was suppressed.

THROTTLE

The message was throttled.

TRANSFER

Recipients were moved to a forked message because of content conversion, message recipient limits, or agents. Sources include ROUTING or QUEUE.

Source values in the message tracking log

The values in the source field in the message tracking log indicate the transport component that's responsible for the message tracking event. The following table describes the values of the source field.

Source value    Description

ADMIN

The event source was human intervention. For example, an administrator used Queue Viewer to delete a message, or submitted message files using the Replay directory.

AGENT

The event source was a transport agent.

APPROVAL

The event source was the approval framework that's used with moderated recipients. For more information, see Manage message approval.

BOOTLOADER

The event source was unprocessed messages that exist on the server at boot time. This is related to the LOAD event type.

DNS

The event source was DNS.

DSN

The event source was a delivery status notification (DSN). For example, a non-delivery report (NDR).

GATEWAY

The event source was a Foreign connector. For more information, see Foreign connectors.

MAILBOXRULE

The event source was an Inbox rule. For more information, see Inbox rules.

MEETINGMESSAGEPROCESSOR

The event source was the meeting message processor, which updates calendars based on meeting updates.

ORAR

The event source was an Originator Requested Alternate Recipient (ORAR). You can enable or disable support for ORAR on Receive connectors using the OrarEnabled parameter on the New-ReceiveConnector or Set-ReceiveConnector cmdlets.

PICKUP

The event source was the Pickup directory. For more information, see Pickup directory and Replay directory.

POISONMESSAGE

The event source was the poison message identifier. For more information about poison messages and the poison message queue, see Queues.

PUBLICFOLDER

The event source was a mail-enabled public folder.

QUEUE

The event source was a queue.

REDUNDANCY

The event source was Shadow Redundancy. For more information, see Shadow redundancy.

ROUTING

The event source was the routing resolution component of the categorizer in the Transport service.

SAFETYNET

The event source was Safety Net. For more information, see Safety Net.

SMTP

The message was submitted by the SMTP send or SMTP receive component of the transport service.

STOREDRIVER

The event source was a MAPI submission from a mailbox on the local server.

Example entries in the message tracking log

An uneventful message sent between two users generates several entries in the message tracking log. You can see the results using the Get-MessageTrackingLog cmdlet. For more information, see Search message tracking logs.

This is a condensed example of the message tracking log entries created when the user chris@contoso.com successfully sends a test message to the user michelle@contoso.com. Both users have mailboxes on the same server.

EventId    Source      Sender            Recipients             MessageSubject
-------    ------      ------            ----------             --------------
NOTIFYMAPI STOREDRIVER                   {}
RECEIVE    STOREDRIVER chris@contoso.com {michelle@contoso.com} test
SUBMIT     STOREDRIVER chris@contoso.com {michelle@contoso.com} test
HAREDIRECT SMTP        chris@contoso.com {michelle@contoso.com} test
RECEIVE    SMTP        chris@contoso.com {michelle@contoso.com} test
AGENTINFO  AGENT       chris@contoso.com {michelle@contoso.com} test
SEND       SMTP        chris@contoso.com {michelle@contoso.com} test
DELIVER    STOREDRIVER chris@contoso.com {michelle@contoso.com} test

Security concerns for the message tracking log

No message content is stored in the message tracking log. By default, the subject line of an email message is stored in the message tracking log. You may want to disable message subject logging to comply with increased security or privacy requirements. Before you enable or disable message subject logging, make sure that you verify your organization's policy about revealing subject line information. For more information, see Configure message tracking.