Message tracking event IDs in Exchange Server 2003
Posted by: John Bostock
Exchange Tracking Center, Exchange, Outlook, OWA, Microsoft Windows, Windows Computing, Mailboxes, Message logging, Message tracing
Here are some of the event IDs that are logged to message tracking log files. You can enable message tracking logs to track or to troubleshoot the flow or status of a message in Exchange Server 2003 as shown in previous blog. You can record information about the sender, the message, and the recipient. If you want to log more detailed information, you can also record the subject line of messages.
By default, the tracking logs are located in the C:\Program Files\Exchsrvr\YourServerName.log folder. Each daily log is named in the yyyymmdd.log format according to the date that the log was created. The file name date is in Coordinated Universal Time (UTC). Here is a list of event ID’s and there meaning. You can import this log file into Excel which makes it easier to read as opening the text file is too busy.
A few FAQ’s
Q1: When a message is generated in the system for the first time, what event is associated with that message in the tracking log?
A1: There are different events for different message submission paths to Exchange Server 2003. For example, for messages that are submitted through the SMTP component, the first event ID in the tracking log is 1019. For messages that are submitted through the Store component, the first event ID in the tracking log is 1027.
Q2: Is there one event ID that covers the creation of all messages and that only appears one time per message?
A2: There is no one event that covers the creation of all messages because messages can be created in various ways by various clients, remote servers, and pickup directory. It would make no sense to use the same event for all these code paths. Or, it would be impossible to use the same event for all these code paths. However, event 1019 is logged when any message enters Inetinfo-side transport processing. The tracking log may frequently contain multiple 1019 events that have the same message ID. For example, this may occur if the server is restarted multiple times during a period when the remote destination for the particular message is down. On each restart, the message is resubmitted, and event 1019 is logged. This is expected behavior.
Q3: Why are there multiple 1020 and 1031 events that are logged for the same message ID?
A3: This is expected behavior. The same message ID can be transferred out multiple times. When the same message ID is transferred out multiple times, events 1020 and 1031 are generated.
| Event Number | Event Type | Description |
| 0 | Message transfer in | The message was received from a server, a connector, or a gateway. |
| 1 | Probe transfer in | An X.400 probe was received from a gateway, a link, or a message transfer agent (MTA). |
| 2 | Report transfer in | A delivery receipt or a non-delivery report (NDR) was received from a server, a connector, or a gateway. |
| 4 | Message submission | The message was sent by the client. |
| 5 | Probe submission | An X.400 probe was received from a user. |
| 6 | Probe transfer out | An X.400 probe was sent to a gateway, a link, or an MTA. |
| 7 | Message transfer out | The message was sent to a server, a connector, or a gateway. |
| 8 | Report transfer out | A delivery receipt or an NDR was sent to a server, a connector, or a gateway. |
| 9 | Message delivered | The message was delivered to a mailbox or a public folder. |
| 10 | Report delivered | A delivery receipt or an NDR was delivered to a mailbox. |
| 18 | StartAssocByMTSUser | |
| 23 | ReleaseAssocByMTSUse | |
| 28 | Message redirected | The message was sent to mailboxes other than the mailboxes of the recipients. |
| 29 | Message rerouted | The message was routed to an alternative path. |
| 31 | Downgrading | An X.400 message was downgraded to 1984 format before relay. |
| 33 | Report absorption | The number of delivery receipts or of NDRs exceeded a threshold and the reports were deleted. |
| 34 | Report generation | A delivery receipt or an NDR was created. |
| 43 | Unroutable report discarded | A delivery receipt or an NDR could not be routed and was deleted from the queue. |
| 50 | Gateway deleted message | The administrator deleted an X.400 message that was queued for a gateway. |
| 51 | Gateway deleted probe | The administrator deleted an X.400 probe that was queued for a gateway. |
| 52 | Gateway deleted report | The administrator deleted an X.400 report that was queued for a gateway. |
| 1000 | Local delivery | The sender and the recipient are on the same server. |
| 1001 | Backbone transfer in | Mail was received from another MAPI system across a connector or across a gateway. |
| 1002 | Backbone transfer out | Mail was sent to another MAPI system across a connector or across a gateway. |
| 1003 | Gateway transfer out | The message was sent through a gateway. |
| 1004 | Gateway transfer in | The message was received from a gateway. |
| 1005 | Gateway report transfer in | A delivery receipt or an NDR was received from a gateway. |
| 1006 | Gateway report transfer out | A delivery receipt or an NDR was sent through a gateway. |
| 1007 | Gateway report generation | A gateway generated an NDR for a message. |
| 1010 | SMTP queued outbound | Outgoing mail was queued for delivery by the Internet Mail Service. |
| 1011 | SMTP transferred outbound | Outgoing mail was transferred to an Internet recipient. |
| 1012 | SMTP received inbound | Incoming mail was received from by the Internet Mail Service. |
| 1013 | SMTP transferred | Incoming mail that was received by the Internet Mail Service was transferred to the information store. |
| 1014 | SMTP message rerouted | An Internet message is being rerouted or forwarded to the correct location. |
| 1015 | SMTP report transferred In | A delivery receipt or an NDR was received by the Internet Mail Service |
| 1016 | SMTP report transferred out | A delivery receipt or an NDR was sent to the Internet Mail Service. |
| 1017 | SMTP report generated | A delivery receipt or an NDR was created. |
| 1018 | SMTP report absorbed | The receipt or the NDR could not be delivered and was absorbed. (You cannot send an NDR for an NDR.) |
| 1019 | SMTP submit message to AQ | A new message is submitted to Advanced Queuing. |
| 1020 | SMTP begin outbound transfer | A message is about to be sent over the wire by SMTP. |
| 1021 | SMTP bad mail | The message was transferred to the Badmail folder. |
| 1022 | SMTP AQ failure | A fatal Advanced Queuing error occurred. Information about the failure was written to the Event Manager. |
| 1023 | SMTP local delivery | A message was successfully delivered by a store drive (logged by Advanced Queue). |
| 1024 | SMTP submit message to cat | Advanced Queuing submitted a message to the categorizer. |
| 1025 | SMTP begin submit message | A new message was submitted to Advanced Queuing. |
| 1026 | SMTP AQ failed message | Advanced Queuing could not process the message. The message caused an NDR to be sent, or the message was put in the Badmail folder. |
| 1027 | SMTP submit message to SD | A message was submitted to the store driver by the MTA. |
| 1028 | SMTP SD local delivery | The store driver successfully delivered a message (logged by store driver). |
| 1029 | SMTP SD gateway delivery | The store driver transferred the message to the MTA. |
| 1030 | SMTP NDR all | All recipients were sent an NDR. |
| 1031 | SMTP end outbound transfer | The outgoing message was successfully transferred. |
| 1032 | SMTP message scheduled to retry categorization | |
| 1033 | SMTP message categorized and queued for routing | |
| 1034 | SMTP message routed and queued for remote delivery | |
| 1035 | SMTP message scheduled to retry routing | |
| 1036 | SMTP message queued for local delivery | |
| 1037 | SMTP message scheduled to retry local delivery | |
| 1038 | SMTP message routed and queued for gateway delivery | |
| 1039 | SMTP message deleted by Intelligent Message Filtering | |
| 1040 | SMTP message rejected by Intelligent Message Filtering | |
| 1041 | SMTP message archived by Intelligent Message Filtering | |
| 1042 | Message redirected to the alternate recipient |
Comment
RSS Feed
Email a friend
You must be logged-in to post a comment. Log-in/Register