Exchange Server Forums


OWA monitoring

OWA monitoring - 9.Mar.2011 9:27:40 AM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
Forgive me if this topic has been covered elsewhere on these forums, and also please forgive me for being somewhat of a tech noob - I am IT admin for a small company and have had this role thrust upon me reluctantly.

I only know enough to 'get by' and rely on expert advice from others like yourselves quite often!

My query relates to OWA on Exchange 2007 (running in SBS 2008 environment) - all our users are allowed OWA to their email accounts, however I wondered if it is possible to create or view a log that shows which users are remotely logging in to look at their emails, and when?

I hope someone can help - kind regards,
Lee.
Post #: 1
RE: OWA monitoring - 9.Mar.2011 10:04:03 AM   
leederbyshire

 

Posts: 1356
Joined: 4.Jan.2006
Status: offline
There is only the IIS log file, which on SBS2008, you will find in C:\Inetpub\Logs\LogFiles\W3SVC1. Double-click one, and it'll open in Notepad. The times on the left-hand side are in GMT. Wherever you see a request for GET /owa , that is someone doing something in OWA. After the first request in a block (which will be an unauthenticated request, since the browser tries that first), you will see a username written within the line. It's not a fun task, by any means, but you'll get some idea of who is using it. If this is something you want to do every day, then we'll have to come up with something else. But it will probably involve adding some program code to your OWA server files, which will then make them non-standard. Which might be something you prefer to avoid. Another possibility, which will make it less tedious, is this:
http://msexchangeteam.com/archive/2007/09/12/446982.aspx

_____________________________

Lee.
___________________________________

Outlook Web Access for PDA and WAP:
www.leederbyshire.com
___________________________________

(in reply to Lee Kendall)
Post #: 2
RE: OWA monitoring - 9.Mar.2011 10:58:39 AM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
Lee- Many thanks for your post.

I had a look through the W3SVC1 folder as you suggested, and see what you mean about the lack of 'fun' in searching through the logs. However, I actually only found one GET /owa reference in the last 10 days or so worth of logs, which is strange because I have myself remotely logged on more times than this during the last 10 days. Also, the one GET /owa reference that I did find did not seem to give any indication who the user was either.

I also tried the logparser solution referred to in your link (by copying/pasting the ActiveSync script into logparser and replacing the folder path from that script with "C:\Inetpub\Logs\LogFiles\W3SVC1\u_ex*.log" instead), however it didn't give me the sample output I had hoped for - see below:-
     

C:\Program Files (x86)\Log Parser 2.2>logparser "SELECT cs-username AS UserID, cs(User-Agent) AS DeviceType, count (*) FROM c:\Inetpub\logs\logfiles\w3svc1\u_ex*.log WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%' AND cs-username IS NOT NULL GROUP BY UserID, DeviceType ORDER BY UserID" -rtp:-1

Statistics:
-----------
Elements processed: 64882
Elements output:    0
Execution time:     13.38 seconds


C:\Program Files (x86)\Log Parser 2.2>


Like I said I'm a total noob but am I looking in the wrong place for the output or something? Or is my amended script wrong in some way (more likely)? I do like your suggested idea of using logparser, I think it would probably be a much neater solution if I could get it to work.

Thanks again and regards, Lee

(in reply to leederbyshire)
Post #: 3
RE: OWA monitoring - 9.Mar.2011 11:09:17 AM   
leederbyshire

 

Posts: 1356
Joined: 4.Jan.2006
Status: offline
If you can't see anything in Notepad, then logparser won't find anything, either. It is possible to disable logging for a web site, and if there's nothing there, I'd first check to make sure that it is still enabled. First, have a look at the properties of your default web site in IIS manager, and make sure that logging is enabled, and that the file path is pointing to the place we are looking for them. Then look at the properties of the owa virtual directory, and make sure that logging has not been disabled at that level (logging configuration is what they once liked to call 'granular').

_____________________________

Lee.
___________________________________

Outlook Web Access for PDA and WAP:
www.leederbyshire.com
___________________________________

(in reply to Lee Kendall)
Post #: 4
RE: OWA monitoring - 9.Mar.2011 12:08:06 PM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
Lee - thanks again.

Ok I looked at the properties of my default FTP site in IIS 6.0 manager - logging is enabled but is writing to the C:\Windows\system32\LogFiles folder. I looked in there and found a few "IN1*.log" files which showed all the instances of users connecting to our VPN (no owa logs however).

The second part of your post started to (embarrassingly) push the limits of my knowledge and ability - how exactly do I check if logging is enabled in the properties of the owa virtual directory? I opened Exchange Management Console> Server Config> Client Access> Outlook Web Access> right click on owa, and looked through all the tabs but couldn't find anything that looked like 'enable logging'. Please can you point me in the right direction?

Cheers, Lee

(in reply to leederbyshire)
Post #: 5
RE: OWA monitoring - 9.Mar.2011 1:23:38 PM   
leederbyshire

 

Posts: 1356
Joined: 4.Jan.2006
Status: offline
I assume you mean Default Web Site? FTP is quite different. In SBS2008, I don't think the IIS6 Manager is any good for this kind of thing. You have IIS7, and I think the IIS6 Manager is only there for some odd compatibility reasons, since you can only see a few things in it. Look for the other IIS Manager on the server, and look at the properties of the Default Web Site. You should see an icon for logging properties in the right-hand pane. Double-click it, and if it is disabled, you will see 'enable' in the far-right column. Click Enable, and Apply.

(in reply to Lee Kendall)
Post #: 6
RE: OWA monitoring - 9.Mar.2011 1:43:06 PM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
Hi - followed your instructions and noticed logging was already enabled in the IIS7 default web site setting, and is writing logs to the folder path you specified earlier, i.e. C:\inetpub\logs\LogFiles.

Looking again at this folder, there are 4 other folders in it besides the W3SVC1 folder such as W3SVC3 and similar - is this relevant at all?

Thanks

(in reply to leederbyshire)
Post #: 7
RE: OWA monitoring - 9.Mar.2011 2:24:51 PM   
leederbyshire

 

Posts: 1356
Joined: 4.Jan.2006
Status: offline
It could be relevant, yes. You have other folders there because there is one for each web site. If you find the /owa requests in another folder, then it means that they are going to the wrong web site on the server. They should be in the W3SVC1 folder if your OWA is in the Default Web Site. Which it usually is.

(in reply to Lee Kendall)
Post #: 8
RE: OWA monitoring - 10.Mar.2011 5:37:32 AM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
OK - I found all the GET /owa logs in the daily log files in the W3SVC3 folder, not W3SVC1. I assume from the tone of your last post that really they shouldn't be in W3SVC3, however given that everything seems to 'work' and that I am very unfamiliar with IIS, I am inclined to leave everything alone and willingly accept that unless you think it is a problem I need to fix.

Anyway, now that I know where the logs are, can you think of a logparser script similar to the one I posted yesterday that would quickly disseminate the information I was looking for, i.e. which users are logging in to owa and when?

The script I copied from your link now works but obviously gives me different information than what I was looking for (this gives user / device type / activity). I simply can't write scripts or code but kind of get the gist of it.

Thanks again, Lee

(in reply to leederbyshire)
Post #: 9
RE: OWA monitoring - 10.Mar.2011 8:32:08 AM   
leederbyshire

 

Posts: 1356
Joined: 4.Jan.2006
Status: offline
Since this is SBS, I guess the default web site is used for something else, which is why your OWA is in a different web site. I don't know much about SBS, except that in most aspects it's the same as a normal Windows server with the same applications.

The thing to note about the logparser command is that the field names match the headers in the iis log file. The fourth line in my iis log file looks like this:

#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status

and you will see that some of these field names appear in the logparser command line. You need to add the ones you need, and omit the ones you don't. Within the logparser command (i.e. the parameter passed to it) is a fairly standard looking SQL query, which is why it starts with SELECT followed by field names (you can omit the word AS, since this is just used for display purposes in the output), then the WHERE clause and finally GROUP and ORDER BY. If you know SQL, it will help. If not, then just add the field names you need to the list.

_____________________________

Lee.
___________________________________

Outlook Web Access for PDA and WAP:
www.leederbyshire.com
___________________________________

(in reply to Lee Kendall)
Post #: 10
RE: OWA monitoring - 10.Mar.2011 10:44:47 AM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
After much messing about and experimentation, I've come up with the following script for logparser which seems to work quite well:

logparser "SELECT date AS DATE, time AS TIME, cs-username AS USER, c-ip, count (*) FROM c:\Inetpub\logs\logfiles\w3svc3\u_ex1103*.log WHERE cs-method LIKE '%GET%' AND cs-uri-stem LIKE '%owa%' GROUP BY DATE, TIME, c-ip, USER ORDER BY USER" -rtp:-1

I have narrowed it down to only check log files generated this month by adding the 1103 digits into the FROM clause - this is because the sheer amount of output I get back otherwise exceeds the readable / scrollable area within logparser. From the results I've found a few naughty things that other people shouldn't be doing ;) - time to change passwords methinks.

Anyhow, I know nothing about SQL and simply developed the script from other examples by breaking it down into its constituent parts, running it, looking at your advice, looking at the errors and amending as appropriate etc. Do you know if there is a clause you can insert which will limit the date criteria to certain specified dates, rather than the '1103' solution I've come up with?

By the way Lee you're a legend for helping me with this and I'd buy you a pint if I could.

(in reply to leederbyshire)
Post #: 11
RE: OWA monitoring - 10.Mar.2011 10:57:41 AM   
leederbyshire

 

Posts: 1356
Joined: 4.Jan.2006
Status: offline
Instead of using
LIKE '%GET%'
you can probably just use
= 'GET'
which I expect is more efficient (a simpler comparison). For the dates, you can compare the date field. If you want a single date, add
AND date = '2011-03-01'
for a range of dates, try
AND date >= '2011-03-01' AND date <= '2011-03-03'
I expect you can send the output to a file if it makes it easier to handle, by sticking
> C:\test.txt
on the end.

_____________________________

Lee.
___________________________________

Outlook Web Access for PDA and WAP:
www.leederbyshire.com
___________________________________

(in reply to Lee Kendall)
Post #: 12
RE: OWA monitoring - 10.Mar.2011 11:40:05 AM   
Lee Kendall

 

Posts: 7
Joined: 9.Mar.2011
Status: offline
Brilliant. For the benefit of anyone else I have settled on the following script:

logparser "SELECT date, time, cs-username AS USER, c-ip, count (*) FROM c:\[YOUR OUTPUT LOG FILE]u_ex*.log WHERE cs-method LIKE '%GET%' AND cs-uri-stem LIKE '%owa%' AND date >= '[YOUR LOWER DATE RANGE]' AND date <= '[YOUR UPPER DATE RANGE]' GROUP BY DATE, TIME, c-ip, USER ORDER BY c-ip" -rtp:-1 > C:\Users\[YOUR USERNAME]\Desktop\LOGPARSER_RESULTS.txt

Thanks again for all your help.

(in reply to leederbyshire)
Post #: 13
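
The same report built outside Log Parser, as an added example that is not from the thread or from either poster: it maps each row to the #Fields header as described in post 10, keeps only authenticated GET /owa requests, and collapses them to one row per user, date and client IP, which avoids the per-second output volume mentioned in post 11. The log lines, user names and addresses are constructed, and the function names are this example's own.

```python
# Constructed sample in IIS W3C extended format; users, IPs and times are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status
2011-03-09 09:00:01 GET /owa/ - 443 - 203.0.113.7 Mozilla/4.0 - 401 2 5
2011-03-09 09:00:02 GET /owa/ - 443 EXAMPLE\\alice 203.0.113.7 Mozilla/4.0 - 200 0 0
2011-03-09 09:14:30 GET /owa/ ae=Folder 443 EXAMPLE\\alice 203.0.113.7 Mozilla/4.0 - 200 0 0
2011-03-09 22:41:10 GET /owa/ - 443 EXAMPLE\\alice 198.51.100.23 Mozilla/5.0 - 200 0 0
2011-03-09 10:05:00 POST /Microsoft-Server-ActiveSync Cmd=Sync 443 EXAMPLE\\bob 192.0.2.44 Apple-iPhone - 200 0 0
2011-03-10 08:30:00 GET /owa/ - 443 EXAMPLE\\bob 192.0.2.44 Mozilla/4.0 - 200 0 0
"""

def owa_logons(lines):
    """Summarise authenticated GET /owa requests per (user, date, client IP)."""
    fields, summary = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # IIS may rewrite this header mid-file
            continue
        if not line or line.startswith("#"):
            continue                         # other directives and blank lines
        values = line.split()                # IIS writes spaces inside values as '+'
        if len(values) != len(fields):
            continue                         # truncated or malformed row
        row = dict(zip(fields, values))
        if row.get("cs-method") != "GET":
            continue
        if not row.get("cs-uri-stem", "").lower().startswith("/owa"):
            continue
        user = row.get("cs-username", "-")
        if user == "-":
            continue                         # the browser's first, unauthenticated try
        key = (user.lower(), row.get("date", "-"), row.get("c-ip", "-"))
        when = row.get("time", "-")          # IIS log times are GMT
        entry = summary.setdefault(key, {"first": when, "last": when, "hits": 0})
        entry["first"], entry["last"] = min(entry["first"], when), max(entry["last"], when)
        entry["hits"] += 1
    return summary

def users_with_multiple_ips(summary):
    """Return {(user, date): sorted IPs} for accounts seen from more than one address in a day."""
    seen = {}
    for user, date, ip in summary:
        seen.setdefault((user, date), set()).add(ip)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (user, date, ip), e in sorted(owa_logons(SAMPLE_LOG.splitlines()).items()):
        print(date, user, ip, e["first"], e["last"], e["hits"])
```

To run it on real logs, pass an open file object for one of the u_ex*.log files in place of the sample lines.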
