Tuesday, November 18, 2014

Outlook Web Access (OWA) and ActiveSync reporting using IIS logs

From: http://myriadofthings.com/outlook-web-access-owa-and-activesync-reporting-using-iis-logs/

http://www.msexchange.org/articles-tutorials/exchange-server-2003/tools/Using-Logparser-Utility-Analyze-ExchangeIIS-Logs.html
I was asked to report on how many people were still accessing a legacy Exchange server via Outlook Web Access for the purposes of retiring it permanently.  Here is a step-by-step walkthrough. Pasted commands may not work.  Please type directly into the cmd window!
  1. Locate your IIS logs on your Exchange server.  Mine were stored in C:\inetpub\logs\LogFiles\W3SVC1.  For more help refer to this article.
  2. For this example we will be copying the logs we need locally to the C:\log directory.  This method could easily be adapted to use UNC paths but was not needed for my purposes.  IIS should create one log per day, so copy as many days of logs as you would like to report on to c:\log on your local machine.
  3. Download Log Parser 2.2 from the Microsoft website and install it to the default directory.
  4. Next we will use Log Parser to combine all of these logs into a single file.  Create a subdirectory under c:\log called mergedlog.  From the command line navigate to the Log Parser directory "C:\Program Files (x86)\Log Parser 2.2" and run the following command:

    logparser.exe -i:iisw3c "select * into c:\log\mergedlog\merge.log from c:\log\*" -o:csv

     This will create a single log file named merge.log and convert the data from iisw3c to csv format.
  5. Next we will need to run a command that will pull the information we are looking for out of the log.  Here are three examples that list User Name, Date, Time, IP, page accessed, and user agent. Each will output the results into a file named output.csv in the c:\log directory.
The first command looks for OWA access:

    LogParser -i:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE '%get%' and cs-uri-stem LIKE '%owa%'"

This next command lists ActiveSync users:

    LogParser -i:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE '%post%' and cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%'"

Finally, as a bonus, this one looks for Mac Office users:

    LogParser -i:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE '%post%' and cs(user-agent) LIKE '%Macoutlook%'"
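
The three queries above list every matching request, while a retirement decision usually needs one line per user. The following Python script is an added example, not part of the original post: it goes beyond the queries by reading raw IIS W3C log lines directly, applying the same three filters, and returning hit counts and last-seen time per authenticated user. The sample log lines, account names and the names `RULES`, `parse_w3c` and `summarise` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2014-11-10 08:01:12 GET /owa/ - 10.0.0.5 Mozilla/5.0+(Windows+NT+6.1) 401
2014-11-10 08:01:13 GET /owa/ CONTOSO\\alice 10.0.0.5 Mozilla/5.0+(Windows+NT+6.1) 200
2014-11-12 17:45:00 GET /owa/auth/logon.aspx contoso\\Alice 10.0.0.9 Mozilla/5.0+(Windows+NT+6.1) 200
2014-11-11 09:30:41 POST /Microsoft-Server-ActiveSync/default.eas CONTOSO\\bob 10.0.1.7 Apple-iPhone6C1/1202.466 200
2014-11-11 10:02:03 POST /EWS/Exchange.asmx CONTOSO\\carol 10.0.2.3 MacOutlook/14.4.5.141003+(Intel+Mac+OS+X+10.9.5) 200
"""

# Same filters as the three Log Parser queries: (method, field, substring).
RULES = {
    "owa": ("get", "cs-uri-stem", "owa"),
    "activesync": ("post", "cs-uri-stem", "microsoft-server-activesync"),
    "macoutlook": ("post", "cs(User-Agent)", "macoutlook"),
}

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarise(lines):
    """Return {category: {user: {"hits": n, "last_seen": "date time"}}}."""
    report = defaultdict(dict)
    for row in parse_w3c(lines):
        # Windows account names are case-insensitive, so merge on lower case.
        user = row.get("cs-username", "-").lower()
        if user == "-":  # unauthenticated request, e.g. the initial 401 challenge
            continue
        stamp = row.get("date", "") + " " + row.get("time", "")
        for name, (method, field, needle) in RULES.items():
            if method in row.get("cs-method", "").lower() and needle in row.get(field, "").lower():
                entry = report[name].setdefault(user, {"hits": 0, "last_seen": ""})
                entry["hits"] += 1
                entry["last_seen"] = max(entry["last_seen"], stamp)
    return dict(report)

if __name__ == "__main__":
    for category, users in summarise(SAMPLE_LOG.splitlines()).items():
        print(category, users)
```

To run it against real logs, pass the lines of each copied log file to `summarise` instead of `SAMPLE_LOG`.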
There is a good book you can get on Amazon called Microsoft Log Parser Toolkit that has a goldmine of knowledge on how to use this tool.

2 comments:

  1. Error: Syntax Error: : no valid LIKE mask when running the OWA or active sync queries

  2. To avoid this problem, use double %% wildcard characters when writing a command-line batch file so the command looks like:

    LogParser.exe -i:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE '%%GET%%' and cs-uri-stem LIKE '%%owa%%'"
