From: http://myriadofthings.com/outlook-web-access-owa-and-activesync-reporting-using-iis-logs/
I was asked to report on how many people were still accessing a legacy Exchange server via Outlook Web Access for the purposes of retiring it permanently. Here is a step by step walk through. Pasted commands may not work. Please type directly into the cmd window!
- Locate your IIS logs on your exchange server. Mine were stored in C:\inetpub\logs\LogFiles\W3SVC1. For more help refer to this article.
- For this example we will be copying the logs we need locally to the C:\log directory. This method could easily be adapted to use UNC paths but was not needed for my purposes. IIS should create one log per day so copy the number of days you would like to report on to c:\log on your local machine.
- Download Log Parser 2.2 from the Microsoft website and install it to the default directory.
- Next we will use log parser to combine all of these logs into a single file. Create a subdirectory under c:\log called mergedlog. From the command line navigate to the log parser directory “C:\Program Files (x86)\Log Parser 2.2” and run the following command “logparser.exe -i:iisw3c “select * into c:\log\mergedlog\merge.log from c:\log\*” -o:csv” This will create a single log file named merge.log and convert the data from iisw3c to csv format.
- Next we will need to run a command that will pull the information we are looking for out of the log. Here are three examples that list User Name, Date, Time, IP, page accessed, and user agent. Each will output the results into a file named output.csv in the c:\log directory.
The first command looks for OWA access
LogParser -i:csv “SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE ‘%get%’ and cs-uri-stem LIKE ‘%owa%’
This next command lists ActiveSync users
LogParser -i:csv “SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE ‘%post%’ and cs-uri-stem LIKE ‘%Microsoft-Server-ActiveSync%’
Finally as a Bonus This one looks for Mac Office Users
LogParser -i:csv “SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE ‘%post%’ and cs(user-agent) LIKE ’%Macoutlook%’
There is a good book you can get on Amazon called Microsoft Log Parser Toolkit that has a goldmine of knowledge on how to use this tool.
Error: Syntax Error: : no valid LIKE mask when running the OWA or active sync queries
ReplyDeleteTo avoid this problem, use double %% wildcard characters when writing a command-line batch file so command looks like
ReplyDeleteLogParser.exe -i:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE '%%GET%%' and cs-uri-stem LIKE '%%owa%%'"