Q

Decoding Outlook Web Access log entries

SearchExchange.com expert Richard Luckett gives advice on what to look for and how to read Outlook Web Access log entries

I read your expert answer Checking logs for OWA logon attempts. I was wondering if you could point me somewhere that would tell me how to read those logs. I am a little concerned after looking at some of them. For example, I see a lot of lines like this:

GET /exchange/ - 80 - xxx.xxx.x.x Mozilla/4.0 401 2 2148074254. (The x's are replacing an IP address.)

Are these lines normal, or is that someone trying to hack into our system?

It is perfectly normal to see a number of GET commands in the IIS World Wide Web Consortium (W3C) logs. Outlook Web Access is extremely log-intensive. There will be an overwhelming number of log entries -- as you've discovered.

The log format is based on the W3C's extended log file format. For troubleshooting purposes, it is possible to have additional information logged.

In the following example, notice that, in addition to what you are logging, there is also a domain and username being logged:

2005-08-05 00:25:05 192.168.1.11 GK\rich.luckett 192.168.1.250 80 GET /exchange - 404 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0;+DigExt)

Learn more about the format here.
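
As an added example (not part of the original answer), the sketch below reads W3C extended entries by the column names in the `#Fields:` header and counts 401 responses per client, separating requests that arrived without credentials (IIS sub-status 2 with `-` as the username, like the line in the question) from requests whose credentials were refused (sub-status 1). The log lines, host addresses, account names and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format; hosts and accounts are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2005-08-05 00:25:01 192.0.2.10 - 80 GET /exchange/ 401 2 2148074254
2005-08-05 00:25:02 192.0.2.10 EXAMPLE\\alice 80 GET /exchange/ 200 0 0
2005-08-05 00:26:10 198.51.100.7 - 80 GET /exchange/ 401 2 2148074254
2005-08-05 00:26:11 198.51.100.7 EXAMPLE\\bob 80 GET /exchange/ 401 1 1326
2005-08-05 00:26:12 198.51.100.7 EXAMPLE\\bob 80 GET /exchange/ 401 1 1326
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can recur after a service restart
        elif line and not line.startswith("#"):
            values = line.split()       # IIS writes spaces inside a value as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def summarize_401(entries):
    """Count 401 responses per client IP, split by IIS sub-status."""
    challenges, rejected = Counter(), Counter()
    for e in entries:
        if e.get("sc-status") != "401":
            continue
        ip = e.get("c-ip", "?")
        if e.get("sc-substatus") == "1":    # 401.1: credentials sent and refused
            rejected[ip] += 1
        else:                               # e.g. 401.2: no usable credentials sent
            challenges[ip] += 1
    return challenges, rejected

def noisy_clients(rejected, threshold=2):
    """Client IPs with at least `threshold` refused logons (threshold is an assumption)."""
    return sorted(ip for ip, n in rejected.items() if n >= threshold)

if __name__ == "__main__":
    challenges, rejected = summarize_401(parse_w3c(SAMPLE_LOG))
    print("challenges:", dict(challenges))
    print("rejected:  ", dict(rejected))
    print("review:    ", noisy_clients(rejected))
```

Because the columns are taken from the `#Fields:` line, the same code works whichever optional fields are enabled in IIS logging, provided `sc-substatus` is among them.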



This was first published in December 2005.