Ask the Expert

Decoding Outlook Web Access log entries

I read your expert answer Checking logs for OWA logon attempts. I was wondering if you could point me somewhere that would tell me how to read those logs. I am a little concerned after looking at some of them. For example, I see a lot of lines like this:

GET /exchange/ - 80 - xxx.xxx.x.x Mozilla/4.0 401 2 2148074254. (The x's are replacing an IP address.)

Are these lines normal, or is that someone trying to hack into our system?

    Requires Free Membership to View

It is perfectly normal to see a number of GET commands in the IIS World Wide Web Consortium (W3C) logs. Outlook Web Access is extremely log intensive. There will be an overwhelming amount of log entries -- as you've discovered.

The log format is based off of the W3C's extended log file format. For troubleshooting purposes, it is possible to have additional information logged.

In the following example, notice that, in addition to what you are logging, there is also a domain and username being logged:

2005-08-05 00:25:05 192.168.1.11 GKrich.luckett 192.168.1.250 80 GET /exchange - 404 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0;+DigExt)

Learn more about the format here.


Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:

  • Tip: Exchange Server diagnostics: An introduction to application and system logs
  • Tip: Exchange Server diagnostics: Digging into IIS logs
  • Resource Center: Monitoring and logging tips and resources
  • Free Download: Exchange Server Best Practices Analyzer Tool

  • This was first published in December 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: