Exchange Server diagnostics: Digging into IIS logs


Brien M. Posey
09.20.2005

As you are no doubt aware, Exchange Server is dependent on Internet Information Server (IIS). IIS performs some fairly extensive logging, which can be particularly useful to anyone running Outlook Web Access. In this article, I explain how IIS logs work and how you can use them to monitor aspects of your Exchange environment.

How IIS logging works

IIS logging is enabled by default, and has six different log file formats you can use. The default logging type is the W3C Extended Log File Format, which is suitable for most situations.

Logging works differently in IIS 6 than it did in IIS 5. In IIS 5, logging was performed by a COM-based module called Inetinfo.exe. While this technique was effective, it had to be changed in IIS 6, because of the way the newer version uses application pools.

IIS 6 servers with multiple application pools, or multiple worker processes in a single application pool, would encounter synchronization or multiple instance issues if Inetinfo.exe was used.

Instead, IIS 6 performs all logging within the HTTP protocol stack. A file named HTTP.sys performs the actual logging. Not only does this cure the multi-instance and synchronization problems I just mentioned, but all HTTP traffic passes through the HTTP protocol stack. This means that all HTTP requests are logged. There is no easy way for a hacker to bypass or disable the logging mechanism.

Although the IIS logging mechanism works at the HTTP level, logs are created on a per-Web-site basis. Depending on how your server is configured, this could be good or bad. On one hand, creating logs at the Web site level means that, if your server is hosting multiple sites, each site will have its own set of logs. On the other hand, when you install Exchange Server, Outlook Web Access (OWA) and Outlook Mobile Access (OMA) are implemented as a part of the default Web site.

The default Web site is already used for administrative purposes and may also be used by applications like SUS or WSUS. This means that OWA and OMA log entries are mixed with log entries pertaining to anything else the default Web site has been set up for.

Of course, Exchange should ideally be the only application running on a server, but in the real world, budgets are tight and servers sometimes need to perform multiple tasks.

The logs themselves are placed into the \Windows\System32\LogFiles folder. The default Web site's logs are stored in a subfolder named W3SVC1.

If the server is configured to host multiple Web sites, then the log files for the other sites will also be stored in subfolders beneath the \Windows\System32\LogFiles folder. The subfolder names will be random, but will start with W3SVC. W3SVC1 is always reserved for the default Web site though.

When you open the subfolder, you will see all the logs. By default, the logs are stored in plain ASCII text. There is a separate log file used for each day. Therefore, if you want to examine a specific day's activities, you can just reference the log file created that day. Keep in mind though that IIS won't actually create a log file until activity occurs. So if there are days when IIS doesn't receive any requests, then there won't be log files for those days.
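As an added example (not code from the original tip), the following Python parser reads a W3SVC1 log in W3C Extended format and separates OWA and OMA requests from the other default Web site traffic they are mixed with, reporting client IPs per authenticated user and 401 counts per client. The virtual directory names and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed Exchange 2003 default virtual directories (the article does not list them).
EXCHANGE_VDIRS = {"owa": ("/exchange", "/exchweb", "/public"), "oma": ("/oma",)}

# Constructed W3SVC1 sample in W3C Extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2005-09-20 08:00:01 10.0.0.5 GET /exchange/jsmith/Inbox - 443 CORP\\jsmith 203.0.113.7 Mozilla/4.0 200
2005-09-20 08:00:09 10.0.0.5 GET /SelfUpdate/iuident.cab - 80 - 10.0.0.21 Windows-Update-Agent 200
2005-09-20 08:01:30 10.0.0.5 GET /oma - 443 CORP\\akhan 198.51.100.4 Mozilla/4.0 200
2005-09-20 08:02:11 10.0.0.5 GET /exchange - 443 - 203.0.113.99 Mozilla/4.0 401
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can reappear mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def classify(uri_stem):
    """Return 'owa', 'oma' or 'other' for a cs-uri-stem value."""
    stem = uri_stem.lower()
    for app, prefixes in EXCHANGE_VDIRS.items():
        if any(stem == p or stem.startswith(p + "/") for p in prefixes):
            return app
    return "other"

def exchange_sessions(lines):
    """Map (app, user) to sorted client IPs for authenticated OWA/OMA requests."""
    seen = defaultdict(set)
    for rec in parse_w3c(lines):
        app, user = classify(rec.get("cs-uri-stem", "")), rec.get("cs-username", "-")
        if app != "other" and user != "-":
            seen[(app, user.lower())].add(rec.get("c-ip", "-"))
    return {key: sorted(ips) for key, ips in seen.items()}

def failed_logons(lines):
    """Count 401 responses per client IP on the Exchange virtual directories."""
    return Counter(r.get("c-ip", "-") for r in parse_w3c(lines)
                   if r.get("sc-status") == "401"
                   and classify(r.get("cs-uri-stem", "")) != "other")
```

Point it at a real daily log with `exchange_sessions(open(path, encoding="ascii", errors="replace"))`; fields that are not enabled on the site simply come back as `-`.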

How to access and customize IIS logs

Now that you know a little bit about how logging works and where the logs are stored, let's take a look at how the logs can be customized.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.


MEMBER FEEDBACK TO THIS TIP

If someone logged into the network remotely via Outlook Web Access (OWA), can you get their IP address from the machine they used to access OWA?
—James B.

******************************************

I can't say for sure because I have never set up logging with that specific goal in mind, but I am almost positive that you can capture the IP addresses used in OWA sessions.
—Brien Posey, tip author

