Exchange Server diagnostics: Digging into IIS logs


Brien M. Posey
09.20.2005
Rating: -4.50- (out of 5)



As you are no doubt aware, Exchange Server is dependent on Internet Information Server (IIS). IIS performs some fairly extensive logging, which can be particularly useful to anyone running Outlook Web Access. In this article, I explain how IIS logs work and how you can use them to monitor aspects of your Exchange environment.

How IIS logging works

IIS logging is enabled by default, and has six different log file formats you can use. The default logging type is the W3C Extended Log File Format, which is suitable for most situations.

Logging works differently in IIS 6 than it did in IIS 5. In IIS 5, logging was performed by a COM-based module called Inetinfo.exe. While this technique was effective, it had to be changed in IIS 6, because of the way the newer version uses application pools.

IIS 6 servers with multiple application pools, or multiple worker processes in a single application pool, would encounter synchronization or multiple instance issues if Inetinfo.exe was used.

Instead, IIS 6 performs all logging within the HTTP protocol stack. A file named HTTP.sys performs the actual logging. Not only does this cure the multi-instance and synchronization problems I just mentioned, but because all HTTP traffic passes through the HTTP protocol stack, all HTTP requests are logged. There is no easy way for a hacker to bypass or disable the logging mechanism.

Although the IIS logging mechanism works at the HTTP level, logs are created on a per Web site basis. Depending on how your server is configured, this could be good or bad. On one hand, creating logs at the Web site level means that, if your server is hosting multiple sites, each site will have its own set of logs. On the other hand, when you install Exchange Server, Outlook Web Access (OWA) and Outlook Mobile Access (OMA) are implemented as a part of the default Web site.

The default Web site is already used for administrative purposes and may also be used by applications like SUS or WSUS. This means that OWA and OMA log entries are mixed with log entries pertaining to anything else the default Web site has been set up for.

Of course, Exchange should ideally be the only application running on a server, but in the real world, budgets are tight and servers sometimes need to perform multiple tasks.

The logs themselves are placed into the \Windows\System32\LogFiles folder. The default Web site's logs are stored in a subfolder named W3SVC1.

If the server is configured to host multiple Web sites, then the log files for the other sites will also be stored in subfolders beneath the \Windows\System32\LogFiles folder. The subfolder names will be random, but will start with W3SVC. W3SVC1 is always reserved for the default Web site though.

When you open the subfolder, you will see all the logs. By default, the logs are stored in plain ASCII text. There is a separate log file used for each day. Therefore, if you want to examine a specific day's activities, you can just reference the log file created that day. Keep in mind though that IIS won't actually create a log file until activity occurs. So if there are days when IIS doesn't receive any requests, then there won't be log files for those days.

How to access and customize IIS logs

Now that you know a little bit about how logging works and where the logs are stored, let's take a look at how the logs can be customized.

  1. Begin by opening the Internet Information Services Manager (you can launch it from the Administrative Tools menu).

  2. When the IIS Manager opens, navigate through the console tree to Internet Information Services -> your server -> Web Sites -> Default Web Site.

  3. Right click on the default Web site and select Properties.

  4. Go to the Web Site tab, and you will see an "Enable Logging" checkbox and a dropdown list that you can use to select the log file format. Logging should already be enabled and the W3C Extended Log File Format is fine for most purposes.

  5. Click the Properties button and the IIS Manager will display the Logging Properties sheet. The first thing you'll notice is that you can change the logging schedule. By default, new log files are created on a daily basis, but you can create new log files at alternate intervals or when files reach a certain size.

    Just below the New Log Schedule section, you have the option of using the time for file naming and roll over. You can also specify an alternate location for storing log files.

    It's nice to have these options, but the really good options are on the Advanced tab. Here you can choose what types of information will be logged. For example, the host name of the machine making the request is not logged by default, but you can choose to log this information with the click of a mouse.

  6. Now that I have shown you how to customize logging, there is one last thing I want to show you. As I mentioned earlier, the logs are stored in ASCII format. That's great if you are using an English version of Windows. Some foreign languages use characters that cannot be reproduced in ASCII though.

    If you find yourself logging requests that contain characters that take two bytes to produce, then you might want to encode the logs in UTF-8 format. You can enable UTF-8 encoding by right clicking on the server name in the IIS Manager and selecting Properties; here you'll find a checkbox that enables UTF-8 encoding. Keep in mind that UTF-8 encoding only applies to Web site logs. IIS 6 does not support UTF-8 encoding for FTP site logs.
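The following is an added example, not part of the original tip: a small parser that pulls OWA and OMA requests out of the shared default Web site log and counts them per client IP, user and status. It reads the column layout from each `#Fields:` line, because the Advanced tab selection changes which columns are written; the virtual directory prefixes and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: default Exchange 2003 virtual directories; adjust to your server.
EXCHANGE_PREFIXES = ("/exchange", "/exchweb", "/public", "/oma")

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-09-20 08:00:01
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2005-09-20 08:00:01 GET /exchange/jsmith/Inbox CONTOSO\\jsmith 203.0.113.7 200
2005-09-20 08:00:09 GET /iisstart.htm - 192.0.2.10 200
2005-09-20 08:01:30 GET /reports/default.aspx - 192.0.2.44 200
2005-09-20 08:02:11 GET /exchange/ - 198.51.100.23 401
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs-host
2005-09-20 09:15:42 198.51.100.23 - GET /exchange/ 401 mail.example.test
2005-09-20 09:15:43 203.0.113.7 CONTOSO\\jsmith GET /oma/ 200 mail.example.test
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the active #Fields line."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")        # W3C writes embedded spaces as '+'
            if len(values) == len(fields):  # skip truncated or torn lines
                yield dict(zip(fields, values))

def is_exchange(entry):
    stem = entry.get("cs-uri-stem", "").lower()
    return any(stem == p or stem.startswith(p + "/") for p in EXCHANGE_PREFIXES)

def exchange_clients(lines):
    """Count OWA/OMA requests per (client IP, user name, HTTP status)."""
    hits = Counter()
    for e in parse_w3c(lines):
        if is_exchange(e):
            key = (e.get("c-ip", "-"), e.get("cs-username", "-"), e.get("sc-status", "-"))
            hits[key] += 1
    return hits

if __name__ == "__main__":
    for (ip, user, status), n in sorted(exchange_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} {user:18} {status} x{n}")
```

To run it against a real log, pass the lines of a file from the W3SVC1 folder to `exchange_clients` instead of the sample. A field that was not selected for logging comes back as `-` in the summary.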

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.


MEMBER FEEDBACK TO THIS TIP

If someone logged into the network remotely via Outlook Web Access (OWA), can you get their IP address from the machine they used to access OWA?
—James B.

******************************************

I can't say for sure because I have never set up logging with that specific goal in mind, but I am almost positive that you can capture the IP addresses used in OWA sessions.
—Brien Posey, tip author

