Dissecting ActiveSync logs in Exchange Server 2010

ActiveSync logging information is valuable to Exchange 2010 admins for several reasons. We explore how to find and decipher the data.

Exchange Server 2010 compiles rich logging information, which can be invaluable for troubleshooting ActiveSync problems. It can also be used to audit mobile device access to messaging servers. Before you can take advantage of this logging information, however, you need to know where to find it and how to read it.

Much like in Exchange Server 2007, ActiveSync logging in Exchange 2010 is a function of Internet Information Services (IIS). Technically, you can get all ActiveSync logging information from the IIS logs, but doing so lumps together various types of logging data into IIS.

Microsoft organizes this data, but the method to do so requires the full path and file name of the log file you want to analyze. By default, IIS logs are stored in the C:\inetpub\logs\logfiles\w3svc1 folder.

After selecting a log file you want to analyze, open the Exchange Management Shell (EMS) and enter the Export-ActiveSyncLog cmdlet. Exchange will prompt you to enter a file name -- the full path and file name of the log file you want to parse. After you enter this information, Exchange creates six separate log files (Figure 1).

Use the Export-ActiveSyncLog cmdlet to create new log files.
Figure 1. Entering the Export-ActiveSyncLog cmdlet into EMS creates new log files.

Figure 1 shows the results of the search, which appear in .csv format. This allows you to open them in a text editor such as Notepad or Microsoft Excel. Individual .csv files are placed in the C:\Windows\System32\inetsrv folder. Each individual .csv file contains a specific type of logging data, as shown in Table 1.

Log file name Function
Users.csv Allows you to see which users access mobile messaging. You can also use this report to track the volume of ActiveSync-related traffic a user sends and receives.
Servers.csv Organizes synchronization requests according to server. This file also displays the average number of unique devices connecting to each server, as well as the volume of traffic those devices send and receive.
Hourly.csv Displays the number of synchronization requests per hour and the number of devices making those requests.
StatusCodes.csv Contains a series of HTTP status codes that mobile users have encountered. Use this report to troubleshoot communications errors.
PolicyCompliance.csv Exchange classifies mobile devices as fully compliant, partially compliant or non-compliant. A fully compliant device to which you can fully apply an ActiveSync policy. A partially compliant device may accept some, but not all elements of an ActiveSync policy. A non-compliant device ignores ActiveSync policies. This file details the level of compliance for each logged device.
UserAgents.csv Lists the total number of unique users who were logged, organized by mobile operating systems.

Although these reports are handy, they may not meet the needs of every Exchange organization. You can create your own parser to extract ActiveSync information from the IIS logs and display information that will be useful to you.

Making sense of ActiveSync raw log files
IIS logs contain a variety of logging data; a single log file might contain data from both ActiveSync and Outlook Web App. And each log entry appears on a separate line within the file. ActiveSync logs may appear cryptic, but spotting them is easy since they all begin with &Log=.

Once you have located the &Log= string, you’ll notice a series of code following it. The actual code depends on the type of ActiveSync event that is being logged. In most situations, the code will begin with the letter V, followed by either a two- or three-digit number. This number reflects the ActiveSync protocol version number that the requestor is using. The version number is always displayed as a whole number; for example, the code V120 actually refers to version 12.0.

A synchronization request typically includes the code TY, which refers to the type of folder being synchronized. These letters are followed by a colon and an abbreviation for the folder type. For example, TY:CA refers to a calendar synchronization. Other abbreviations include EM (email), CO (contacts) and TA (tasks).

An underscore is used to separate individual codes, marking where one code ends and the next begins. For example, the first part of a logged synchronization request might be &Log=V120_TY:CA. This code conveys the client’s protocol version and synchronization type.

ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.

This was first published in December 2010

Dig deeper on Mobile Devices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close