LogParser Commands for Identifying EAS Traffic and 401’s

 

Perform a count based on CS-URI-STEM=ActiveSync and SC-Status=401 and Timestamp

LOGPARSER "SELECT count(*) as hits, sc-status, cs-uri-stem from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190301.log' where sc-status=401 and cs-uri-stem='/Microsoft-Server-ActiveSync/default.eas' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss') GROUP BY cs-uri-stem, sc-status order by hits desc" -i:IISW3C -q:off

OR run it in a continuous CMD loop
FOR /L %N IN () DO LOGPARSER "SELECT count(*) as hits, sc-status, cs-uri-stem from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190301.log' where sc-status=401 and cs-uri-stem='/Microsoft-Server-ActiveSync/default.eas' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss') GROUP BY cs-uri-stem, sc-status order by hits desc" -i:IISW3C -q:off

Perform a line item pull of CS-URI-STEM=EAS and SC-Status=401 and Timestamp
logparser "Select * from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190301.log' Where sc-status=401 and cs-uri-stem='/Microsoft-Server-ActiveSync/default.eas' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss')" -i:IISW3C -q:on >>c:\temp\eas.txt

Perform a search based on user (matched in cs-uri-query) and Timestamp
logparser "Select * from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190214.log' Where cs-uri-query LIKE '%steve1%' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss')" -i:IISW3C -q:on >>c:\temp\steve.txt
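
The same filter (ActiveSync stem, status 401, time window) with the hits broken down per user, device and client IP, as an added Python example that is not from the original post. The sample log rows, the function name eas_401_summary and the User/DeviceId query-string keys in those rows are assumptions made for illustration.

```python
from collections import Counter
from datetime import time
from urllib.parse import parse_qs

EAS_STEM = "/microsoft-server-activesync/default.eas"

# Constructed sample rows in IIS W3C format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2019-03-01 14:59:58 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=DEV001&Cmd=Sync - 10.0.0.5 401
2019-03-01 15:00:02 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=DEV001&Cmd=Sync - 10.0.0.5 401
2019-03-01 15:00:07 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=DEV001&Cmd=Sync - 10.0.0.5 401
2019-03-01 15:01:10 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=DEV001&Cmd=Sync steve1 10.0.0.5 200
2019-03-01 16:20:00 POST /Microsoft-Server-ActiveSync/default.eas User=Anna2&DeviceId=DEV002&Cmd=Ping - 10.0.0.9 401
2019-03-01 17:00:00 GET /owa/auth/logon.aspx - - 10.0.0.9 401
2019-03-01 21:00:00 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=DEV001&Cmd=Sync - 10.0.0.5 401
"""

def eas_401_summary(lines, start=time(15, 0), end=time(20, 30)):
    """Count EAS 401 responses per (user, device id, client IP) in a time window."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the column layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                       # other W3C directives and blank lines
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                       # truncated or malformed row
        row = dict(zip(fields, parts))
        try:
            stamp = time.fromisoformat(row["time"])   # log time, UTC by default in IIS
        except (KeyError, ValueError):
            continue
        if row.get("sc-status") != "401" or not (start <= stamp <= end):
            continue
        if row.get("cs-uri-stem", "").lower() != EAS_STEM:
            continue
        # A 401 usually has an empty cs-username, so read the user from the query string.
        query = parse_qs(row.get("cs-uri-query", ""))
        user = query.get("User", ["-"])[0].lower()
        device = query.get("DeviceId", ["-"])[0]
        hits[(user, device, row.get("c-ip", "-"))] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (user, device, ip), count in eas_401_summary(SAMPLE_LOG.splitlines()):
        print(count, user, device, ip)
```

A single user and device producing most of the 401s from one address usually points at a stale password on that device, which is the case the per-user search above is meant to confirm.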
