LogParser Commands for Identifying EAS Traffic and 401s


Perform a count of requests where cs-uri-stem is the ActiveSync endpoint, sc-status is 401, and the time falls within a window:

LOGPARSER "SELECT count(*) as hits, sc-status, cs-uri-stem from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190301.log' where sc-status=401 and cs-uri-stem='/Microsoft-Server-ActiveSync/default.eas' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss') GROUP BY cs-uri-stem, sc-status order by hits desc" -i:IISW3C -q:off

Or run it repeatedly in a CMD loop (FOR /L with an empty set repeats indefinitely; stop it with Ctrl+C):
FOR /L %N IN () DO LOGPARSER "SELECT count(*) as hits, sc-status, cs-uri-stem from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190301.log' where sc-status=401 and cs-uri-stem='/Microsoft-Server-ActiveSync/default.eas' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss') GROUP BY cs-uri-stem, sc-status order by hits desc" -i:IISW3C -q:off

Pull the individual log lines where cs-uri-stem is the EAS endpoint, sc-status is 401, and the time falls within the window:
logparser "Select * from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190301.log' Where sc-status=401 and cs-uri-stem='/Microsoft-Server-ActiveSync/default.eas' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss')" -i:IISW3C -q:on >>c:\temp\eas.txt

Perform a search based on a user name (matched in cs-uri-query) and the time window:
logparser "Select * from '\\ExServer1\c$\inetpub\logs\LogFiles\W3SVC1\U_ex190214.log' Where cs-uri-query LIKE '%steve1%' and time between timestamp('15:00:00','hh:mm:ss') and timestamp('20:30:00','hh:mm:ss')" -i:IISW3C -q:on >>c:\temp\steve.txt

Search IIS logs for ActiveSync data for specific user accounts.

Scenario: You want to find ActiveSync activity for specific users that is stored in IIS logs on the Exchange Servers.

Using LogParser you can edit and run the following command:

logparser "Select * from '\\servername\c$\inetpub\logs\logfiles\w3svc1\*.log' Where cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%' AND (cs-uri-query LIKE '%username1%' OR cs-uri-query LIKE '%username2%')" -i:IISW3C -q:on >FilePath\filename.txt
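As an added example (not part of the original notes, and not LogParser code), the same filters used by the count query above and by the per-user searches, written as a standalone Python parser for the IIS W3C format so the result can be reproduced where LogParser is not available. It goes one step further than the count query and breaks the 401s down by client IP, which is usually the next question once the count spikes. The log content is constructed sample data.

```python
"""Count HTTP 401s on the ActiveSync endpoint in an IIS W3C log, per time window and client IP."""
from collections import Counter
from datetime import time

EAS_STEM = "/Microsoft-Server-ActiveSync/default.eas"

# Constructed sample of an IIS W3C log (u_ex*.log); records follow the #Fields order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2019-03-01 14:59:59 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=A1 198.51.100.7 - 401
2019-03-01 15:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=A1 198.51.100.7 - 401
2019-03-01 15:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=steve1&DeviceId=A1 198.51.100.7 - 401
2019-03-01 15:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jane2&DeviceId=B2 203.0.113.9 contoso\\jane2 200
2019-03-01 16:10:00 10.0.0.5 GET /owa/ - 203.0.113.9 - 401
2019-03-01 20:29:59 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=bob3&DeviceId=C3 192.0.2.20 - 401
2019-03-01 20:30:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=bob3&DeviceId=C3 192.0.2.20 - 401
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def eas_401_hits(text, start, end, user=None, stem=EAS_STEM):
    """Same filter as the count query: sc-status=401 on the EAS stem, time BETWEEN start AND end
    (inclusive, as in LogParser), optionally narrowed to a user name substring in cs-uri-query
    as the per-user searches do. Returns the total plus a per-client-IP breakdown."""
    start_t, end_t = time.fromisoformat(start), time.fromisoformat(end)
    by_ip = Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"] != "401" or rec["cs-uri-stem"] != stem:
            continue
        if user and user not in rec["cs-uri-query"]:
            continue
        if start_t <= time.fromisoformat(rec["time"]) <= end_t:
            by_ip[rec["c-ip"]] += 1
    return sum(by_ip.values()), by_ip

if __name__ == "__main__":
    total, by_ip = eas_401_hits(SAMPLE_LOG, "15:00:00", "20:30:00")
    print(f"hits={total}")
    for ip, n in by_ip.most_common():
        print(f"{n:>5} {ip}")
```

On the sample, the 15:00:00 to 20:30:00 window yields 3 hits (2 from 198.51.100.7, 1 from 192.0.2.20); the records at 14:59:59 and 20:30:01 sit just outside the inclusive window and the /owa/ 401 is on a different stem.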