As you are no doubt aware, Exchange Server is dependent on Internet Information Server (IIS). IIS performs some fairly extensive logging, which can be particularly useful to anyone running Outlook Web Access. In this article, I explain how IIS logs work and how you can use them to monitor aspects of your Exchange environment.
How IIS logging works
IIS logging is enabled by default, and has six different log file formats you can use. The default logging type is the W3C Extended Log File Format, which is suitable for most situations.
Logging works differently in IIS 6 than it did in IIS 5. In IIS 5, logging was performed by a COM-based module called Inetinfo.exe. While this technique was effective, it had to be changed in IIS 6, because of the way the newer version uses application pools.
IIS 6 servers with multiple application pools, or multiple worker processes in a single application pool, would encounter synchronization or multiple-instance issues if Inetinfo.exe were used.
Instead, IIS 6 performs all logging within the HTTP protocol stack. A file named HTTP.sys performs the actual logging. Not only does this cure the multi-instance and synchronization problems I just mentioned, but all HTTP traffic passes through the HTTP protocol stack. This means that all HTTP requests are logged. There is no easy way for a hacker to bypass or disable the logging mechanism.
Although the IIS logging mechanism works at the HTTP level, logs are created on a per Web site basis. Depending on how your server is configured, this could be good or bad. On one hand, creating logs at the Web site level means that, if your server is hosting multiple sites, each site will have its own set of logs. On the other hand, when you install Exchange Server, Outlook Web Access (OWA) and Outlook Mobile Access (OMA) are implemented as a part of the default Web site.
The default Web site is already used for administrative purposes and may also be used by applications like SUS or WSUS. This means that OWA and OMA log entries are mixed with log entries pertaining to anything else the default Web site has been set up for.
Of course, Exchange should ideally be the only application running on a server, but in the real world, budgets are tight and servers sometimes need to perform multiple tasks.
The logs themselves are placed into the \Windows\System32\LogFiles folder. The default Web site's logs are stored in a subfolder named W3SVC1.
If the server is configured to host multiple Web sites, then the log files for the other sites will also be stored in subfolders beneath the \Windows\System32\LogFiles folder. The subfolder names will be random, but will start with W3SVC. W3SVC1 is always reserved for the default Web site though.
When you open the subfolder, you will see all the logs. By default, the logs are stored in plain ASCII text. There is a separate log file used for each day. Therefore, if you want to examine a specific day's activities, you can just reference the log file created that day. Keep in mind though that IIS won't actually create a log file until activity occurs. So if there are days when IIS doesn't receive any requests, then there won't be log files for those days.
How to access and customize IIS logs
Now that you know a little bit about how logging works and where the logs are stored, let's take a look at how the logs can be customized.
- Begin by opening the Internet Information Services Manager (you can launch it from the Administrative Tools menu).
- When the IIS Manager opens, navigate through the console tree to Internet Information Services -> your server -> Web Sites -> Default Web Site.
- Right click on the default Web site and select Properties.
- Go to the Web Site tab, and you will see an "Enable Logging" checkbox and a dropdown list that you can use to select the log file format. Logging should already be enabled and the W3C Extended Log File Format is fine for most purposes.
- Click the Properties button and the IIS Manager will display the Logging Properties sheet. The first thing you'll notice is that you can change the logging schedule. By default, new log files are created on a daily basis, but you can create new log files at alternate intervals or when files reach a certain size.
Just below the New Log Schedule section, you have the option of using the time for file naming and roll over. You can also specify an alternate location for storing log files.
It's nice to have these options, but the really good options are on the Advanced tab. Here you can choose what types of information will be logged. For example, the host name of the machine making the request is not logged by default, but you can choose to log this information with the click of a mouse.
Now that I have shown you how to customize logging, there is one last thing I want to show you. As I mentioned earlier, the logs are stored in ASCII format. That's great if you are using an English version of Windows. Some foreign languages use characters that cannot be reproduced in ASCII though.
If you find yourself logging requests that contain characters that take two bytes to produce, then you might want to encode the logs in UTF-8 format. You can enable UTF-8 encoding by right clicking on the server name in the IIS Manager and selecting Properties; here you'll find a checkbox that enables UTF-8 encoding. Keep in mind that UTF-8 encoding only applies to Web site logs. IIS 6 does not support UTF-8 encoding for FTP site logs.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
If someone logged into the network remotely via Outlook Web Access (OWA), can you get their IP address from the machine they used to access OWA?
I can't say for sure because I have never set up logging with that specific goal in mind, but I am almost positive that you can capture the IP addresses used in OWA sessions.
—Brien Posey, tip author
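As an added example that is not part of the original tip, the following Python script parses the W3C Extended Log File Format described above and answers the reader's question by listing the client IP addresses (the c-ip field) seen on OWA and OMA requests, grouped with the user names those clients presented. The log lines are constructed, and the virtual directory prefixes /exchange, /exchweb and /oma are assumed to be the Exchange paths on the default Web site; the parser also handles a #Fields directive that changes part-way through a file, which happens after you change the logged fields on the Advanced tab.

```python
"""Parse IIS 6 W3C Extended log text and summarise OWA/OMA requests per client IP."""
from collections import defaultdict

# Constructed sample shaped like an IIS 6 W3C Extended log (not a real capture).
# The second #Fields line simulates an admin changing the logged fields mid-day.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-03-01 08:00:01 192.0.2.10 GET /exchange/jdoe/Inbox/ - 443 DOMAIN\\jdoe 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-03-01 08:00:05 192.0.2.10 GET /oma/ - 443 DOMAIN\\asmith 203.0.113.9 Mozilla/4.0 200 0 0
2006-03-01 08:01:12 192.0.2.10 GET /selfupdate/wuident.cab - 80 - 192.0.2.55 Windows-Update-Agent 200 0 0
2006-03-01 08:02:30 192.0.2.10 POST /exchweb/bin/auth/owaauth.dll - 443 - 198.51.100.7 Mozilla/4.0 302 0 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-03-01 09:10:00 198.51.100.7 GET /exchange/jdoe/Inbox/ 401
"""

# Assumed Exchange 2003 virtual directories on the default Web site (OWA, OWA controls, OMA).
OWA_PREFIXES = ("/exchange", "/exchweb", "/oma")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # may be redeclared mid-file
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("request line appeared before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        # IIS writes '-' for an empty field and '+' for a space inside a value
        yield {name: (None if v == "-" else v.replace("+", " ")) for name, v in zip(fields, values)}


def owa_clients(text, prefixes=OWA_PREFIXES):
    """Map each client IP that touched OWA/OMA to its request count and the user names it presented."""
    summary = defaultdict(lambda: {"requests": 0, "users": set()})
    for rec in parse_w3c(text):
        stem = (rec.get("cs-uri-stem") or "").lower()
        if not stem.startswith(prefixes):
            continue  # skip WSUS/SUS and other default-site traffic sharing the same log
        entry = summary[rec["c-ip"]]
        entry["requests"] += 1
        if rec.get("cs-username"):
            entry["users"].add(rec["cs-username"])
    return dict(summary)
```

Point the script at a real file from \Windows\System32\LogFiles\W3SVC1 (read it with the same encoding you selected, ASCII or UTF-8) to see which client addresses reached OWA on a given day.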