Problem solve Get help with specific problems with your technologies, process and projects.

Extracting Exchange ActiveSync data from IIS log files

Mobile messaging is one of the few Exchange Server features that can have a direct effect on a company's bottom line. Unfortunately, Microsoft Exchange Server lacks native reporting capabilities. Even so, it's possible to extract Exchange ActiveSync data to analyze mobile device usage. In this tip, find out how to extract Exchange ActiveSync data from IIS log files using a simple Exchange Management Shell (EMS) command.

Unless a company has an unlimited data plan for all Exchange Server mobile users, the volume of mobile messaging...

activity can directly affect its bottom line. Despite Exchange Server's lack of native reporting capabilities, it's possible to extract and analyze Exchange ActiveSync data. In this tip, Microsoft Exchange expert Brien Posey explains how to extract ActiveSync data from Internet Information Services (IIS) log files using a simple Exchange Management Shell (EMS) command.

While the Exchange Management Console (EMC) does not have a report generator to provide data on each user's wireless activity, there is an easy way to create your own report. The key to doing so lies in the fact that mobile messaging uses Exchange ActiveSync, which is facilitated by the client access server.

A client access server is an IIS server that hosts Exchange-related Web pages. This is important because it means that, like any other IIS server, a client access server creates a daily log of activity in the \Windows\system32\Logfiles\W3SVC1 folder. To use this information, you must separate ActiveSync-related log entries from the Outlook Web Access (OWA)-related entries (assuming that the client access server is being used for both purposes). You must then parse the log file entries so the log file data becomes meaningful.

More on this topic

Fortunately, we get some help from the folks in Redmond on this one. You can actually use the Exchange Management Shell to extract and parse the ActiveSync data from the logs. The only catch is that IIS creates a new log file each day, so you need to know for which date you want to examine Exchange ActiveSync data. You must also create a folder in which you can deposit the extracted data.

Suppose, for instance, that I want to analyze ActiveSync data for Sept. 23, 2008, and I have created a folder named C:\Reports to use as a repository for the extracted data. To extract Exchange ActiveSync data from the September 28, 2008 log file and put it into the C:\Reports folder, I would enter the following command:

Export-ActiveSyncLog –Filename: 'C:\Windows\System32\Logfiles\W3SVC1\080923.log' –UseGMT:$True –OutputPath 'C:\Reports\'

Exchange Management Shell commands are made up of noun-verb combinations. In this case, we are using Export as the verb and ActiveSyncLog as the noun to tell the Exchange Management Shell what to export.

We must supply three parameters in conjunction with the Export-ActiveSyncLog command. First is the –Filename: parameter. Notice that I have enclosed the path and the filename with single quotes.

You should also note that the filename contains 080923, which corresponds to the year, month and day. This is the standard log file naming convention that IIS uses.

The second parameter is –UseGMT:$True, which directs Exchange to use Greenwich Mean Time (GMT) or Zulu time within the logs. This is useful if you are collecting log file data from Exchange servers that are spread across multiple time zones. You can set this parameter to False if you want to use the server's local time instead.

The third parameter, –OutputPath, lets you specify the destination path for the extracted data.

One thing to note about the destination path: Exchange Server 2007 always uses the same names for reports it generates -- regardless of what the original name of the IIS log file was. This means that if you want to extract data from multiple log files, you will have to specify a different destination path for each report. Otherwise, the report will be overwritten. You also have the option to rename the report files prior to performing a secondary extraction.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for

Dig Deeper on Outlook management