
OWA logging monitoring

Last Modified: 2012-05-06
Is it possible to monitor (through logs, in real time) users checking their mail using OWA in Exchange 2007? The idea is to know from which public IP address they're checking their emails. In Exchange 2003, it was possible to see it in the IIS logs.

Expert of the Quarter 2009
Expert of the Year 2009

Commented:
Same thing with Exchange 2007. IIS logs will show you some information. You will probably have to adjust the logging levels. Can't be done realtime though, but a good IIS logging tool would show you what is happening once the logs have been written to disk.

-M

Author

Commented:
I can't find anything in IIS to adjust. All options to show the client IP, and other options, are already selected, but nothing shows the client IP address they are connecting from.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
You should have a line in the log similar to this:

2008-11-06 13:18:47 W3SVC1 192.168.11.3 GET /owa - 443 - 123.456.789.000 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+Tablet+PC+2.0;+InfoPath.2;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322) 301 0 0

That is an actual log from my Tablet connecting to OWA from an external host.
192.168.11.3 is my Exchange server, and 123.456.789.000 is the external IP address I was connecting from. I have mangled it as it was a client site.  

The log settings are on the root of the Default Web Site.

-M

Author

Commented:
In my logs, the external IP address shows as the internal IP of the firewall, in my case ISA 2006. I'm not sure whether I can do something in ISA Server to show the real client IP.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
Ah.
Should have mentioned the ISA.
The log on the Exchange server itself only applies if the traffic is going direct to the Exchange server.
The external IP address isn't seen by Exchange because it sees the traffic as originating on the ISA server. You will need to use the logs on the ISA server to track the external IP addresses.

-M

Author

Commented:
I checked and tested the ISA Firewall log. It shows a lot, but not the username of the client, and it is a domain member so it should be able to resolve it.
Expert of the Quarter 2009
Expert of the Year 2009
Commented:
That probably means you need to change the logging settings on the ISA server. My knowledge of ISA is not great, so I don't know if it has its own logs or uses IIS logs.

-M


Author

Commented:
Mestha,

Thank you for your help.
I had to enable logging for Web Proxy Logging, and everything is there.
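
Added example (not part of the original thread and not code from any poster): a Python sketch of the IIS log check discussed above, which tallies OWA requests per username and client IP and flags the case where IIS only ever sees the firewall's internal address. The sample log lines, the EXAMPLE\alice and EXAMPLE\bob accounts, and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample logs (IIS W3C format); 203.0.113.x/198.51.100.x stand in for public IPs.
HEADER = ("#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status\n")
DIRECT_LOG = HEADER + (
    "2008-11-06 13:18:47 W3SVC1 192.168.11.3 GET /owa - 443 - 203.0.113.10 Mozilla/4.0 301 0 0\n"
    "2008-11-06 13:18:52 W3SVC1 192.168.11.3 GET /owa/ - 443 EXAMPLE\\alice 203.0.113.10 Mozilla/4.0 200 0 0\n"
    "2008-11-06 13:20:01 W3SVC1 192.168.11.3 GET /owa/ - 443 EXAMPLE\\bob 198.51.100.7 Mozilla/4.0 200 0 0\n"
    "2008-11-06 13:21:30 W3SVC1 192.168.11.3 GET /iisstart.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0\n")
# The same OWA traffic logged behind a firewall: c-ip is the firewall's internal address.
PROXIED_LOG = HEADER + (
    "2008-11-06 13:18:52 W3SVC1 192.168.11.3 GET /owa/ - 443 EXAMPLE\\alice 192.168.11.1 Mozilla/4.0 200 0 0\n"
    "2008-11-06 13:20:01 W3SVC1 192.168.11.3 GET /owa/ - 443 EXAMPLE\\bob 192.168.11.1 Mozilla/4.0 200 0 0\n")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def owa_clients(text):
    """Count OWA requests per (cs-username, c-ip) pair."""
    hits = Counter()
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower().startswith("/owa"):
            hits[(row.get("cs-username", "-"), row.get("c-ip", "-"))] += 1
    return hits

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:  # "-" or a malformed address
        return False

def masked_by_proxy(hits):
    """True when every logged c-ip is RFC 1918, i.e. IIS saw only the firewall."""
    ips = {ip for _, ip in hits}
    return bool(ips) and all(is_internal(ip) for ip in ips)

if __name__ == "__main__":
    for name, log in (("direct", DIRECT_LOG), ("proxied", PROXIED_LOG)):
        print(name, dict(owa_clients(log)), "masked:", masked_by_proxy(owa_clients(log)))
```

The RFC 1918 test is a heuristic: a log containing only LAN users would also trip it, so a positive result means the real client addresses have to come from the firewall's own logs, as the thread concludes.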