tsteines
asked on
Our Exchange server 2003 log files are very large - Likely iPad/iPhone related.
Our log files on our Microsoft Exchange Server 2003 have jumped from about 50,000 k to 500,000 k per day at some point in the past month. Looking at the log files, they seem to be communicating with a couple specific users' apple devices extremely frequently (having as many as 50 search's and get's per second). I had one of the users delete her account on her iPad and her connections disappeared as expected (along with about half of the log file size). The next day, another user began showing up despite having no changes made to their account or connections. This user's iPhone comes up as the device.
We have at least 40 different users that get mail on their iPhones and about 10 or so that do it on their iPads. The devices are a mix of models, with some being iPhone 4S or iPad 2 and others being previous generations. We can't seem to figure out what's causing this to happen for these three specific users. We need this fixed as it fills up the C drive partition of the server and prevents it from delivering mail.
I understand that we can turn off logging but my boss wants to keep the records for I/T security reasons.
Ex.
2011-12-22 00:00:01 W3SVC1 192.168.0.15 SEARCH /exchange-oma/<user@company.com>/ - 80 - 192.168.0.15 Microsoft-Server-ActiveSyn
2011-12-22 00:00:01 W3SVC1 192.168.0.15 SEARCH /exchange-oma/<user@company.com>/ - 80 <DOMAIN>\<username> 192.168.0.15 Microsoft-Server-ActiveSyn
2011-12-22 00:00:01 W3SVC1 192.168.0.15 GET /exchange-oma/<user@company.com>/NON_IPM_SUBTREE/Microsoft
We have at least 40 different users that get mail on their iPhones and about 10 or so that do it on their iPads. The devices are a mix of models, with some being iPhone 4S or iPad 2 and others being previous generations. We can't seem to figure out what's causing this to happen for these three specific users. We need this fixed as it fills up the C drive partition of the server and prevents it from delivering mail.
I understand that we can turn off logging but my boss wants to keep the records for I/T security reasons.
Ex.
2011-12-22 00:00:01 W3SVC1 192.168.0.15 SEARCH /exchange-oma/<user@company.com>/ - 80 - 192.168.0.15 Microsoft-Server-ActiveSyn
2011-12-22 00:00:01 W3SVC1 192.168.0.15 SEARCH /exchange-oma/<user@company.com>/ - 80 <DOMAIN>\<username> 192.168.0.15 Microsoft-Server-ActiveSyn
2011-12-22 00:00:01 W3SVC1 192.168.0.15 GET /exchange-oma/<user@company.com>/NON_IPM_SUBTREE/Microsoft
ASKER
I don't believe so, though it is possible. The fact that this issue only showed up recently (I want to say about a month after the iOS 5 update) leads me to believe that an iOS 4.x device wouldn't be affecting it since everybody would have had iOS 4.x before then.
If it makes a difference, both of the user accounts in the log began showing up about the same time as they were began accessing the emails while the third one that just started showing up was set up much earlier than those two.
If it makes a difference, both of the user accounts in the log began showing up about the same time as they were began accessing the emails while the third one that just started showing up was set up much earlier than those two.
ASKER
UPDATE: Both iPhones are at 5.0.1. No word on the iPad.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are you running Windows Backup to 'roll up' the logs? Even if you have another backup, the Windows one clears the logs. It might help to run it once a day until you figure out the problem.
ASKER
@alanhardisty I had one of the users remove her account from her device (the iPad that shows up frequently) and now another two users are popping up in the log (both using iPhones, I believe). Luckily the files HAVE been smaller but they are still about 5 or 6 times the usual size.
@lscabor we are not. As of right now, we just clean them up as necessary but thanks for the advice.
@lscabor we are not. As of right now, we just clean them up as necessary but thanks for the advice.
Does the iPad user still show up with lots of entries now?
Odd about the new accounts. When did you last reboot the server or run iisreset?
If a long time ago - I would try one or the other.
Odd about the new accounts. When did you last reboot the server or run iisreset?
If a long time ago - I would try one or the other.
ASKER
Ok, here's what's happened. The user who's iPad was giving us trouble deleted her mail account from her iPad and it stopped filling up the log file. At the same time, another user's iPhone began showing up with the same problem, despite having made no changes in that time. I tried putting the user's account back on her iPad and it started filling up the log again but the user whos iPhone appeared in the log has again disappeared.
I haven't rebooted the server yet, I'm a bit hesitant about bouncing the mail server while my boss is on vacation.
I haven't rebooted the server yet, I'm a bit hesitant about bouncing the mail server while my boss is on vacation.
You might want to get the users to backup their devices, factory reset them and then add the email accounts again, then check the logs.
A bit drastic, but quite often works.
A bit drastic, but quite often works.
I know that in Microsoft Mobile 6.0 you could initiate a log on mobile devices that will log the EAS communication between the device and the Exchange 2003 Server. We had to do that to troubleshoot some Sync issues with users in our environment. I have been looking for something like that with Andriod devices since we have moved from Microsoft Mobile, but have not found one yet. This logging would show the "hearbeat" communication in EAS. Very useful in troubleshooting mobile client connections. If you can find something like that for your iPhone/iPad users that can certainly help you with your troubleshooting. The IIS logs are just logging of access to the Virtual Directories. The EAS 'heartbeat" log would show what initiated the "PUSH" in EAS either the server or the device. Do you have anyother mobile devices in your environment other that iOS devices? Are they experiencing the same issue?
Have you looked at this? Several log file fix links in the answer column. Might help.
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/9145aa71-af0d-4ec4-84f0-8f63204384ee
I found the problem in permissions in the IIS virtual directories. Nearly all the info on the internet was wrong, and I found that making the permissions 'creator/owner' instead of 'read' stopped the disconnects and the log files.
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/9145aa71-af0d-4ec4-84f0-8f63204384ee
I found the problem in permissions in the IIS virtual directories. Nearly all the info on the internet was wrong, and I found that making the permissions 'creator/owner' instead of 'read' stopped the disconnects and the log files.
We are seeing the giant log file issue also. And I agree there is a lot of misinformation about IIS out there. Could you please provide a link to a reputable source that explains what permissions on what objects need to be changed? Thank you.
You will find lots of varying information about Activesync, but my article seems to be the best source for reference that can be found (at least the fact that it has been plagiarised numerous times by people across the globe would suggest it is a good reference):
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Resetting the accounts seemed to help but ultimately it was the "Push" function being turned off that fixed it. Still not sure why it was happening in the first place but turning off push on the devices causing it fixed the massive log file size.
http://alanhardisty.wordpress.com/2010/07/02/apple-ios4-issues-with-iphone-4-3gs-3g-and-exchange/