IIS Logs on Exchange 2013

We have MAPI over HTTP on our Exchange 2013 and don't see any performance issues but we have a huge amount of recorded data from the same user.  For example:  

2015-06-01 19:18:20 192.168.1.11 POST /mapi/emsmdb/ MailboxId=634f7589-4dfd-46f3-b128-661eae8d7f34@SERVER.COM&FrontEnd=SERVER.DOMAIN.ABC&RequestId=e6d32438-adde-4f62-854d-d3cea602aaf2&ClientRequestInfo=R:{2A3430FC-C953-41FD-A938-74798D225E94}:6009439;CI:{AFA3F9EF-4C7C-4032-8D82-2C326BAF3A34}:27;RT:Execute&AuthInfo=IsAuthenticated:true;AuthenticationType:Negotiate;AuthenticatedUser:Anonymous;&ResponseInfo=XRC:0;SC:0;RC:0&Stage=BeginRequest:2015-06-01T19:18:21.0095880Z;PostAuthorizeRequest:2015-06-01T19:18:21.0105880Z;PreRequestHandlerExecute:2015-06-01T19:18:21.0105880Z;PostRequestHandlerExecute:2015-06-01T19:18:21.0155880Z;EndRequest:2015-06-01T19:18:21.0155880Z 444 Anonymous 192.168.1.11 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4719;+Pro) - 200 0 0 6
2015-06-01 19:18:20 192.168.1.11 POST /mapi/emsmdb/ MailboxId=634f7589-4dfd-46f3-b128-661eae8d7f34@SERVER.COM&FrontEnd=SERVER.DOMAIN.ABC&RequestId=04f5e99c-c92d-4ac8-b0c0-69a609e98341&ClientRequestInfo=R:{2A3430FC-C953-41FD-A938-74798D225E94}:6009440;CI:{AFA3F9EF-4C7C-4032-8D82-2C326BAF3A34}:27;RT:Execute&AuthInfo=IsAuthenticated:true;AuthenticationType:Negotiate;AuthenticatedUser:Anonymous;&ResponseInfo=XRC:0;SC:0;RC:0&Stage=BeginRequest:2015-06-01T19:18:21.0225880Z;PostAuthorizeRequest:2015-06-01T19:18:21.0235880Z;PreRequestHandlerExecute:2015-06-01T19:18:21.0235880Z;PostRequestHandlerExecute:2015-06-01T19:18:21.0265880Z;EndRequest:2015-06-01T19:18:21.0265880Z 444 Anonymous 192.168.1.11 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4719;+Pro) - 200 0 0 3
2015-06-01 19:18:20 192.168.1.11 POST /mapi/emsmdb/ MailboxId=634f7589-4dfd-46f3-b128-661eae8d7f34@SERVER.COM&FrontEnd=SERVER.DOMAIN.ABC&RequestId=15c9cadc-ae77-46b3-98f8-e73cd346a0a9&ClientRequestInfo=R:{2A3430FC-C953-41FD-A938-74798D225E94}:6009441;CI:{AFA3F9EF-4C7C-4032-8D82-2C326BAF3A34}:27;RT:Execute&AuthInfo=IsAuthenticated:true;AuthenticationType:Negotiate;AuthenticatedUser:Anonymous;&ResponseInfo=XRC:0;SC:0;RC:0&Stage=BeginRequest:2015-06-01T19:18:21.0395880Z;PostAuthorizeRequest:2015-06-01T19:18:21.0405880Z;PreRequestHandlerExecute:2015-06-01T19:18:21.0405880Z;PostRequestHandlerExecute:2015-06-01T19:18:21.0465880Z;EndRequest:2015-06-01T19:18:21.0465880Z 444 Anonymous 192.168.1.11 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4719;+Pro) - 200 0 0 8
2015-06-01 19:18:20 192.168.1.11 POST /mapi/emsmdb/ MailboxId=634f7589-4dfd-46f3-b128-661eae8d7f34@SERVER.COM&FrontEnd=SERVER.DOMAIN.ABC&RequestId=799cbec5-fbb7-4ad5-97af-01586722273b&ClientRequestInfo=R:{2A3430FC-C953-41FD-A938-74798D225E94}:6009442;CI:{AFA3F9EF-4C7C-4032-8D82-2C326BAF3A34}:27;RT:Execute&AuthInfo=IsAuthenticated:true;AuthenticationType:Negotiate;AuthenticatedUser:Anonymous;&ResponseInfo=XRC:0;SC:0;RC:0&Stage=BeginRequest:2015-06-01T19:18:21.0545880Z;PostAuthorizeRequest:2015-06-01T19:18:21.0555880Z;PreRequestHandlerExecute:2015-06-01T19:18:21.0555880Z;PostRequestHandlerExecute:2015-06-01T19:18:21.0615880Z;EndRequest:2015-06-01T19:18:21.0615880Z 444 Anonymous 192.168.1.11 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4719;+Pro) - 200 0 0 8
2015-06-01 19:18:20 192.168.1.11 POST /mapi/emsmdb/ MailboxId=634f7589-4dfd-46f3-b128-661eae8d7f34@SERVER.COM&FrontEnd=SERVER.DOMAIN.ABC&RequestId=e173b113-76b2-471d-86fa-1fd6d9744383&ClientRequestInfo=R:{2A3430FC-C953-41FD-A938-74798D225E94}:6009443;CI:{AFA3F9EF-4C7C-4032-8D82-2C326BAF3A34}:27;RT:Execute&AuthInfo=IsAuthenticated:true;AuthenticationType:Negotiate;AuthenticatedUser:Anonymous;&ResponseInfo=XRC:0;SC:0;RC:0&Stage=BeginRequest:2015-06-01T19:18:21.0685880Z;PostAuthorizeRequest:2015-06-01T19:18:21.0695880Z;PreRequestHandlerExecute:2015-06-01T19:18:21.0695880Z;PostRequestHandlerExecute:2015-06-01T19:18:21.0725880Z;EndRequest:2015-06-01T19:18:21.0725880Z 444 Anonymous 192.168.1.11 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4719;+Pro) - 200 0 0 5
2015-06-01 19:18:20 192.168.1.11 POST /mapi/emsmdb/ MailboxId=634f7589-4dfd-46f3-b128-661eae8d7f34@SERVER.COM&FrontEnd=SERVER.DOMAIN.ABC&RequestId=55a0e8e1-7943-413c-a91f-0ff8e511c7b8&ClientRequestInfo=R:{2A3430FC-C953-41FD-A938-74798D225E94}:6009444;CI:{AFA3F9EF-4C7C-4032-8D82-2C326BAF3A34}:27;RT:Execute&AuthInfo=IsAuthenticated:true;AuthenticationType:Negotiate;AuthenticatedUser:Anonymous;&ResponseInfo=XRC:0;SC:0;RC:0&Stage=BeginRequest:2015-06-01T19:18:21.0845880Z;PostAuthorizeRequest:2015-06-01T19:18:21.0855880Z;PreRequestHandlerExecute:2015-06-01T19:18:21.0855880Z;PostRequestHandlerExecute:2015-06-01T19:18:21.0915880Z;EndRequest:2015-06-01T19:18:21.0915880Z 444 Anonymous 192.168.1.11 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4719;+Pro) - 200 0 0 8



It seems like it is coming from the server but the agent seems to be Microsoft Outlook (which doesn't exist on the server).  I tried shutting the user down and one of the assistants down but it didn't have any effect on the logs.  

Any ideas?  Normally, I wouldn't worry but the logs from this user alone reach about 1 GB a day which is a little insane.  

Thanks.
Edward Cho, Managing Exciting Technology Things, Asked:
Simon Butler (Sembee), Consultant, Commented:
I think you are seeing the logs coming from the server because of the way Exchange proxies the data to the mailbox database from the CAS role. You need to look at the logs on the CAS role to see what is happening.

Anything special about the user? Large mailbox, lots of delegates, high volume of messages or anything?

Simon.
Edward Cho, Managing Exciting Technology Things, Author Commented:
You are right -- I looked at the CAS logs and don't see anything special compared to the other users.  Just an iPhone and his Outlook checking in every minute or so.  

Just 3 delegates, small mailbox, moderate volume of messages but I've seen plenty worse at other organizations.
Simon Butler (Sembee), Consultant, Commented:
Something is causing the traffic to loop.
If it is a small mailbox I would move it off to another database, see what happens then. A move mailbox resolves so many problems it is now the first thing I do.

Simon.
Edward Cho, Managing Exciting Technology Things, Author Commented:
So indeed the Cisco ASA (translating the external IPs to internal IPs) was somehow causing the traffic to loop.  We only figured this out by accident after an outage and switched our DNS after the Cisco stopped translating.  

Our logs are now 1/5-1/10 of what they were.  Thanks for the help though!

Edward Cho, Managing Exciting Technology Things, Author Commented:
Found out my own solution.
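
An added example, not part of the thread and not the poster's own tooling: a Python script that ranks `/mapi/emsmdb/` traffic in an IIS W3C log by `MailboxId` and client IP, so a looping client like the one described above stands out by log share and by requests per second. The default field order is taken from the sample lines in the question; the function names, the threshold of 5 requests per second and the sample data are assumptions made for the example.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Field order assumed from the sample lines on this page; a "#Fields:" header
# in the log file, when present, overrides it.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()

def parse(lines):
    """Yield (record, size_on_disk) per W3C entry, honouring #Fields."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values)), len(line) + 2  # + CRLF

def mapi_hotspots(lines, per_second_limit=5):
    """Rank (MailboxId, c-ip) pairs on /mapi/emsmdb/ by log volume."""
    total, size, per_second = 0, Counter(), defaultdict(Counter)
    for rec, nbytes in parse(lines):
        total += nbytes
        if not rec["cs-uri-stem"].lower().startswith("/mapi/emsmdb"):
            continue
        mailbox = parse_qs(rec["cs-uri-query"]).get("MailboxId", ["-"])[0]
        key = (mailbox, rec["c-ip"])
        size[key] += nbytes
        per_second[key][rec["date"] + " " + rec["time"]] += 1
    report = []
    for key, nbytes in size.most_common():
        peak = max(per_second[key].values())
        report.append({"mailbox": key[0], "c_ip": key[1],
                       "requests": sum(per_second[key].values()),
                       "peak_per_second": peak,
                       "log_share": round(nbytes / total, 3),
                       "suspect": peak > per_second_limit})
    return report

# Constructed sample (not the poster's data): mbx-a bursts, mbx-b is normal.
def _line(sec, mailbox, n):
    q = f"MailboxId={mailbox}@example.test&RequestId=constructed-{n}"
    return (f"2015-06-01 19:18:{sec:02d} 192.0.2.11 POST /mapi/emsmdb/ {q} "
            f"444 Anonymous 192.0.2.11 Microsoft+Office/15.0 - 200 0 0 6")

SAMPLE = ([_line(20, "mbx-a", n) for n in range(6)] +
          [_line(20 + n, "mbx-b", n) for n in range(3)])
```

Pass an open log file to `mapi_hotspots()` in place of `SAMPLE`; running it on the logs from both the CAS role and the mailbox role shows whether the `c_ip` of the noisy entries is a real client or the proxying server.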