llarava asked:
Need to search OWA logs to identify the users that access OWA externally

Hello Experts,

We need to search the OWA logs to identify the users that are accessing OWA externally (internet). I was wondering if someone has done this before and can please share the steps, script or procedure on how to get this done.
We are running Exchange 2016 on premise.

Thank you
Kimputer replied:
They're included in one of the IIS logs, and each line includes the IP address. You'd have to filter all the internal IP addresses out (from the correct column, as the source server's IP is also always there). So it will take a heavy computer to do this job.
Here is the path where you find the logs...

[image not included]

llarava replied:
Thanks. I know where the logs are placed, I also understand the information is there, I am trying to find some way to parse them to get only external/internet connections.
Bembi replied:
A simple solution to your problem is to use ManageEngine Exchange Reporter Plus; it will give you a lot of reports you may be interested in.

The second thing you can do is configure X-Forwarder in IIS or Advanced Logging and do source NAT on your firewall, but you have to extract the public IP information from the IIS logs against each user.

You need to do source NAT at your firewall, or you have to enable X-Forwarding from your load balancer. In my case I'm using F5 as the load balancer and enabled "allow X-Forwarding" on the Exchange Server Pool virtual server at the F5. The same option is available in the KEMP LB, I believe. Here is the X-Forwarder option in KEMP.

[image not included]
Here is the article where you can see the steps to configure X-Forwarder in IIS on your CAS servers.

Third, you can deploy some SIEM solution which collects the logs and makes a good report for you of each user login, from which public IP, and what the location of that IP is.
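Putting Kimputer's point (filter internal addresses out of the right column) and Bembi's (take the real client address from X-Forwarded-For once the load balancer supplies it) together in one script, as an added example and not code from either poster: it parses IIS W3C log lines, keeps authenticated /owa requests, prefers an X-Forwarded-For column when present, and reports each user's non-internal client addresses. The column name X-Forwarded-For, the internal ranges list and the sample log lines are assumptions/constructed data, not taken from the thread.

```python
import ipaddress
from collections import defaultdict
# "Internal" ranges: RFC 1918, loopback, link-local, CGNAT, IPv6 ULA/link-local.
# Extend with your own public ranges and the load balancer's addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample log, not real traffic. "X-Forwarded-For" is an assumed custom
# field name; when that column is absent the client address comes from c-ip.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) X-Forwarded-For sc-status
2019-03-05 08:01:12 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 - 200
2019-03-05 08:02:40 10.0.0.5 POST /owa/auth.owa - 443 CONTOSO\bob 10.0.0.9 Mozilla/5.0 203.0.113.7 200
2019-03-05 08:03:01 10.0.0.5 GET /owa/ - 443 CONTOSO\carol 198.51.100.23 Mozilla/5.0 - 200
2019-03-05 08:03:09 10.0.0.5 GET /ecp/ - 443 CONTOSO\dave 198.51.100.9 Mozilla/5.0 - 200
2019-03-05 08:04:15 10.0.0.5 GET /owa/ - 443 - 192.0.2.44 Mozilla/5.0 - 401
"""

def is_internal(addr_text):
    """True if the address is in INTERNAL_NETS; raises ValueError on malformed input."""
    ip = ipaddress.ip_address(addr_text)
    return any(ip in net for net in INTERNAL_NETS)

def client_address(row):
    """First X-Forwarded-For hop (set by the load balancer) if present, else the TCP peer c-ip."""
    xff = row.get("X-Forwarded-For", "-")
    return xff.split(",")[0].strip() if xff != "-" else row["c-ip"]

def external_owa_users(log_text):
    """Map cs-username -> sorted external client IPs for authenticated /owa requests."""
    fields, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # truncated or malformed row
        row = dict(zip(fields, values))
        if row["cs-username"] == "-" or not row["cs-uri-stem"].lower().startswith("/owa"):
            continue                        # unauthenticated, or not OWA
        addr = client_address(row)
        try:
            if not is_internal(addr):
                seen[row["cs-username"]].add(addr)
        except ValueError:
            pass                            # garbage in the address column
    return {user: sorted(ips) for user, ips in seen.items()}
```

Feed each real log file's text to external_owa_users to run it over the IIS log directory. Without an X-Forwarded-For column and without source NAT, c-ip is the load balancer's address rather than the client's, so every external login would be filtered out as internal.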

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: 'Bembi' (https:#a43307126)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer