Analyze MS Exchange logs

Sometimes the business sends over an interesting request like "Hey man, take a look and see if there is any strange access to our web mail". This tool is really useful for that kind of task: Log Parser Studio

In this case it needs an IISW3CLOG input (the IIS W3C log format the OWA virtual directory writes) and a simple query like this:

SELECT TOP 20 cs-username AS UserID,
    cs(User-Agent) AS Application,
    cs-uri-stem AS Vdir,
    c-ip AS Client,
    cs-method,
    COUNT(*)
FROM '[LOGFILEPATH]'
WHERE cs-uri-stem LIKE '%OWA%'
GROUP BY UserID, Application, Vdir, Client, cs-method
ORDER BY COUNT(*) DESC
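The same aggregation can be run without Log Parser Studio, which is handy on a box where the tool is not installed or when the check has to be scripted. The script below is an added example, not code from the original post or from Log Parser Studio: it reads the #Fields header of an IIS W3C log, rebuilds the query above (filter on OWA paths, group by user, User-Agent, path, client address and method, sort by count), and goes one step further than the query with two triage helpers that spot a client address logging in as several users and non-browser User-Agents hitting OWA. The log lines, host names, users and addresses are constructed for illustration.

```python
"""Reproduce the OWA Log Parser query over an IIS W3C log in plain Python.

Added example; the sample log below is constructed (hypothetical hosts,
users and addresses), with the default IIS W3C field layout.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample log: two interactive users, one EWS client, and one
# scripted client that fails twice and then logs in as two different users.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2023-05-01 08:01:02 10.0.0.5 POST /owa/auth.owa - 443 CONTOSO\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 302 15
2023-05-01 08:01:03 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 40
2023-05-01 08:02:00 10.0.0.5 GET /EWS/Exchange.asmx - 443 CONTOSO\\bob 192.0.2.11 Outlook/16.0 200 30
2023-05-01 09:10:00 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.28 401 5
2023-05-01 09:10:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.28 401 5
2023-05-01 09:10:02 10.0.0.5 POST /owa/auth.owa - 443 CONTOSO\\carol 198.51.100.7 python-requests/2.28 302 12
2023-05-01 09:10:03 10.0.0.5 GET /owa/ - 443 CONTOSO\\carol 198.51.100.7 python-requests/2.28 200 35
2023-05-01 09:10:04 10.0.0.5 POST /owa/auth.owa - 443 CONTOSO\\dave 198.51.100.7 python-requests/2.28 302 12
"""

# Same grouping as the Log Parser query: UserID, Application, Vdir, Client, method.
GROUP_FIELDS = ("cs-username", "cs(User-Agent)", "cs-uri-stem", "c-ip", "cs-method")


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn IIS W3C log lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            # The field list can change mid-file when IIS logging is reconfigured,
            # so always take the most recent #Fields directive.
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split(" ")  # W3C encodes spaces inside values as '+'
        if not fields or len(values) != len(fields):
            continue  # skip truncated records instead of misaligning columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_owa(row: Dict[str, str], pattern: str = "owa") -> bool:
    """WHERE cs-uri-stem LIKE '%OWA%' (Log Parser's LIKE is case-insensitive)."""
    return pattern in row.get("cs-uri-stem", "").lower()


def top_owa_requests(rows: List[Dict[str, str]], top: int = 20) -> List[Tuple[Tuple[str, ...], int]]:
    """SELECT TOP n ... GROUP BY ... ORDER BY COUNT(*) DESC, as (group key, count)."""
    counts = Counter(tuple(r.get(f, "-") for f in GROUP_FIELDS) for r in rows if is_owa(r))
    return counts.most_common(top)


def users_per_client(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Distinct authenticated usernames per client address on OWA paths."""
    seen = defaultdict(set)
    for r in rows:
        if is_owa(r) and r.get("cs-username", "-") != "-":
            seen[r["c-ip"]].add(r["cs-username"])
    return {ip: sorted(users) for ip, users in seen.items()}


def spraying_candidates(rows: List[Dict[str, str]], min_users: int = 2) -> List[str]:
    """Client addresses that authenticated to OWA as min_users or more accounts."""
    return sorted(ip for ip, users in users_per_client(rows).items() if len(users) >= min_users)


def non_browser_agents(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(User-Agent, client) pairs on OWA paths whose agent does not look like a browser."""
    pairs = {(r.get("cs(User-Agent)", "-"), r.get("c-ip", "-"))
             for r in rows if is_owa(r) and not r.get("cs(User-Agent)", "").startswith("Mozilla/")}
    return sorted(pairs)


if __name__ == "__main__":
    log = parse_w3c(SAMPLE_LOG.splitlines())
    for key, n in top_owa_requests(log):
        print(n, *key)
    print("multi-user clients:", spraying_candidates(log))
    print("non-browser agents:", non_browser_agents(log))
```

Point `parse_w3c` at `open(path)` instead of the embedded sample to run it over a real `u_ex*.log`; the `Mozilla/` prefix test is a deliberately crude first cut, so treat its output as a list of things to look at rather than a verdict.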

That's all! The rows worth a closer look are the ones with an unusual User-Agent, a username appearing from many client addresses, or one client address logging in as many users.
