We can generate an OWA login report for Exchange servers from the IIS logs, using Log Parser to produce the desired report.
For example, to get a report of OWA logins for all users over 10 days:
- Download and install Log Parser and Log Parser Studio on a server and note down the installation path.
- On one of the servers where you have enough space, create a folder on the C: drive named “OWALogs”.
- Copy 10 days of logs from C:\inetpub\logs\LogFiles\W3SVC1 on your Exchange servers to C:\OWAlogs
- Create a subdirectory under C:\OWAlogs called MergedOWALogs
- Open an elevated CMD on the server where you installed Log Parser.
- Now navigate to C:\Program Files (x86)\Log Parser 2.2
Run the command below:
- logparser.exe -i:iisw3c -o:csv "SELECT * INTO C:\OWALogs\MergedOWALogs\merged.log FROM C:\OWALogs\*"
- It will take time depending on the size of the logs, and will then create a file merged.log inside C:\OWALogs\MergedOWALogs
- Now run the command below.
LogParser -i:csv -o:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) INTO C:\OWALogs\Output.csv FROM C:\OWALogs\MergedOWALogs\merged.log WHERE cs-method LIKE '%get%' AND cs-uri-stem LIKE '%owa%'"
- It will take time according to the size of logs.
- It will create a file C:\OWALogs\Output.csv
- You can ZIP this file and copy it to your desktop; you can then apply the desired filters to this file to get the results you want.
If the above command doesn’t work in CMD, you can run the commands below in PowerShell.
$logparser = "C:\Program Files (x86)\Log Parser 2.2\logparser.exe"
$query = "SELECT * INTO C:\OWALogs\MergedOWALogs\merged.log FROM C:\OWALogs\*.log"
& $logparser -i:iisw3c -o:csv $query
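
One way to filter Output.csv once it exists, as an added example that is not part of the original post: it drops requests with no username, folds username case, and summarizes each account's request count, active days and client IPs. The sample rows are constructed, and the HealthMailbox* exclusion and the ISO-style date and time columns are assumptions about your data.

```powershell
# Constructed sample rows in the shape of Output.csv (not real log data).
# Column names are the fields selected in the Log Parser query above.
$sample = @'
cs-username,date,time,c-ip,cs-uri-stem,cs(User-Agent)
CONTOSO\alice,2024-05-01,08:01:12,203.0.113.10,/owa/,Mozilla/5.0
CONTOSO\alice,2024-05-01,08:01:13,203.0.113.10,/owa/auth/logon.aspx,Mozilla/5.0
contoso\alice,2024-05-03,19:44:02,198.51.100.7,/owa/,Mozilla/5.0
,2024-05-01,08:00:59,203.0.113.10,/owa/auth/logon.aspx,Mozilla/5.0
CONTOSO\bob,2024-05-02,09:15:40,192.0.2.25,/owa/,Mozilla/5.0
HealthMailbox1234abcd,2024-05-02,09:16:00,::1,/owa/,SampleProbe/1.0
'@
$rows = $sample | ConvertFrom-Csv
# For the real report, replace the line above with:
# $rows = Import-Csv 'C:\OWALogs\Output.csv'

# Keep only requests tied to a named account. Unauthenticated hits have an
# empty or "-" username. Assumption: monitoring accounts start with
# "HealthMailbox"; adjust the pattern to your environment.
$named = $rows | Where-Object {
    $u = $_.'cs-username'
    $u -and $u -ne '-' -and $u -notlike 'HealthMailbox*'
}

# One summary row per account; username case is folded so that
# CONTOSO\alice and contoso\alice are reported together.
$summary = $named |
    Group-Object { $_.'cs-username'.ToLowerInvariant() } |
    ForEach-Object {
        # Assumption: date is yyyy-MM-dd and time is HH:mm:ss, so the
        # combined string sorts chronologically without date parsing.
        $stamps = @($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)
        $ips    = @($_.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique)
        $days   = @($_.Group | ForEach-Object { $_.date } | Sort-Object -Unique)
        [pscustomobject]@{
            User        = $_.Name
            Requests    = $_.Count
            ActiveDays  = $days.Count
            DistinctIPs = $ips.Count
            ClientIPs   = $ips -join ';'
            FirstSeen   = $stamps[0]
            LastSeen    = $stamps[-1]
        }
    }

# Accounts seen from the most client IPs are listed first for review.
$summary | Sort-Object DistinctIPs, Requests -Descending | Format-Table -AutoSize
```

Requests counts GET requests under /owa, not distinct sign-ins, so a single browser session contributes many rows.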