I am researching how to find the exact entry in the IIS logs when a user logs in to on-prem Exchange using OWA, ActiveSync or the Outlook client, for monitoring purposes.
Can somebody help, or point me to the right source to get this information?
For example, for OWA, should I be looking for /owa in the URI, and what else should I be looking for to get the successful login entry?
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2018-10-24 00:19:19
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken x-forwarded-for
2018-10-26 00:13:46 10.0.0.1 GET /owa/ layout=mouse&CorrelationID=<empty>;&ClientId=YQLYPNOFKSDKWPEHODWG&cafeReqId=d74215fd-b921-4e6b-9826-3af8bf29e4ba; 443 john.doe@example.com 8.8.8.8 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 - 200 0 0 62 114.41.44.77
2018-10-26 00:13:47 0.0.0.1 POST /Microsoft-Server-ActiveSync/default.eas User=john.doe@example.com&DeviceId=PATM1AFVF52GBCM8U028IBAGNK&DeviceType=iPhone&Cmd=Sync&CorrelationID=<empty>;&ClientId=0DWZQBEIPKLJLMMGW&cafeReqId=9dcd908d-6404-4bbb-ae07-0ea969dd6fc6; 443 john.doe@example.com 8.8.8.8 Apple-iPhone9C4/1601.404 - 200 0 0 62 114.41.44.77
You don't say if this is O365 or on-prem, whether you configured EAS endpoints to be located by Autodiscover, or whether you have other EAS controls / attributes in place, like DeviceID, MDM, etc.
As Lex Li points out, start with Fiddler. It is like Wireshark for web apps. Even if you do not know the initial item you are after, the results from the Fiddler trace are filterable by strings.
Meaning, you can just search for your OWA URL or a username/alias, device identity (if you are using that), EAS session information, etc. From there you take a look at the IIS logs and App logs for correlation data for what Fiddler gives you.
You can turn on EAS mailbox logging as well.
Set-CASMailbox alias -ActiveSyncDebugLogging:$true
Exchange ActiveSync (EAS) mailbox logs are protocol-level logs that show the traffic between Exchange and the EAS device. This is assuming, of course, that the device actually connects, gets past IIS, and into Exchange code. When troubleshooting EAS issues, this is often the most useful piece of information. Gathering these logs can be quick if you use PowerShell to do so, versus gathering them via ECP.
See also:
Export-ActiveSyncLog
This cmdlet is available only in on-premises Exchange. Use the Export-ActiveSyncLog cmdlet to parse the Internet Information Services (IIS) logs and return information about Microsoft Exchange ActiveSync usage, either on the screen or in an output file.
Update per the OP's response
OK, I missed your on-prem statement.
As for the URL, it's whatever you published. The default is /owa, but of course that can be changed. So, look for the DNS or Exchange entry for your OWA internal/external URL. From your reverse proxy you should be able to get attempts to hit the OWA URL by users.
If you lean toward the logging approach (Exchange version and where these can be set is important), then you can turn on logging for the Directory Service (DS) and Information Store (IS) services, then look for the kinds of events OWA generates. You'll see six or seven events logged each time an OWA user logs on. You'll typically see event IDs 1170, 1136, 1137, 1007, and 1009, and you might see more than one of each. These events will tell you who logged on and when.
You can automate a simulated user OWA logon; use this script...
PowerShell Script to Simulate Outlook Web Access URL User Logon
… and monitor that execution in real time.
Similar approaches exist for EAS as well. Beyond that you need a 3rdP solution, and there are several of those out there, for example Exoprise or ManageEngine.
Remember that anything that requires a logon will show up in the Security event logs as success / failure events.
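Added example, not code from the answer above or from any Microsoft tooling: a small parser for W3C-format IIS logs laid out like the question's excerpt, which reports the first authenticated OWA and ActiveSync request per user, client address and protocol. The sample log is constructed; the only assumption beyond the page is the standard IIS behaviour that cs-username stays "-" until a request has authenticated.

```python
# Constructed sample in the W3C layout of the question's excerpt; names,
# addresses and device IDs are placeholders, not real data.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken x-forwarded-for
2018-10-26 00:13:40 10.0.0.1 GET /owa/ - 443 - 8.8.8.8 Mozilla/5.0 - 302 0 0 5 -
2018-10-26 00:13:46 10.0.0.1 GET /owa/ layout=mouse 443 john.doe@example.com 8.8.8.8 Mozilla/5.0 - 200 0 0 62 114.41.44.77
2018-10-26 00:13:47 10.0.0.1 POST /Microsoft-Server-ActiveSync/default.eas User=john.doe@example.com&DeviceId=PATM1AFVF52GBCM8U028IBAGNK&DeviceType=iPhone&Cmd=Sync 443 john.doe@example.com 8.8.8.8 Apple-iPhone9C4/1601.404 - 200 0 0 62 114.41.44.77
2018-10-26 00:14:01 10.0.0.1 POST /Microsoft-Server-ActiveSync/default.eas User=john.doe@example.com&DeviceId=PATM1AFVF52GBCM8U028IBAGNK&DeviceType=iPhone&Cmd=Ping 443 john.doe@example.com 8.8.8.8 Apple-iPhone9C4/1601.404 - 200 0 0 900 114.41.44.77
2018-10-26 00:15:10 10.0.0.1 POST /Microsoft-Server-ActiveSync/default.eas User=jane@example.com&Cmd=Sync 443 - 203.0.113.9 Apple-iPhone9C4/1601.404 - 401 1 0 3 -
"""

# Virtual-directory prefixes seen in the question's log; compared lower-cased
# because IIS records the stem exactly as the client sent it.
PROTOCOLS = {"/owa": "OWA", "/microsoft-server-activesync": "ActiveSync"}

def classify(stem):
    """Map a cs-uri-stem to the Exchange client protocol it belongs to."""
    low = stem.lower()
    for prefix, name in PROTOCOLS.items():
        if low.startswith(prefix):
            return name
    return None

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line.
    W3C fields are single-space separated and never contain spaces."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def first_logons(text):
    """Earliest authenticated OWA/EAS request per (user, client IP, protocol).
    IIS fills cs-username only once the request has authenticated, so a '-'
    (the 302 to the logon form, or a 401 challenge) is not a logon; the first
    2xx carrying a real username is the earliest proof the user was accepted."""
    seen = {}
    for rec in parse_w3c(text):
        proto = classify(rec["cs-uri-stem"])
        user = rec["cs-username"]
        if proto is None or user == "-" or not rec["sc-status"].startswith("2"):
            continue
        # Behind a reverse proxy c-ip is the proxy; prefer X-Forwarded-For.
        client = rec.get("x-forwarded-for", "-")
        if client == "-":
            client = rec["c-ip"]
        seen.setdefault((user.lower(), client, proto), f"{rec['date']} {rec['time']}")
    return seen
```

Feed it a real log with `first_logons(open(path).read())`; each key is one user/device/protocol combination and the value is the timestamp of its first accepted request.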
I'm using Squid 3.5 on Windows 2012 Server and I want to know how many DNS requests my server makes.
Some more details:
I suspect it makes a dns query on every request and produces a slightly added latency that could be avoided.
Is there any means of finding out this info? I have tried squidclient mgr:5min and it shows how long dns requests take on average, but doesn't show the count.
My dns.median_svc_time reads 0.025624 seconds, and it's fine as long as it caches those responses, but if it's 25 msec added to every request, then this is totally unacceptable.
Yes, Squid should be able to give you the info you want via the cache manager. It provides FQDN stats and a full IP cache summary (which I suspect is more what you're looking for).
Have a look at the docs here for the FQDN info and here for the full ipcache details; they explain what both mean/provide.
You access these via:
http://localhost/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=fqdncache&auth=
http://localhost/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=ipcache&auth=
Suppose that my computer is not compromised. If somebody is listening somewhere between my computer and the server (my ISP for example), what can they see of my HTTPS connection?
I assume they can see the domain (e.g. google.com).
But what about the specific site I'm browsing (e.g. /wiki/Privacy in https://en.wikipedia.org/wiki/Privacy)?
What about the subdomain (e.g. en in https://en.wikipedia.org/wiki/Privacy)?
What about GET parameters, everything after the '?' (e.g. https://www.google.com/search?q=privacy). Can they see what I search on google?
Please feel free to add more info in case I've missed asking something relevant.
Example: https://www.google.com/search?q=privacy
They can see
The full domain (domain or subdomain, here "www.google.com")
The ip of the contacted domain
The approximate size of the exchanged data
The duration of the exchange(s)
They cannot see:
The path (the part of the url after the domain, here "/search")*
The GET or POST parameters (here "?q=privacy")
The content of the answer
The cookies
*After a bug in proxy discovery, the path and GET parameters may be transmitted in plain text (http://www.securitynewspaper.com/2016/08/01/proxy-pac-hack-allows-intercept-https-urls/).
And from the approximate size of the exchanged data, it may be possible to infer which pages were visited.
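Added example, not part of the answer above: it drives Python's ssl module into a memory BIO to capture the real ClientHello a client would send for the URL, then parses the SNI extension to show that the hostname is in the clear while the path and query string never appear in the handshake. Nothing is transmitted; OpenSSL builds the handshake and the example's own parser walks the record layout.

```python
import ssl
import struct
from typing import Optional
from urllib.parse import urlsplit

def build_client_hello(hostname: str) -> bytes:
    """Run the client side of a TLS handshake against a memory BIO and
    return the ClientHello record exactly as it would go on the wire.
    Nothing is sent; the handshake stalls because no ServerHello arrives."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                      # expected: waiting for the server
    return outgoing.read()

def extract_sni(record: bytes) -> Optional[str]:
    """Walk the plaintext ClientHello to the server_name extension (type 0)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                     # headers, version, random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:
            # server_name_list length (2), name_type (1), name length (2), name
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def observer_view(url: str) -> dict:
    """What a passive on-path observer reads from the first packet of an
    HTTPS request for `url`: the host via SNI, never the path or query."""
    parts = urlsplit(url)
    hello = build_client_hello(parts.hostname)
    return {
        "sni_host": extract_sni(hello),
        "path_in_clear": bool(parts.path) and parts.path.encode() in hello,
        "query_in_clear": bool(parts.query) and parts.query.encode() in hello,
    }
```

The server's certificate and the encrypted application data follow later in the exchange; this block only inspects what the first plaintext message exposes.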
I need some assistance with these type of scanners, there seem to be many of them on the web but I can't seem to find specific details of what they are meant to achieve.
I understand that they are communicating on the SMTP port, but I am not certain of what type of information they are trying to get.
The reason I ask is that I am currently investigating an SMTP VRFY scanner. I have made the scanner connect to a Windows XP system, but it states
Waiting for SMTP banner
220 testing221 Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Sun, 27 Sep 2015 19:04:44 +0100
testing221 corresponds to the domain on the SMTP virtual server, on the xp system.
The SMTP VRFY command is intended to allow a sender to verify the correctness of an email address without actually sending an email.
This feature was abused by spammers very early on. As a result, most SMTP servers are configured to ignore the command.
It is effectively useless on the public internet these days. You will find very few, if any, domains configured to support the command.
I have the following setup:
A server with CentOS 6
XMPP server (used ejabberd)
A browser client (used Candy-chat)
Chat is working, users have permissions, etc.
What I need to do is to create a room when user X wants to. If the user uses a stand alone client (like Pidgin) everything is ok but I need to create a room using a browser based client.
The question is how do I do that?
Note: Tried to find a client that supports the feature - failed.
Note 2: It is OK if I can do it from the server command line (shell script), since I can send an AJAX request to a PHP script that runs the command. I tried to use ejabberdctl for this but I couldn't find any functions that do that (found 9999 functions about users, the server, etc., but nothing regarding rooms). I guess I must edit the mod_muc options and then restart the server, but I'm not sure, and it is not right to restart the server for all users.
Thank you for your time.
See http://xmpp.org/extensions/xep-0045.html#createroom
XEP-0045 defines the Multi-User Chat protocol in XMPP. You don't need to use the command line or any other out-of-band communication; the protocol is already defined and works in-band in the user's XMPP session. This is what any Jabber client that supports chat rooms implements.
Note that the protocol itself is long, complex and has many options and alternatives (to configure the room parameters, affiliations, do administration work, etc), but you don't have to use all of them, see Example 153, just
<presence from='crone1@shakespeare.lit/desktop' to='coven@chat.shakespeare.lit/firstwitch'>
<x xmlns='http://jabber.org/protocol/muc'/>
</presence>
will be enough to create room "coven". After that user "crone1" will be the owner of that room, and will be logged in the room with nick "firstwitch".
I am trying to make sense of the Chrome Developer Tools when I run performance tests on my websites. If you select Network on the tools menu it will look like this:
Then if I select the performance file I will have this information:
My question is this:
What is the meaning of DNS Lookup, Connecting, Sending, Waiting and Receiving? What is happening between the server, network and browser at each stage?
On the first image, the red line reads "Load event fired" and the blue one reads "DOMContent event fired". What is the meaning of this, and why is the DOMContent event fired after all the content has been loaded?
Answering part II:
The blue line (DOMContentLoaded event): It happens when the browser has finished parsing the main document.
The red line (Load event): It happens when the browser has finished retrieving all the resources required by the main document.
After the red line: Here you will see loading of asynchronous and cached resources required by the main document and by other resources.
I'm not sure if this is a good fit for SO as this is a network question more than a programming question but I'll answer the parts I can...
DNS Lookup
When you connect to a website, it has to look up the IP from the DNS. For example, your computer will contact a DNS asking if it knows where "google.com" is. If it does, it'll give you an IP. If it doesn't, it'll either give you the IP of another DNS or it will contact that DNS itself (I'm not sure which implementation applies where) until eventually you end up with the IP of the host you're looking for.
Connecting
Time it takes to connect with that IP. I'm not sure of the details here.
Sending
After connecting, you send the request to the server. It can be a request to view a page or submit data or anything.
Waiting
After sending your request, you wait for the server to respond to it. It can be busy or might take a while to process whatever you requested.
Receiving
Once the server has processed your request, it'll send data back to you.
Here is a description by Google:
https://developers.google.com/web/tools/chrome-devtools/network/reference