Generate some advanced ActiveSync Server usage stats using IIS Logs
Published Mar 28 2005 03:57 PM 3,774 Views

As you all would expect, Exchange Server ActiveSync (EAS) requests get recorded in the IIS logs by default at “%windows%\system32\LogFiles\W3SVC1”.  What you may not know is that EAS does extend the standard log by adding some custom fields.  These fields are provided with the goal of enabling usage analysis.

These statistics include a per-folder count of each add/change/delete/fetch generated by the client, and a companion count for each add/change/delete generated by the server.

The format of the appended data is as follows:

  &Log=V[Protocol Version]T[Folder DataType]S[Sync Type]C:#A#C#D#FS:#A#C#DP:#C#I#S#R

Let’s see what this mean in plain English.

The parameter V indicates the protocol version of the request.  It can be one of three values {1, 2, 3, NA}:

  • 1 indicates v1.0
  • 2 indicates v2.0
  • 3 indicates v2.1
  • NA if unknown/invalid.

T indicates the Type of the data being synchronized:

  • Em for E-mail
  • Co for Contacts
  • Ca for Calendar
  • NA for none

S indicates the type of sync operation being performed: normal sync, recovery sync, or first sync.  Note that this field only applies to the Sync command. All other commands will set this field to N:

  • N indicates this is not a sync command
  • S indicates that this is a normal sync
  • R indicates that this is a recovery sync
  • F indicates that this is a first sync

You may wonder what normal sync, recovery sync and first sync mean…this is really another topic altogether but in a nutshell.

  • First sync:  This is the first time you synchronize your device with Exchange.
  • Normal sync:  This is the standard sync operation that happens every time you manually sync from your device or when schedule synchronization kicks in.
  • Recover sync:  This is when a request from a client or a response from the server gets lost (yes…there are still some unreliable networks!).

C indicates that the following statistics are from the client.

  • A is number of client adds
  • C is number of client changes
  • D is number of client deletes
  • F is number of client fetches

S indicates that the following statistics are from the server

  • A is number of server adds
  • C is number of server changes
  • D is number of server deletes
  • S is number of server soft deletes

P indicates that the next few parameters are all related to performance. Note that in the event that no operations are performed, the count will read 0.

  • C is number of connections initiated to Exchange
  • I is number of I/Os to Exchange
  • S is number of bytes sent to Exchange
  • R is number of bytes received from Exchange
  • Now that we understand how the log string can be parsed, let’s look at a real scenario.

    Here is an example of an entry in the IIS log:

    2005-03-08 09:00:08 157.54.6.21 POST /Microsoft-Server-ActiveSync
    User=johndoe&DeviceId=09310B008B41CF1128000050BF3F5173&DeviceType=
    PocketPC&Cmd=Sync&&Log=V2TCoSSC:0A0C0D0FS:1A0C0D0SP:1C2I105992S109982R 200 1122 438 657 Microsoft-AirSync/3.0

  • The part that provides usage statistics comes after &Log:

    &Log=V2TCoSSC:0A0C0D0FS:1A0C0D0SP:1C2I105992S109982R

    This indicates that the protocol version was “2.0” (V=2); the syncType was “normal sync” (S=S); and we were syncing a contact folder (T=Co).  Next, we start reading what the client was sending to the server: 0 Client Adds, 0 Client Changes, 0 Deletes, and 0 Fetches.  This seems to indicate that the client was just doing a regular scheduled sync or the user was manually synchronizing with the server.

    If we look at the server side than we can see the following: 1 Server Add, 0 Server Changes, 0 Server Deletes and 0 Server Soft Deletes.  This means that the user just got a new email!

    Finally let’s look at the performance data: there was 1 connection initiated to the Exchange server, 2 I/O operations to the Exchange back-end, 105992 bytes sent to the client and 109982 bytes received from the Exchange back-end server.

    If you write your own script to parse the Log data make sure that you keep the parsing logic flexible because we may add new fields in the next version. The parsing logic should look for and parse out only the fields that it understands. If you take such approach, new fields will get ignored and won’t break the parser.

    As we move forward we are looking at adding some great ways to generate better reporting on how devices are synchronizing with your Exchange servers.  Please let us know what you’d like to see in the next release!

    Cheers!

    - Max Ciccotosto and Selva Nalliah

  • Version history
    Last update:
    ‎Mar 28 2005 03:57 PM
    Updated by: