As you all would expect, Exchange Server ActiveSync (EAS) requests get recorded in the IIS logs by default at “%windows%\system32\LogFiles\W3SVC1”. What you may not know is that EAS does extend the standard log by adding some custom fields. These fields are provided with the goal of enabling usage analysis.
These statistics include a per-folder count of each add/change/delete/fetch generated by the client, and a companion count for each add/change/delete generated by the server.
The format of the appended data is as follows:
&Log=V[Protocol Version]T[Folder DataType]S[Sync Type]C:#A#C#D#FS:#A#C#DP:#C#I#S#R
Let’s see what this mean in plain English.
The parameter V indicates the protocol version of the request. It can be one of three values {1, 2, 3, NA}:
T indicates the Type of the data being synchronized:
S indicates the type of sync operation being performed: normal sync, recovery sync, or first sync. Note that this field only applies to the Sync command. All other commands will set this field to N:
You may wonder what normal sync, recovery sync and first sync mean…this is really another topic altogether but in a nutshell.
C indicates that the following statistics are from the client.
S indicates that the following statistics are from the server
P indicates that the next few parameters are all related to performance. Note that in the event that no operations are performed, the count will read 0.
Now that we understand how the log string can be parsed, let’s look at a real scenario.
Here is an example of an entry in the IIS log:
2005-03-08 09:00:08 157.54.6.21 POST /Microsoft-Server-ActiveSync
User=johndoe&DeviceId=09310B008B41CF1128000050BF3F5173&DeviceType=
PocketPC&Cmd=Sync&&Log=V2TCoSSC:0A0C0D0FS:1A0C0D0SP:1C2I105992S109982R 200 1122 438 657 Microsoft-AirSync/3.0
The part that provides usage statistics comes after &Log:
&Log=V2TCoSSC:0A0C0D0FS:1A0C0D0SP:1C2I105992S109982R
This indicates that the protocol version was “2.0” (V=2); the syncType was “normal sync” (S=S); and we were syncing a contact folder (T=Co). Next, we start reading what the client was sending to the server: 0 Client Adds, 0 Client Changes, 0 Deletes, and 0 Fetches. This seems to indicate that the client was just doing a regular scheduled sync or the user was manually synchronizing with the server.
If we look at the server side than we can see the following: 1 Server Add, 0 Server Changes, 0 Server Deletes and 0 Server Soft Deletes. This means that the user just got a new email!
Finally let’s look at the performance data: there was 1 connection initiated to the Exchange server, 2 I/O operations to the Exchange back-end, 105992 bytes sent to the client and 109982 bytes received from the Exchange back-end server.
If you write your own script to parse the Log data make sure that you keep the parsing logic flexible because we may add new fields in the next version. The parsing logic should look for and parse out only the fields that it understands. If you take such approach, new fields will get ignored and won’t break the parser.
As we move forward we are looking at adding some great ways to generate better reporting on how devices are synchronizing with your Exchange servers. Please let us know what you’d like to see in the next release!
Cheers!
- Max Ciccotosto and Selva Nalliah
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.