65
Frontend
backend
C:\inetpub\logs\LogFiles\W3SVC1
C:\inetpub\logs\LogFiles\W3SVC2
Log type : w3clog
/* Return every field of each IIS (w3clog) row whose cs-username contains
   "kozlova". '[LOGFILEPATH]' is a placeholder; presumably the tool replaces
   it with the selected log folder - confirm.
   The %...% pattern is a substring match, so any other account name that
   contains the same text is returned as well. */
SELECT *
FROM '[LOGFILEPATH]'
WHERE cs-username LIKE '%kozlova%'
Mapi trouble
C:\Program Files\Microsoft\Exchange Server\V15\Logging\MapiHttp\Mailbox
Log type : csvlog
/* Return every field of each MapiHttp (csvlog) row whose
   AuthenticatedUserEmail contains "kozlova". The %...% pattern is a
   substring match, so other addresses containing the same text match too. */
SELECT *
FROM '[LOGFILEPATH]'
WHERE AuthenticatedUserEmail LIKE '%kozlova%'
/* Same user filter on AuthenticatedUserEmail, narrowed to rows that look
   like failures: httpstatuscode does not start with "2", or is missing.
   The explicit IS NULL test keeps rows that have no status value at all. */
SELECT *
FROM '[LOGFILEPATH]'
WHERE AuthenticatedUserEmail LIKE '%kozlova%'
AND (httpstatuscode NOT LIKE '2%' OR httpstatuscode IS NULL)
Check mobile sync
[PS] C:\Windows\system32>Get-ActiveSyncDeviceStatistics -Mailbox olga.kozlova | ft DeviceType, DeviceUserAgent, LastSuccessSync, LastSyncAttemptTime
WARNING: The Get-ActiveSyncDeviceStatistics cmdlet will be removed in a future version of Exchange. Use the Get-MobileDeviceStatistics cmdlet instead. If you have any scripts that use
the Get-ActiveSyncDeviceStatistics cmdlet, update them to use the Get-MobileDeviceStatistics cmdlet. For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.
DeviceType DeviceUserAgent LastSuccessSync LastSyncAttemptTime
---------- --------------- --------------- -------------------
Outlook Outlook-iOS-Android/1.0 3/25/2026 11:24:26 AM 3/25/2026 11:24:26 AM
C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi
log type : csvlog
/* HttpProxy\Mapi (csvlog) rows for the user where httpstatus does not start
   with "2", or where backendstatus is missing.
   NOTE(review): the IS NULL test is on backendstatus while the LIKE test is
   on httpstatus. The MapiHttp query on this page tests the same column in
   both places. If this is deliberate (requests that never got a back-end
   answer), keep it; otherwise rows with a missing httpstatus may not be
   returned - confirm which was intended. */
SELECT *
FROM '[LOGFILEPATH]'
WHERE AuthenticatedUser LIKE '%kozlova%'
AND (httpstatus NOT LIKE '2%' OR backendstatus IS NULL)
Проверить bad логон в owa
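# Check for bad logons in OWA: list today's front-end IIS requests that mention
# the user and did not finish with HTTP status 200, ignoring /OAB/ requests.
#
# NOTE(review): IIS names W3C log files by UTC date unless the site is set to
# use local time for file naming, so shortly after local midnight this path
# may not exist yet - confirm the site's logging setting.
$today   = Get-Date -Format "yyMMdd"
$logPath = "C:\inetpub\logs\LogFiles\W3SVC1\u_ex$today.log"

# Locate the sc-status column from the log's own "#Fields:" header.
# Testing for the text " 200 " anywhere in the line also hides rows where some
# other numeric field (sc-bytes, for example) happens to equal 200, which can
# drop exactly the failed requests this check is looking for.
$fieldsLine = Select-String -Path $logPath -Pattern '^#Fields: ' |
    Select-Object -Last 1
$statusIdx = -1
if ($fieldsLine) {
    $fieldNames = ($fieldsLine.Line -replace '^#Fields: ', '') -split ' '
    $statusIdx  = [array]::IndexOf($fieldNames, 'sc-status')
}

Select-String -Path $logPath -Pattern "lukas" |
    Where-Object {
        $line = $_.Line

        # Skip W3C header lines and Offline Address Book traffic.
        if ($line.StartsWith('#') -or $line -match '/OAB/') { return $false }

        if ($statusIdx -ge 0) {
            # Compare the status column itself rather than the whole line.
            return (($line -split ' ')[$statusIdx] -ne '200')
        }

        # No "#Fields:" header found: fall back to the plain text test.
        return ($line -notmatch ' 200 ')
    }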
Попытки входа
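# Logon attempts: today's failed logons (Security event ID 4625) whose message
# mentions "kozl". Reading the Security log normally needs an elevated session.
$start = (Get-Date).Date
$end = $start.AddDays(1)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $start
    EndTime   = $end
} |
    # The match runs over the whole rendered message, so a hit can come from a
    # field other than the failed account (workstation name, subject account).
    # The User column below shows which account the event was logged for.
    Where-Object { $_.Message -match "kozl" } |
    ForEach-Object {
        $msg = $_.Message

        # Read the named EventData fields from the event XML. Unlike the
        # rendered message text, these do not change with the display language.
        $data = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }

        [PSCustomObject]@{
            Time      = $_.TimeCreated
            # Account the logon failed for, not the search text.
            User      = if ($data['TargetUserName']) { $data['TargetUserName'] } else { "-" }
            IP        = if ($data['IpAddress']) { $data['IpAddress'] } else { "-" }
            # Readable reason still comes from the rendered message; it is "-"
            # when the message is not rendered in English.
            Reason    = if ($msg -match "Failure Reason:\s+([^\r\n]+)") { $matches[1] } else { "-" }
            LogonType = if ($data['LogonType']) { $data['LogonType'] } else { "-" }
            # NTSTATUS codes: language-independent, and SubStatus separates a
            # wrong password from an unknown or locked-out account.
            Status    = if ($data['Status']) { $data['Status'] } else { "-" }
            SubStatus = if ($data['SubStatus']) { $data['SubStatus'] } else { "-" }
        }
    }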
