locked
Audit failed login attempts in Exchange OWA 2013 RRS feed

  • Question

  • Hello Dears

    I'm trying to find out the failed login attempt over my OWA in Exchange 2013

    After some research I found it should be on IIS Virtual Directory logs (C:\inetpub\logs\LogFiles\W3SVC1), and I should use Log Parser 2.2 to export the needed results. (I used this article http://myriadofthings.com/outlook-web-access-owa-and-activesync-reporting-using-iis-logs/)

    But when i parsed the logs, i wasn't able to find my failed attempts that i just did now as a test.

    I should fond them in the results. But I only find results for past 9 hours and earlier. not sure why my last attempts were logged as expected.

    Could you please advise what I'm missing here? Is this the right way to get the failed login attempts for 2013 OWA, and why its not updates by last failed attempts.

    Thanks in advance


    Islam Zorina System Engineer | MCITP | MCSA | MCSE eslamzorinaa@hotmail.com

    Friday, August 19, 2016 10:16 AM

Answers

  • Make sure if you are trying to login from external network or internal network?

    If that is external please check on TMG of any reverse proxy logs if the login attempt was failed on reverse proxy gateway.

    It its internal- you can check the event Id's and try to find the log entry for event ID 4625 that should show the failed attempt.

    Please make sure to point the OWA url to any of the particular CAS server if its behind the LB and parse the log from that particular cas server.

    you can also filter the IIS logs by using the below command..

    dir .\logfileforcurrentdate*.LOG | sls "domain\username" | Select-Object -Last 4

    It should filter and find the result for particular user name.

    Let me know if that help you something?

    • Proposed as answer by Niko.Cheng Monday, August 22, 2016 2:07 AM
    • Marked as answer by Niko.Cheng Friday, September 2, 2016 6:12 AM
    Friday, August 19, 2016 11:18 AM

All replies

  • Make sure if you are trying to login from external network or internal network?

    If that is external please check on TMG of any reverse proxy logs if the login attempt was failed on reverse proxy gateway.

    It its internal- you can check the event Id's and try to find the log entry for event ID 4625 that should show the failed attempt.

    Please make sure to point the OWA url to any of the particular CAS server if its behind the LB and parse the log from that particular cas server.

    you can also filter the IIS logs by using the below command..

    dir .\logfileforcurrentdate*.LOG | sls "domain\username" | Select-Object -Last 4

    It should filter and find the result for particular user name.

    Let me know if that help you something?

    • Proposed as answer by Niko.Cheng Monday, August 22, 2016 2:07 AM
    • Marked as answer by Niko.Cheng Friday, September 2, 2016 6:12 AM
    Friday, August 19, 2016 11:18 AM
  • Hi IsIam,

    Is there any update on this thread?

    If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. 

    Thanks for your understanding.

    Best regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 29, 2016 1:03 AM