Exchange Server OWA Login success and failure log parameter

Binod Maharjan 46 Reputation points
2023-06-13T06:07:51.8366667+00:00

Hello,

How do we identify which Exchange OWA log entries indicate a successful login and which a failure?

Actually, we need to integrate with SIEM solutions and cannot identify which Exchange OWA URL indicates a successful login and which a failure.

If there is any documentation from Microsoft, or any suggestion, please help.


Accepted answer
  1. Aholic Liang-MSFT 13,741 Reputation points Microsoft Vendor
    2023-06-16T09:28:31.0933333+00:00

    Hi @Binod Maharjan,

    Yes. I carefully compared the success and failure entries in IIS logs. As you said, the identifier indicating success is not as clear as failure.

    So I checked some other login logs and found a more suitable identifier for the trigger in the httpproxy logs.

    You can find the httpproxy logs related to OWA at this location: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa

    Failed entry:

    2023-06-16T05:38:27.264Z,14e1b06a-1fa2-47ee-afc8-95142913eeab,15,1,2507,6,,Owa,e16a,/owa/auth.owa,,FBA,false,,,,Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.100,192.168.2.52,E16A,302,,,POST,,,,,,,,,132,,,,,,,,,,,,,,,28,,,,,,,,,,,,,,28,,28,28,,,,ClientId=B89D36EBF04F4812AB9456267F870051;BeginRequest=2023-06-16T05:38:27.236Z;CorrelationID=<empty>;SharedCacheGuard=0;NoCookies=302 - GET/E14AuthPost;EndRequest=2023-06-16T05:38:27.264Z;,,,,,,

    Success entry:

    2023-06-16T05:35:41.342Z,d2eae339-b0e7-4f72-ae5f-de9e74e21f1b,15,1,2507,6,,Owa,e16a,/owa/auth.owa,,FBA,true,DOMAIN1\Administrator,,Sid~S-1-5-21-960715358-4216514951-3559177506-500,Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.100,192.168.2.52,E16A,302,,,POST,,,,,WindowsIdentity,Database~67a251b9-031b-4160-8d98-86bbef4165da~~


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
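An added example (not code from the thread or from Microsoft) that turns the accepted answer's observation into SIEM-ready events: it parses the HttpProxy\Owa log, keeps the POST /owa/auth.owa entries, uses the IsAuthenticated column (true in the success entry, false in the failed one) to classify each logon, and counts failures per source address. The column names are an assumption inferred from the two sample entries; a real log file starts with a `#Fields:` header that names its columns, and the parser prefers that header when present. The sample log embeds the two entries quoted above (trailing latency columns dropped) plus constructed extra rows, and the address 203.0.113.7 is constructed.

```python
"""Classify OWA forms-based (FBA) logons from the Exchange HttpProxy\\Owa log.

Added example for this thread, not code from Microsoft or from the answer. It
reads the comma-separated HttpProxy log, keeps POST /owa/auth.owa requests and
uses the IsAuthenticated column (true/false in the accepted answer's entries)
to separate successful from failed logons, then flags source addresses with
repeated failures. Column names are an assumption inferred from the two sample
entries; a real log file carries a '#Fields:' header that names its columns,
and the parser prefers that header whenever it is present.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed column layout for the leading columns (verify against '#Fields:').
ASSUMED_FIELDS = [
    "DateTime", "RequestId", "MajorVersion", "MinorVersion", "BuildVersion",
    "BuildRevision", "ClientRequestId", "Protocol", "UrlHost", "UrlStem",
    "ProtocolAction", "AuthenticationType", "IsAuthenticated",
    "AuthenticatedUser", "Organization", "AnchorMailbox", "UserAgent",
    "ClientIpAddress", "ServerHostName", "HttpStatus", "BackEndStatus",
    "ErrorCode", "Method",
]

# Constructed sample log: a '#Fields:' header in the assumed layout, the two
# entries quoted in the accepted answer (trailing latency columns dropped), two
# constructed failures from 203.0.113.7, and one unrelated authenticated GET.
# Exchange writes the user agent without commas, so a plain split is safe.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Fields: DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,BuildRevision,ClientRequestId,Protocol,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,AnchorMailbox,UserAgent,ClientIpAddress,ServerHostName,HttpStatus,BackEndStatus,ErrorCode,Method
2023-06-16T05:35:41.342Z,d2eae339-b0e7-4f72-ae5f-de9e74e21f1b,15,1,2507,6,,Owa,e16a,/owa/auth.owa,,FBA,true,DOMAIN1\Administrator,,Sid~S-1-5-21-960715358-4216514951-3559177506-500,Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.100,192.168.2.52,E16A,302,,,POST
2023-06-16T05:38:27.264Z,14e1b06a-1fa2-47ee-afc8-95142913eeab,15,1,2507,6,,Owa,e16a,/owa/auth.owa,,FBA,false,,,,Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.100,192.168.2.52,E16A,302,,,POST
2023-06-16T05:40:01.000Z,00000000-0000-0000-0000-000000000001,15,1,2507,6,,Owa,e16a,/owa/auth.owa,,FBA,false,,,,curl/8.0,203.0.113.7,E16A,302,,,POST
2023-06-16T05:40:03.000Z,00000000-0000-0000-0000-000000000002,15,1,2507,6,,Owa,e16a,/owa/auth.owa,,FBA,false,,,,curl/8.0,203.0.113.7,E16A,302,,,POST
2023-06-16T05:41:00.000Z,00000000-0000-0000-0000-000000000003,15,1,2507,6,,Owa,e16a,/owa/,,FBA,true,DOMAIN1\Administrator,,,Mozilla/5.0,192.168.2.52,E16A,200,,,GET
"""


def parse_httpproxy_log(text):
    """Yield one dict per data row, keyed by '#Fields:' (or the assumed layout)."""
    names = ASSUMED_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = [n.strip() for n in line[len("#Fields:"):].split(",")]
            continue
        yield dict(zip(names, line.split(",")))


def classify_logon(row):
    """Return 'success' or 'failure' for FBA logon posts, None for other rows."""
    if row.get("Method") != "POST" or row.get("UrlStem", "").lower() != "/owa/auth.owa":
        return None
    if row.get("AuthenticationType") != "FBA":
        return None
    return "success" if row.get("IsAuthenticated", "").lower() == "true" else "failure"


def logon_events(text):
    """Normalised logon events: the record a SIEM ingestion rule would emit."""
    events = []
    for row in parse_httpproxy_log(text):
        outcome = classify_logon(row)
        if outcome is None:
            continue
        when = datetime.strptime(row["DateTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "time": when.replace(tzinfo=timezone.utc),
            "outcome": outcome,
            "user": row.get("AuthenticatedUser") or None,   # empty on failure
            "source_ip": row.get("ClientIpAddress", ""),
            "request_id": row.get("RequestId", ""),
        })
    return events


def failures_by_source(events, threshold=2):
    """Source addresses with at least `threshold` failed FBA logons."""
    counts = defaultdict(int)
    for event in events:
        if event["outcome"] == "failure":
            counts[event["source_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = logon_events(SAMPLE_LOG)
    for event in found:
        print(event["time"].isoformat(), event["outcome"], event["user"], event["source_ip"])
    print("repeated failures:", failures_by_source(found))
```

Point the script at a file under the HttpProxy\Owa directory named in the answer instead of SAMPLE_LOG to run it against real data; the header-driven parser means extra or reordered columns in a newer build do not break the field lookup.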


2 additional answers

  1. Aholic Liang-MSFT 13,741 Reputation points Microsoft Vendor
    2023-06-14T06:20:04.7633333+00:00


    Hi @Binod Maharjan,

    In Exchange Server, you can check the IIS logs (C:\inetpub\logs\LogFiles\W3SVC1) for entries that succeeded or failed the OWA response.

    The sc-status field should contain 200, which indicates a successful HTTP response.

    The sc-status field should contain a value other than 200 to indicate that an error occurred in the HTTP response.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. GRIGORIY ERMOLAEV 0 Reputation points
    2024-04-23T08:55:37.4166667+00:00

    When a user clicks Log in on the login and password form, a POST request is sent to https://<owa_server_name>/owa/auth.owa; in response, the server sends a 302 redirect with a Location header that contains the link.
    [screenshot not reproduced]

    The link has a reason parameter that can take the value reason=2, indicating that the login/password was unsuccessful. By default, IIS does not log this header, so you need to add this logging. This can be done through:
    [screenshot not reproduced]

    And further:

    [screenshot not reproduced]

    Then in Splunk this can be found using the following SPL:
    index=your_iis_index cs_uri_stem="/owa/auth.owa" response_location_h="*reason=2*"

    The SPL will return all failed login attempts.
    To get successful logins, combine:
    index=your_iis_index cs_uri_stem="/owa/auth.owa" response_location_h!="*reason=2*"

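An added example (not code from Microsoft, Splunk or any of the answers) that applies the last answer's reason=2 rule to IIS W3C log lines once the Location response header is being logged, and serves the second answer too by carrying sc-status in each event: the accepted answer's entries show 302 for both outcomes, so the status alone cannot separate them, while the redirect target can. Assumptions: the custom IIS field is named response_location_h, the same name the SPL uses; the log lines, the host mail.example.com and the address 203.0.113.7 are constructed.

```python
"""Classify OWA logons from IIS W3C logs using the logged Location header.

Added example for this thread, not code from Microsoft, Splunk or the answers.
It mirrors the SPL in the last answer: a POST to /owa/auth.owa whose redirect
target carries reason=2 is a failed logon, a plain 302 without it is a success.
Each event keeps sc-status to show that the status alone (second answer) does
not separate the two cases. Assumed: the custom IIS field logging the Location
response header is named response_location_h; the sample rows are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOCATION_FIELD = "response_location_h"   # assumed name of the custom IIS field

# Constructed W3C sample: the standard IIS columns plus the custom Location
# column. IIS '+'-encodes spaces inside values, so rows split cleanly on spaces.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-06-16 05:35:41
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken response_location_h
2023-06-16 05:35:41 10.0.0.5 POST /owa/auth.owa - 443 - 192.168.2.52 Mozilla/5.0+(Windows+NT+6.3) 302 0 0 120 https://mail.example.com/owa/
2023-06-16 05:38:27 10.0.0.5 POST /owa/auth.owa - 443 - 192.168.2.52 Mozilla/5.0+(Windows+NT+6.3) 302 0 0 28 /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=2
2023-06-16 05:40:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 curl/8.0 302 0 0 15 /owa/auth/logon.aspx?url=https://mail.example.com/owa/&reason=2
2023-06-16 05:40:05 10.0.0.5 GET /owa/ - 443 DOMAIN1\\Administrator 192.168.2.52 Mozilla/5.0+(Windows+NT+6.3) 200 0 0 200 -
"""


def parse_w3c_log(text):
    """Yield one dict per data row, keyed by the most recent '#Fields:' header."""
    names = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = line[len("#Fields:"):].split()
            continue
        if names is None:
            raise ValueError("data row before any #Fields header")
        yield dict(zip(names, line.split(" ")))


def classify_owa_auth(row, location_field=LOCATION_FIELD):
    """'failure' when the redirect carries reason=2, 'success' for a plain 302,
    None for rows that are not logon posts, 'unknown' for anything else."""
    if row.get("cs-method") != "POST" or row.get("cs-uri-stem", "").lower() != "/owa/auth.owa":
        return None
    location = row.get(location_field, "-")
    reason = parse_qs(urlsplit(location).query).get("reason", [])
    if "2" in reason:
        return "failure"
    if not reason and row.get("sc-status") == "302":
        return "success"
    return "unknown"   # another reason code, or a non-302 status: inspect by hand


def owa_logon_events(text):
    """Normalised logon events with the source address and raw sc-status kept."""
    events = []
    for row in parse_w3c_log(text):
        outcome = classify_owa_auth(row)
        if outcome is None:
            continue
        events.append({
            "time": f'{row["date"]} {row["time"]}',
            "source_ip": row.get("c-ip", "-"),
            "sc-status": row.get("sc-status", "-"),
            "outcome": outcome,
        })
    return events


def summarize_by_source(events):
    """Per-source outcome counts, the shape a SIEM dashboard or alert rule uses."""
    counts = defaultdict(lambda: defaultdict(int))
    for event in events:
        counts[event["source_ip"]][event["outcome"]] += 1
    return {ip: dict(c) for ip, c in counts.items()}


if __name__ == "__main__":
    found = owa_logon_events(SAMPLE_IIS_LOG)
    for event in found:
        print(event["time"], event["source_ip"], event["sc-status"], event["outcome"])
    print(summarize_by_source(found))
```

The query-string parse is the equivalent of the wildcard match in the SPL, but it only accepts a real reason parameter rather than the substring appearing anywhere in the URL, and anything that is neither reason=2 nor a plain 302 is reported as unknown instead of being silently counted as a success.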