Query in Log Parser for URI

Joe Guancial 1 Reputation point

Hi everyone. I think I need to run a simple query? I don't know 'how to' query for a URI in Log Parser. I have Log Parser but I have never written a query. I only use the defaults, which work great.

I think I want to query the entire set of logs in Exchange/IIS for the URI below. And I want to know: was this URI queried? How many times? When?

| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "/mapi/nspi/"

The reason I want to do this is that there may have been a compromise in Exchange. This query would help us to discover if an attempt was made.

Here is a URL which explains the risk.



1 answer

  1. Boran Duzgun 1 Reputation point


    You may use the following query to get the result.

    C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, cs-uri-stem, count(c-ip) as hits into c:\scripts\autojson.csv from \\server1\l$\LogFiles\W3SVC1\u_ex2109* where cs-uri-stem like '%autodiscover/autodiscover.json%' and cs-uri-query like '%mapi/nspi%' group by c-ip, cs-uri-stem order by hits desc" -o:csv -i:w3c


    0 comments No comments
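For the "how many times" and "when" parts of the question, the following is an added example (not part of the original question or answer, and not Log Parser itself): a small Python scanner that reads the `#Fields:` header of IIS W3C logs, applies the same two substring filters as the answer, and reports hit count plus first and last timestamp per client IP. The sample log lines, IP addresses and the `scan_w3c` / `read_files` names are constructed for illustration.

```python
"""Added example: scan IIS W3C logs for the request pattern from the question."""
import sys

STEM = "autodiscover/autodiscover.json"  # substring filter used in the answer
QUERY = "mapi/nspi"                      # substring filter used in the answer

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-01 10:15:02 192.0.2.10 POST /autodiscover/autodiscover.json path=/mapi/nspi/ 443 - 203.0.113.5 Mozilla/5.0 200
2021-09-01 10:15:09 192.0.2.10 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2021-09-01 11:40:31 192.0.2.10 GET /Autodiscover/Autodiscover.json path=/MAPI/nspi/ 443 - 203.0.113.5 Mozilla/5.0 302
2021-09-01 12:00:00 192.0.2.10 GET /autodiscover/autodiscover.json Email=user@example.test 443 - 198.51.100.7 Mozilla/5.0 401
""".splitlines()

def scan_w3c(lines):
    """Return {c-ip: {"hits", "first", "last"}} for requests matching both filters."""
    fields, found = [], {}
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # column order varies per server
            continue
        values = line.split(" ")
        if line.startswith("#") or len(values) != len(fields):
            continue  # other directives, blank or truncated lines
        row = dict(zip(fields, values))
        if (STEM not in row.get("cs-uri-stem", "").lower()
                or QUERY not in row.get("cs-uri-query", "").lower()):
            continue
        ts = f'{row.get("date", "")} {row.get("time", "")}'  # IIS logs UTC by default
        rec = found.setdefault(row.get("c-ip", "-"), {"hits": 0, "first": ts, "last": ts})
        rec["hits"] += 1
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return found

def read_files(paths):
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            yield from fh

if __name__ == "__main__":
    source = read_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    for ip, rec in sorted(scan_w3c(source).items(), key=lambda kv: -kv[1]["hits"]):
        print(ip, rec["hits"], rec["first"], rec["last"])
```

Run it with one or more log file paths as arguments; with no arguments it scans the constructed sample.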