Decoding Outlook Web Access Logs

uzdcar
(@uzdcar)

I'm having difficulty interpreting IIS / OWA logs - specifically the cs-uri-stem and cs-uri-query fields. In this intrusion investigation, the same remote IP is using the same computer/browser config to successfully access various accounts. With most account access, the cs-uri-stem field is easy to understand: /Exchange/[Username]/Inbox. The cs-uri-query is also straightforward: Cmd=open.
However, when the same intruder logs in with a particular account, the cs-uri-stem only displays /owa/default.aspx and the cs-uri-query is a bit cryptic: ae=Folder&t=IPF.Note&id=[long character string].

I need help with 2 things:
1. Can you point me to a reference for the cs-uri-query variables?
2. Why the logging change from one account to another?

Thanks in advance for your help.


   
uzdcar
(@uzdcar)

Yes, I did check that blog, but the subject was a little different. Also checked several other resources. The different user issue seems solved - the CAS server redirects users to the appropriate backend Exchange server (2003 and 2007 environment) depending on user. So now all I need is a decode for the (assuming newer 2007 OWA uri-query) so I can match up which emails were viewed (no decode needed for 2003).


   
uzdcar
(@uzdcar)

Ok, so here is the MSDN explanation (I guess I didn't look hard enough before!)
http://msdn.microsoft.com/en-us/library/bb891831.aspx (see "Parameters that are passed in the GET URL")

Now, just need to figure out how to translate the id= field


   
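Added example, not code from the thread: parsing IIS W3C logs to list what one client IP requested, covering both URL styles discussed above (/Exchange/[Username]/... and /owa/default.aspx with ae/t/id parameters). The log lines, field order, IPs, users and the id value are constructed, the "2003"/"2007" labels follow the poster's assumption, and the id is kept as an opaque string for matching repeated requests because the thread does not give its encoding.

```python
from urllib.parse import unquote

# Constructed sample in W3C extended format; IPs, users and the id value are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2009-03-02 10:15:01 203.0.113.7 CORP\\alice GET /Exchange/alice/Inbox Cmd=open 200
2009-03-02 10:19:44 203.0.113.7 CORP\\bob GET /owa/default.aspx ae=Folder&t=IPF.Note&id=EXAMPLEID%2fAAA 200
2009-03-02 10:20:10 198.51.100.9 CORP\\carol GET /Exchange/carol/Inbox Cmd=open 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def parse_query(query):
    """Split cs-uri-query into a dict; IIS logs an empty query as '-'."""
    params = {}
    if query != "-":
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            params[key] = unquote(value)  # not unquote_plus: keeps any '+' in id
    return params

def classify(row):
    """Label the URL style and pull out the mailbox when the stem carries it."""
    parts = unquote(row["cs-uri-stem"]).strip("/").split("/")
    if parts[0].lower() == "exchange" and len(parts) >= 2:
        return "exchange-2003", parts[1]   # /Exchange/[Username]/...
    if parts[0].lower() == "owa":
        return "owa-2007", None            # mailbox is not in the stem
    return "other", None

def accesses_by_ip(text, ip):
    """List every request from one client IP with its decoded parameters."""
    hits = []
    for row in parse_w3c(text):
        if row["c-ip"] == ip:
            style, mailbox = classify(row)
            hits.append({"time": row["date"] + " " + row["time"],
                         "user": row["cs-username"], "style": style,
                         "mailbox": mailbox, "params": parse_query(row["cs-uri-query"])})
    return hits
```

For /owa/ requests the account has to come from cs-username, since the stem no longer names the mailbox.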