Parsing IIS Log ActiveSync Traffic for Information about Iphone IOS Versions Exchange 2003,2007,2010
Last month i posted a script for getting the Iphone IOS version information for all users on a server using the Get-ActiveSyncDeviceStatistics cmdlet which worked okay but had one major flaw in that it doesn't pick up the updates to the O/S as pointed out in http://www.hedonists.ca/2010/07/22/blocking-the-iphone-part-i. So the only 100% way would be to parse the IIS logs where you can grab the same information about the devices as long as the cs-useragent is being include in the logs (if not you need to change this). This script is still useful for somethings and hopefully i should be able to re-purpose this to do something useful.
There are good and bad things about parsing logs, the good is that this technique should work on any version of Exchange including 2003 the bad is that if your log files are large then there are much better ways then using Powershell to parse them (such as logparser). But using PS does have a number of advantages and if your whiling to wait while the script runs then this one if for you. As i don't have a lot of access to Production Exchange servers at the moment the testing this script has had is very little but seems to work okay on a few old logs i had lying around if you have any problems please let me know. The base of this parser if from one of my other post which is a pretty reliable parser I've used all the time. Its been adapted to only look at specific ActiveSync traffic which should contain the useragent information. The rest of the script is from my first ActiveSync script along with a little custom object code to get all the information compiled into a report. This script also reports on Non-Iphone as well (although doesn't give you the IOS details for these).
I've included two different versions in the download the first script offers a little file selection gui to let you browse and select the log file your want this to run it against the second can be run unattended and would look for last file modified in the last 6 hours in the log directory you configured it to look in eg
get-childitem c:\inetpub\logs\logfiles\w3svc1\*.* | where-object{$_.LastWriteTime -gt (get-date).addhours(-6)} | foreach-object{
$fname = $_.FullName
}
* Note it will only run on one log file in the above example if you want to batch process a number of files then the rest of the code needs to be functionized.
I've put a download of this code here the code itself looks like.
[System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms")
$exFileName = new-object System.Windows.Forms.openFileDialog
$exFileName.ShowHelp = $true
$exFileName.ShowDialog()
$sendAlertTo = "mailbox@example.com"
$sendAlertFrom = "mailbox@example.com"
$SMTPServer = "smtp.example.com"
$appleCollection = @()
$appleverhash = @{ }
$hndSethash = @{ }
function addtoIOShash($inputvar){
$inparray = $inputvar.Split(',')
$v1 = $inparray[1].Substring(0,1)
$v2 = $inparray[1].Substring(1,1)
$v3 = $inparray[1].Substring(2,($inparray[1].Length-2))
$useragent = "{0:D2}" -f (([int][char]$v2)-64)
$apverobj = "" | select IOSVersion,IOSReleaseDate,ActiveSyncUserAgent,AppleBuildCode
$apverobj.IOSVersion = $inparray[0]
$apverobj.IOSReleaseDate = $inparray[2]
$apverobj.AppleBuildCode = $inparray[1]
$apverobj.ActiveSyncUserAgent = $v1 + $useragent + "." + $v3
$appleverhash.add($apverobj.ActiveSyncUserAgent,$apverobj)
}
#IOSVersion,Deviceid,ReleaseDate
addtoIOShash("1,1A543,Jun-07")
addtoIOShash("1.0.1,1C25,Jul-07")
addtoIOShash("1.0.2,1C28,Aug-07")
addtoIOShash("1.1,3A100,Sep-07")
addtoIOShash("1.1,3A101,Sep-07")
addtoIOShash("1.1.1,3A109,Sep-07")
addtoIOShash("1.1.1,3A110,Sep-07")
addtoIOShash("1.1.2 ,3B48,Nov-07")
addtoIOShash("1.1.3,4A93,Jan-08")
addtoIOShash("1.1.4,4A102,Feb-08")
addtoIOShash("1.1.5,4B1,Jul-08")
addtoIOShash("2,5A347,Jul-08")
addtoIOShash("2.0.1,5B108,Aug-08")
addtoIOShash("2.0.2,5C1,Aug-08")
addtoIOShash("2.1,5F136,Sep-08")
addtoIOShash("2.1,5F137,Sep-08")
addtoIOShash("2.1,5F138,Sep-08")
addtoIOShash("2.2,5G77,Nov-08")
addtoIOShash("2.2.1,5H11,Jan-09")
addtoIOShash("3,7A341,Jun-09")
addtoIOShash("3.0.1,7A400,Jul-09")
addtoIOShash("3.1,7C144,Sep-09")
addtoIOShash("3.1,7C145,Sep-09")
addtoIOShash("3.1,7C146,Sep-09")
addtoIOShash("3.1.2,7D11,Oct-09")
addtoIOShash("3.1.3,7E18,Feb-09")
addtoIOShash("3.2,7B367,Apr-10")
addtoIOShash("3.2.1,7B405,Jul-10")
addtoIOShash("4.0,8A293,Jun-10")
addtoIOShash("4.0.1,8A306,Jul-10")
$hndSethash.add("Apple-iPhone","IPhone")
$hndSethash.add("Apple-iPhone1C2","IPhone 3G")
$hndSethash.add("Apple-iPhone2C1","IPhone 3GS")
$hndSethash.add("Apple-iPhone3C1","IPhone 4")
$hndSethash.add("Apple-iPad","IPad")
$hndSethash.add("Apple-iPod","IPod Touch")
$CurrentDate = Get-Date
$fname = $exFileName.FileName
$mbcombCollection = @()
$FldHash = @{}
$usHash = @{}
$fieldsline = (Get-Content $fname)[3]
$fldarray = $fieldsline.Split(" ")
$fnum = -1
foreach ($fld in $fldarray){
$FldHash.add($fld,$fnum)
$fnum++
}
get-content $fname | Where-Object -FilterScript { $_ -ilike “*&DeviceType=*” } | %{
$lnum ++
write-progress "Scanning Line" $lnum
if ($lnum -eq $rnma){ Write-Progress -Activity "Read Lines" -Status $lnum
$rnma = $rnma + 1000
}
$linarr = $_.split(" ")
$uid = $linarr[$FldHash["cs-username"]] + $linarr[$FldHash["cs(User-Agent)"]]
if ($linarr[$FldHash["cs-username"]].length -gt 2){
if ($usHash.Containskey($uid) -eq $false){
$usrobj = "" | select UserName,UserAgent,Iphone,IphoneType,IOSVersion,IOSReleaseDate,AppleBuildCode
$usrobj.UserName = $linarr[$FldHash["cs-username"]]
$usrobj.UserAgent = $linarr[$FldHash["cs(User-Agent)"]]
if ($usrobj.UserAgent -match "apple"){
$apcodearray = $usrobj.UserAgent.split("/")
$usrobj.Iphone = "Yes"
$usrobj.IphoneType = $hndSethash[$apcodearray[0]]
$usrobj.IOSVersion = $appleverhash[$apcodearray[1]].IOSVersion
$usrobj.IOSReleaseDate = $appleverhash[$apcodearray[1]].IOSReleaseDate
$usrobj.AppleBuildCode = $appleverhash[$apcodearray[1]].AppleBuildCode
}
else{
$usrobj.Iphone = "No"
}
$usHash.add($uid,$usrobj)
$mbcombCollection += $usrobj
}
}
}
$tableStyle = @"
<style>
BODY{background-color:white;}
TABLE{border-width: 1px;
border-style: solid;
border-color: black;
border-collapse: collapse;
}
TH{border-width: 1px;
padding: 10px;
border-style: solid;
border-color: black;
background-color:#66CCCC
}
TD{border-width: 1px;
padding: 2px;
border-style: solid;
border-color: black;
background-color:white
}
</style>
"@
$body = @"
<p style="font-size:25px;family:calibri;color:#ff9100">
$TableHeader
</p>
"@
$SmtpClient = new-object system.net.mail.smtpClient
$SmtpClient.host = $SMTPServer
$MailMessage = new-object System.Net.Mail.MailMessage
$MailMessage.To.Add($sendAlertTo)
$MailMessage.From = $sendAlertFrom
$MailMessage.Subject = "iPhone Registrration Report"
$MailMessage.IsBodyHtml = $TRUE
$MailMessage.body = $mbcombCollection | ConvertTo-HTML -head $tableStyle –body $body
$SMTPClient.Send($MailMessage)
There are good and bad things about parsing logs, the good is that this technique should work on any version of Exchange including 2003 the bad is that if your log files are large then there are much better ways then using Powershell to parse them (such as logparser). But using PS does have a number of advantages and if your whiling to wait while the script runs then this one if for you. As i don't have a lot of access to Production Exchange servers at the moment the testing this script has had is very little but seems to work okay on a few old logs i had lying around if you have any problems please let me know. The base of this parser if from one of my other post which is a pretty reliable parser I've used all the time. Its been adapted to only look at specific ActiveSync traffic which should contain the useragent information. The rest of the script is from my first ActiveSync script along with a little custom object code to get all the information compiled into a report. This script also reports on Non-Iphone as well (although doesn't give you the IOS details for these).
I've included two different versions in the download the first script offers a little file selection gui to let you browse and select the log file your want this to run it against the second can be run unattended and would look for last file modified in the last 6 hours in the log directory you configured it to look in eg
get-childitem c:\inetpub\logs\logfiles\w3svc1\*.* | where-object{$_.LastWriteTime -gt (get-date).addhours(-6)} | foreach-object{
$fname = $_.FullName
}
* Note it will only run on one log file in the above example if you want to batch process a number of files then the rest of the code needs to be functionized.
I've put a download of this code here the code itself looks like.
[System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms")
$exFileName = new-object System.Windows.Forms.openFileDialog
$exFileName.ShowHelp = $true
$exFileName.ShowDialog()
$sendAlertTo = "mailbox@example.com"
$sendAlertFrom = "mailbox@example.com"
$SMTPServer = "smtp.example.com"
$appleCollection = @()
$appleverhash = @{ }
$hndSethash = @{ }
function addtoIOShash($inputvar){
$inparray = $inputvar.Split(',')
$v1 = $inparray[1].Substring(0,1)
$v2 = $inparray[1].Substring(1,1)
$v3 = $inparray[1].Substring(2,($inparray[1].Length-2))
$useragent = "{0:D2}" -f (([int][char]$v2)-64)
$apverobj = "" | select IOSVersion,IOSReleaseDate,ActiveSyncUserAgent,AppleBuildCode
$apverobj.IOSVersion = $inparray[0]
$apverobj.IOSReleaseDate = $inparray[2]
$apverobj.AppleBuildCode = $inparray[1]
$apverobj.ActiveSyncUserAgent = $v1 + $useragent + "." + $v3
$appleverhash.add($apverobj.ActiveSyncUserAgent,$apverobj)
}
#IOSVersion,Deviceid,ReleaseDate
addtoIOShash("1,1A543,Jun-07")
addtoIOShash("1.0.1,1C25,Jul-07")
addtoIOShash("1.0.2,1C28,Aug-07")
addtoIOShash("1.1,3A100,Sep-07")
addtoIOShash("1.1,3A101,Sep-07")
addtoIOShash("1.1.1,3A109,Sep-07")
addtoIOShash("1.1.1,3A110,Sep-07")
addtoIOShash("1.1.2 ,3B48,Nov-07")
addtoIOShash("1.1.3,4A93,Jan-08")
addtoIOShash("1.1.4,4A102,Feb-08")
addtoIOShash("1.1.5,4B1,Jul-08")
addtoIOShash("2,5A347,Jul-08")
addtoIOShash("2.0.1,5B108,Aug-08")
addtoIOShash("2.0.2,5C1,Aug-08")
addtoIOShash("2.1,5F136,Sep-08")
addtoIOShash("2.1,5F137,Sep-08")
addtoIOShash("2.1,5F138,Sep-08")
addtoIOShash("2.2,5G77,Nov-08")
addtoIOShash("2.2.1,5H11,Jan-09")
addtoIOShash("3,7A341,Jun-09")
addtoIOShash("3.0.1,7A400,Jul-09")
addtoIOShash("3.1,7C144,Sep-09")
addtoIOShash("3.1,7C145,Sep-09")
addtoIOShash("3.1,7C146,Sep-09")
addtoIOShash("3.1.2,7D11,Oct-09")
addtoIOShash("3.1.3,7E18,Feb-09")
addtoIOShash("3.2,7B367,Apr-10")
addtoIOShash("3.2.1,7B405,Jul-10")
addtoIOShash("4.0,8A293,Jun-10")
addtoIOShash("4.0.1,8A306,Jul-10")
$hndSethash.add("Apple-iPhone","IPhone")
$hndSethash.add("Apple-iPhone1C2","IPhone 3G")
$hndSethash.add("Apple-iPhone2C1","IPhone 3GS")
$hndSethash.add("Apple-iPhone3C1","IPhone 4")
$hndSethash.add("Apple-iPad","IPad")
$hndSethash.add("Apple-iPod","IPod Touch")
$CurrentDate = Get-Date
$fname = $exFileName.FileName
$mbcombCollection = @()
$FldHash = @{}
$usHash = @{}
$fieldsline = (Get-Content $fname)[3]
$fldarray = $fieldsline.Split(" ")
$fnum = -1
foreach ($fld in $fldarray){
$FldHash.add($fld,$fnum)
$fnum++
}
get-content $fname | Where-Object -FilterScript { $_ -ilike “*&DeviceType=*” } | %{
$lnum ++
write-progress "Scanning Line" $lnum
if ($lnum -eq $rnma){ Write-Progress -Activity "Read Lines" -Status $lnum
$rnma = $rnma + 1000
}
$linarr = $_.split(" ")
$uid = $linarr[$FldHash["cs-username"]] + $linarr[$FldHash["cs(User-Agent)"]]
if ($linarr[$FldHash["cs-username"]].length -gt 2){
if ($usHash.Containskey($uid) -eq $false){
$usrobj = "" | select UserName,UserAgent,Iphone,IphoneType,IOSVersion,IOSReleaseDate,AppleBuildCode
$usrobj.UserName = $linarr[$FldHash["cs-username"]]
$usrobj.UserAgent = $linarr[$FldHash["cs(User-Agent)"]]
if ($usrobj.UserAgent -match "apple"){
$apcodearray = $usrobj.UserAgent.split("/")
$usrobj.Iphone = "Yes"
$usrobj.IphoneType = $hndSethash[$apcodearray[0]]
$usrobj.IOSVersion = $appleverhash[$apcodearray[1]].IOSVersion
$usrobj.IOSReleaseDate = $appleverhash[$apcodearray[1]].IOSReleaseDate
$usrobj.AppleBuildCode = $appleverhash[$apcodearray[1]].AppleBuildCode
}
else{
$usrobj.Iphone = "No"
}
$usHash.add($uid,$usrobj)
$mbcombCollection += $usrobj
}
}
}
$tableStyle = @"
<style>
BODY{background-color:white;}
TABLE{border-width: 1px;
border-style: solid;
border-color: black;
border-collapse: collapse;
}
TH{border-width: 1px;
padding: 10px;
border-style: solid;
border-color: black;
background-color:#66CCCC
}
TD{border-width: 1px;
padding: 2px;
border-style: solid;
border-color: black;
background-color:white
}
</style>
"@
$body = @"
<p style="font-size:25px;family:calibri;color:#ff9100">
$TableHeader
</p>
"@
$SmtpClient = new-object system.net.mail.smtpClient
$SmtpClient.host = $SMTPServer
$MailMessage = new-object System.Net.Mail.MailMessage
$MailMessage.To.Add($sendAlertTo)
$MailMessage.From = $sendAlertFrom
$MailMessage.Subject = "iPhone Registrration Report"
$MailMessage.IsBodyHtml = $TRUE
$MailMessage.body = $mbcombCollection | ConvertTo-HTML -head $tableStyle –body $body
$SMTPClient.Send($MailMessage)