techthroway443

Q: IIS Logs Flooded With EWS Requests from iMac

Hello,

We are running Exchange 2010 in our environment and noticed the IIS logs are growing into GB+ sizes. For comparison our average daily log sizes are about 10-15 MB.

Using Log Parser Studio we managed to isolate the requests to a single machine on our network, our iMac computer.

From the logs we see millions of hits to the URL "/EWS/Exchange.asmx"

For the device type we see it coming from both:

"Mac+OS+X/10.11.3+(15D21)+CalendarAgent/361.1"

and

"Mac+OS+X/10.11.3+(15D21);+ExchangeWebServices/6.0+(243);+AddressBookSourceSync/ 9.0+(1679.4)"

In addition to this we found the logs are filled with millions of 401.1 HTTP status codes which presumably are from the same computer.

Only thing that has recently changed is Office for Mac 2011 was updated to the latest version.

Any idea how to go about troubleshooting this?

Thanks!

iMac, OS X El Capitan (10.11.3), Office for Mac 2011

Posted on Apr 26, 2016 6:51 AM

  • by lxzndr,

    Jun 24, 2016 7:15 AM in response to techthroway443

    I was having the same problem, Exchange IIS daily logs over 1GB in size using up all free space.

    Dug into logs and found same messages as you did from my own Mac.

    My case was invalid information (old password) in Internet Accounts for syncing to Mac mail and calendar apps.

    I primarily use Outlook for Mac 2011, so didn't notice it wasn't syncing after changing password a few weeks ago.

    On Mac, go to System Preferences: Internet Accounts.

    If there is not an Exchange account then it isn't the same problem as I was having.

    If there is, you can try just unchecking all items to sync. That should stop those messages. If it does, then it is likely a problem with the account details.

    Or you can go to the details for the account, enter the current password for the user, and then click OK. If it accepts it, then see if you continue to have those log entries from that Mac.

  • by nectop_spb,

    Aug 29, 2016 2:27 AM in response to lxzndr

    Hello. I have the same issue. But as far as I can see, the login and password are correct. It's the calendar trying to sync. It sends an empty login to Exchange and generates a flood, so the logs keep growing.

    Looks like this:


    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 15

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 1 2148074254 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 1 2148074254 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 1 2148074254 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 1 2148074254 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 1 2148074254 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 0 0 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 - 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 401 1 2148074254 0

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 78

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 499

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 484

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 499

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 578

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 562

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 109

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 548

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 237

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 237

    2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 LOCAL\nectop 192.168.51.153 Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243); - 200 0 0 237
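
The isolation step discussed in this thread (finding which client is behind the 401 flood against /EWS/Exchange.asmx), as an added Python example that is not part of any poster's message: it reads IIS W3C log lines, groups requests by client IP and user agent, and flags clients whose requests are mostly 401s. The `#Fields` header, the second client, the user names and the thresholds are constructed assumptions; because some 401s are normal with challenge-response authentication, it judges by the share of 401s per client rather than the raw count.

```python
from collections import Counter, defaultdict

# Constructed sample laid out like the lines quoted in the thread. The #Fields
# header and the second client are assumptions; real IIS logs carry their own.
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken")
MAC_UA = "Mac+OS+X/10.11.6+(15G31);+ExchangeWebServices/6.0+(243);"

def _row(user, ip, ua, status):
    return (f"2016-08-29 09:08:36 192.168.50.100 POST /ews/exchange.asmx - 443 "
            f"{user} {ip} {ua} - {status} 0 0 0")

SAMPLE = ([FIELDS]
          + [_row("-", "192.168.51.153", MAC_UA, 401)] * 18
          + [_row("LOCAL\\user1", "192.168.51.153", MAC_UA, 200)] * 11
          + [_row("-", "192.168.51.20", "Microsoft+Office/14.0", 401)]
          + [_row("LOCAL\\user2", "192.168.51.20", "Microsoft+Office/14.0", 200)] * 5)

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):  # skip torn/truncated lines
                yield dict(zip(fields, parts))

def auth_failure_report(lines, uri="/ews/exchange.asmx", min_401=10, min_ratio=0.5):
    """Flag (client IP, user agent) pairs whose requests to uri are mostly 401s."""
    stats = defaultdict(Counter)
    for r in parse_w3c(lines):
        if r["cs-uri-stem"].lower() != uri:
            continue
        c = stats[(r["c-ip"], r["cs(User-Agent)"])]
        c["total"] += 1
        if r["sc-status"] == "401":
            c["401"] += 1
            c["anonymous_401"] += r["cs-username"] == "-"  # no user name logged
    flagged = [{"c-ip": ip, "user-agent": ua, "total": c["total"], "401": c["401"],
                "anonymous_401": c["anonymous_401"],
                "ratio": round(c["401"] / c["total"], 2)}
               for (ip, ua), c in stats.items()
               if c["401"] >= min_401 and c["401"] / c["total"] >= min_ratio]
    return sorted(flagged, key=lambda f: f["401"], reverse=True)
```

To run it on a real log, pass an open file object to `auth_failure_report` in place of `SAMPLE`.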