Thursday 15 August 2019

Logs

How to collect ActiveSync device logs to troubleshoot sync issues between mobile devices and Exchange Online

Introduction

This article describes how to collect Exchange ActiveSync device logs to troubleshoot sync issues between mobile devices and Exchange Online in Microsoft Office 365. If you can't sync your mobile device to your mailbox, you may be asked by Office 365 Support to collect logs for troubleshooting.

Procedure

To capture ActiveSync device log information, use one of the following methods.

Method 1: Use Outlook on the web

  1. Sign in to the Office 365 portal (https://portal.office.com/).
  2. Click Mail to open Outlook on the web (formerly known as Outlook Web App). In the upper-right area of the page, click Settings, and then click Options.
  3. In the navigation pane on the left, expand General, and then click Mobile Devices.
  4. In the list of devices, select the device that you want to track, and then click Start Logging.
  5. In the Information dialog box, click Yes.
  6. Reproduce the behavior that you want to capture, and then click Retrieve Log.
    An email message that contains the log file (EASMailboxLog.txt) as an attachment is sent to your mailbox.

Method 2: Use Exchange Online PowerShell

  1. Connect to Exchange Online by using remote PowerShell. For more information, see Connect to Exchange Online using remote PowerShell.
  2. Run the following command to enable ActiveSync logging for a specific user:
    PowerShell
    Set-CASMailbox alias -ActiveSyncDebugLogging:$true
    
  3. Reproduce the behavior that you want to capture.
  4. Run the following command to retrieve the log:
    PowerShell
    Get-MobileDeviceStatistics -Mailbox alias -GetMailboxLog:$true -NotificationEmailAddresses "admin@contoso.com"
    
     Note
    This command returns sync statistics for each mobile device that is partnered with the mailbox you specified and, because -GetMailboxLog is set, also sends the mailbox log file to the addresses given in -NotificationEmailAddresses (admin@contoso.com in this example).
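The two cmdlets above, put together into one script as an added example (this is not code from the original article and not a Microsoft-supplied script). It assumes the ExchangeOnlineManagement module is installed, so Connect-ExchangeOnline is used in place of the older remote PowerShell session, and that the signed-in account holds a role that includes Set-CASMailbox. The mailbox, notification address and repro window are parameters you supply. Besides enabling logging and retrieving the log, it records the setting's prior value and restores it in a finally block, so debug logging is not left switched on for the mailbox after the case is closed.

```powershell
<#
  Added example, not from the original article: enable ActiveSync mailbox
  logging for one user, wait while the user reproduces the problem, mail the
  log to the admin, then put the setting back the way it was.
  Assumes the ExchangeOnlineManagement module and a role that includes Set-CASMailbox.
  Usage: .\Get-EasMailboxLog.ps1 -Mailbox alice@contoso.com -NotifyAddress admin@contoso.com
#>
param(
    [Parameter(Mandatory)] [string] $Mailbox,        # UPN or alias of the affected user
    [Parameter(Mandatory)] [string] $NotifyAddress,  # where the log file is mailed
    [int] $ReproMinutes = 15                         # how long to leave logging on
)

Connect-ExchangeOnline -ShowBanner:$false

$before = $false
try {
    # Remember the current value so the finally block can restore it (normally $false).
    $before = [bool](Get-CASMailbox -Identity $Mailbox).ActiveSyncDebugLogging

    # Show which devices are partnered with the mailbox, so you know which DeviceId
    # to look for in the log before you start.
    Get-MobileDevice -Mailbox $Mailbox |
        Select-Object DeviceId, DeviceType, DeviceModel, DeviceOS, FirstSyncTime |
        Format-Table -AutoSize

    Set-CASMailbox -Identity $Mailbox -ActiveSyncDebugLogging:$true
    Write-Host "ActiveSync debug logging is on for $Mailbox. Reproduce the sync problem within $ReproMinutes minutes."
    Start-Sleep -Seconds ($ReproMinutes * 60)

    # -GetMailboxLog mails the mailbox log to -NotificationEmailAddresses; the cmdlet
    # also returns one statistics object per device, which is worth keeping with the case.
    Get-MobileDeviceStatistics -Mailbox $Mailbox -GetMailboxLog:$true -NotificationEmailAddresses $NotifyAddress |
        Select-Object DeviceId, DeviceType, LastSuccessSync, LastSyncAttemptTime, Status |
        Format-Table -AutoSize
}
finally {
    # Always restore the original setting: the debug log records the user's sync
    # traffic and should not keep accumulating once the log has been collected.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncDebugLogging:$before
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it while the user is available to reproduce the problem; the log is mailed to the notification address, and the device list and statistics printed by the script tell you which DeviceId and which last sync attempt to match against the entries in the log.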

Internal Logging for Office 365 Engineering

In addition to the events and log data available for customers, there is also an internal log data collection system that is available to Office 365 engineers. Many different types of log data are uploaded from Office 365 servers to an internal, big data computing service called Cosmos. Each service team uploads audit logs from their respective servers into the Cosmos database for aggregation and analysis. This data transfer occurs over a FIPS 140-2-validated TLS connection on specifically approved ports and protocols using a proprietary automation tool called the Office Data Loader (ODL). The tools used in Office 365 to collect and process audit records do not allow permanent or irreversible changes to the original audit record content or time ordering.
Service teams use Cosmos as a centralized repository to analyze application usage, to measure system and operational performance, and to look for abnormalities and patterns that may indicate problems or security issues. Each service team uploads a baseline set of logs into Cosmos, depending on what it wants to analyze; this often includes:
  • Event logs
  • AppLocker logs
  • Performance data
  • System Center data
  • Call detail records
  • Quality of experience data
  • IIS Web Server logs
  • SQL Server logs
  • Syslog data
  • Security audit logs
Before uploading data into Cosmos, the ODL application passes it through a scrubbing service that obfuscates any fields containing customer data, such as tenant information and end-user identifiable information, replacing each such field with a hash value. The scrubbed, hashed logs are rewritten and then uploaded into Cosmos. Service teams run scoped queries against their data in Cosmos for correlation, alerting, and reporting. The retention period for audit log data in Cosmos is determined by the service teams; most audit log data is retained for 90 days or longer to support security incident investigations and to meet regulatory retention requirements.
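What the scrubbing step looks like in practice, as an added example (this is not Microsoft's ODL scrubber, whose internals the article does not describe): each customer-identifying field of a log record is replaced with a keyed hash (HMAC-SHA256) of its value. The key makes the difference between pseudonymization and a lookup table: a plain SHA-256 of a user principal name can be reversed by hashing every known UPN in the directory, whereas the HMAC cannot be computed without the key, yet records about the same tenant, user or device still share the same token, so correlation across records survives scrubbing. The field names, the key handling and the sample records are assumptions constructed for the illustration.

```powershell
# Added example, not Microsoft's code: keyed-hash pseudonymization of
# customer-identifying log fields, keeping correlation across records.

function New-FieldPseudonym {
    param(
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [byte[]] $Key
    )
    # HMAC-SHA256 over the lower-cased value, so "Alice@contoso.com" and
    # "alice@contoso.com" map to the same token. 16 hex chars keeps the record
    # readable while leaving collisions negligible for correlation purposes.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value.ToLowerInvariant())
        $hex   = ([System.BitConverter]::ToString($hmac.ComputeHash($bytes))) -replace '-', ''
        return $hex.Substring(0, 16).ToLower()
    }
    finally { $hmac.Dispose() }
}

function ConvertTo-ScrubbedRecord {
    param(
        [Parameter(Mandatory)] [hashtable] $Record,
        [Parameter(Mandatory)] [byte[]]    $Key,
        # Assumed field names; in a real pipeline this list comes from the log schema.
        [string[]] $SensitiveFields = @('TenantId', 'UserPrincipalName', 'ClientIP', 'DeviceId')
    )
    $out = @{}
    foreach ($k in $Record.Keys) {
        if ($SensitiveFields -contains $k -and -not [string]::IsNullOrEmpty([string]$Record[$k])) {
            $out[$k] = New-FieldPseudonym -Value ([string]$Record[$k]) -Key $Key
        } else {
            $out[$k] = $Record[$k]   # operational fields are kept as-is for analysis
        }
    }
    return $out
}

# The key would come from a secrets store and never be written to the log pipeline
# itself; a fresh random key is generated here only so the example runs stand-alone.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

# Constructed sample records (not real log data): the same user and device, two sync
# requests, with the UPN differing only in case on the second row.
$records = @(
    @{ Timestamp = '2019-08-15T10:02:11Z'; TenantId = 'c0ffee00-0000-4000-8000-000000000001'
       UserPrincipalName = 'alice@contoso.com'; ClientIP = '203.0.113.7'; DeviceId = 'ABC123'
       Operation = 'Sync'; Status = 200 },
    @{ Timestamp = '2019-08-15T10:02:13Z'; TenantId = 'c0ffee00-0000-4000-8000-000000000001'
       UserPrincipalName = 'Alice@contoso.com'; ClientIP = '203.0.113.7'; DeviceId = 'ABC123'
       Operation = 'Sync'; Status = 449 }
)

$scrubbed = $records | ForEach-Object { ConvertTo-ScrubbedRecord -Record $_ -Key $key }
$scrubbed | ForEach-Object { [pscustomobject]$_ } |
    Select-Object Timestamp, TenantId, UserPrincipalName, ClientIP, DeviceId, Operation, Status |
    Format-Table -AutoSize

# Both rows carry identical TenantId/UserPrincipalName/DeviceId tokens, so an analyst
# can still see "one device retried after a 449" without learning who the user is.
if ($scrubbed[0].UserPrincipalName -ne $scrubbed[1].UserPrincipalName) {
    throw 'Pseudonyms for the same user differ; correlation would be lost.'
}
```

Two properties are worth checking in any scrubber built this way: rotating the key breaks correlation across the rotation boundary (records before and after get different tokens for the same user), so the rotation period should match the analysis window; and fields that are only partly customer-identifying, such as free-text error messages, are not protected by hashing whole fields and need their own handling.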
Access to Office 365 data stored in Cosmos is restricted to authorized personnel. Microsoft restricts the management of audit functionality to the limited subset of service team members that are responsible for audit functionality. These team members do not have the ability to modify or delete data from Cosmos, and all changes to logging mechanisms for Cosmos are recorded and audited.
Each service team accesses its log data for analysis by authorizing certain applications to conduct specific analysis. For example, the Office 365 Security team uses data from Cosmos through a proprietary event log parser to correlate, alert, and generate actionable reports on possible suspicious activity in the Office 365 production environment. The reports from this data are used to correct vulnerabilities and to improve the overall performance of the service. If a specific alert or report requires further investigation, service personnel can request that data be imported back into the Office 365 service. Because the specific log being imported from Cosmos is encrypted and service personnel do not have access to the decryption keys, the target log is programmatically passed through a decryption service that returns scoped results to the authorized service personnel. Any vulnerabilities found from this exercise are reported and escalated using Microsoft's standard security incident management channels.
