Detecting iOS 6.1 with the Splunk App for Exchange

If you are an Exchange Administrator, you might have heard this one. Basically, if you upgrade your iPhone or iPad to iOS 6.1 and then accept a calendar invitation under certain (unfortunately common) circumstances, then your phone starts generating excessive traffic to the Exchange server. This fills up the logs on your Exchange client access servers and mailbox servers with unnecessary and irrelevant information. Many articles have been written about how to ban users, which defeats getting work done.

Fixing the issue short term is relatively easy – institute a throttling policy for these ActiveSync users. I’ll leave that to the Exchange MVP bloggers (you can find information on this here though). The next thing is to get a list of users who have not upgraded yet. Can we do that with Splunk? Yes, we can, and we already have the data – it’s in the IIS logs.

Let’s start by looking at a typical IIS log for an ActiveSync connection. You can get these by searching for eventtype=client-activesync-usage.

2013-02-28 15:11:05 POST /Microsoft-Server-ActiveSync/default.eas User=zane&DeviceId=ApplNX1LEBOU4YYE&DeviceType=iPhone&Cmd=Sync&Log=V121_Fc1_Fid:5_Ty:Em_Filt2_Sr:S_Sk:2387060_Sst1_LdapC0_LdapL0_RpcC19_RpcL31_Ers1_Pk1115773768_S1_ 443 Apple-iPhone3C3/805.401 200 0 0 55

As you can see, nothing looks like “iOS 5.1” in there. The Splunk App for Microsoft Exchange decodes this for us, and the string we want is stored in the cs_user_agent field. In this particular event, that’s Apple-iPhone3C3/805.401. So, we know it’s an iPhone, and we use that fact to give you a chart of phone types in the ActiveSync dashboard, but let’s look closer at this string.

The first three digits after the Apple-iPhone are the model, including the type. Here is a short table:

 Identifier   Real Model 
 Apple-iPhone3C1/   iPhone 4 
 Apple-iPhone3C3/   iPhone 4 CDMA 
 Apple-iPhone4C1/   iPhone 4S 
 Apple-iPhone5C1/   iPhone 5 GSM 
 Apple-iPhone5C2/   iPhone 5 CDMA 
 Apple-iPad3C1/   iPad 3 WiFi Only 
 Apple-iPad3C2/   iPad 3 WiFi + 4G Verizon / International 
 Apple-iPad3C3/   iPad 3 WiFi + 4G AT&T / International 

You can also get these strings using the Powershell command Get-ActiveSyncDeviceStatistics on a DeviceId (which you can get with Get-ActiveSyncDevice to list the devices known as a user). So, what about the numbers? These are build numbers which can be directly translated into a version number. These have specific major and minor numbers. Here are a few in common circulation:

 Build Number   iOS Version 
 1001.405   iOS 6.0 
 1001.523   iOS 6.0.1 
 1002.141   iOS 6.1 
 1002.146   iOS 6.1.2 

Note that these aren’t an exhaustive list. Sometimes two builds will be released with slightly different numbers to cover the differences between CDMA and GSM networks. However, this gives us a good idea for how to determine which users have not upgraded yet. We start with working out the latest cs_user_agent for each user. We then move on to extracting the model and version of the iOS devices, and finally, we work out which ones are abouve and below our target of 1002.146. Here is my search string:

eventtype="client-activesync-usage" cs_user_agent="Apple-*"|stats latest(cs_user_agent) as cs_user_agent by User,DeviceId|rex field=cs_user_agent "Apple-iPhone(?<model>[^/]+)/(?<version>.*)"|lookup ad_username cs_username as User|table user_subject,DeviceId,cs_user_agent,model,version|where version>1001.000 AND version<1002.146

Simply do this search and create a custom report from it. Then your entire IT group can work with usersThis is the sort of ad-hoc querying that Splunk makes possible. Sure, the dashboards (especially the new ones) are nice and give you lots of on-going information about the habits of your users, but the ability to respond to new threats like the iOS bug is just another reason to use Splunk.

Posted by


Join the Discussion