ROP Breakdown by User

Hey all,

I'm back with some more info to empower your Exchange administration! Once you've enabled ROP logging on your servers, there is a lot you can do with the data, because the operation-specific field is now populated. Say a particular user is pushing a lot of requests against the server and you want to know what they are doing. One way to determine their intent is to analyze which ROPs they are sending. For example, a user sending a lot of FastTransferSourceGetBuffer ROPs is pulling data (downloading) from the server; a user constantly sending FastTransferDestinationPutBuffer ROPs is pushing data (uploading) to it. You can read more about Fast Transfer in the official specifications documentation ([MS-OXCFXICS], with the ROPs themselves defined in [MS-OXCROPS]) or watch Joe Warren's presentation on it.

Since multiple ROPs can be packaged into a single request, we need to extract them before we can do any analysis. I've written a PowerShell script, attached to this post, that takes a directory path, parses every .log file inside it, and produces a corresponding "expanded" .csv file with two columns, client-name and ROP, one row per ROP.

Running the script is easy. You invoke it in an administrative PowerShell window with a command like: .\RopBreakdownByUser.ps1 "d:\myRcaLogs"

Once the CSV files are produced, you can use Log Parser Studio (LPS) or Excel to analyze the data. Say I choose LPS to get the top ROPs by user: I launch LPS, point the log directory at the folder of CSV files the script produced, set the Log Type to CSVLOG, enter my query, and execute. Here's what I end up with:

Again, ROPs are usually the building blocks of bigger operations, and it is not immediately obvious what this user is doing; experience and knowledge are the only way around that ambiguity. Here we can at least infer that the top user is doing a lot of downloading from the server. Perhaps their Outlook is simply doing the initial sync of a new profile, in which case the high activity is normal. When a user is a true outlier (a ROP count at least 3x that of the next user), their Outlook is probably misbehaving, typically by repeatedly trying to sync a corrupted item. Hands-on investigation is required, and a trip to the user's desktop will usually reveal the cause: an item stuck in the Outbox that constantly attempts to sync, a single recurring meeting with hundreds of exceptions, and so on. Keep in mind that the ROP mix tells you what the client is doing, not why: a bulk export or third-party sync tool produces the same heavy FastTransferSourceGetBuffer pattern as an initial sync does.
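The following is an added example, not the RopBreakdownByUser.ps1 attached to the post. It shows the whole pipeline described above in PowerShell 3 or later: expand the ROP list of every request into one (client-name, ROP) row, write the expanded CSV beside each .log, then answer the two questions the post asks of the data, the top ROPs per user and whether the top user is a 3x outlier. It assumes the RCA log layout of '#'-prefixed metadata lines, a '#Fields:' header naming the CSV columns (including client-name and operation-specific), and, with ROP logging on, an operation-specific value of the form "ROPs: [RopA; RopB; RopB]"; the regex in $RopListPattern is the only place that assumption lives, so adjust it if your servers write the list differently. The sample log lines are constructed for the example, not captured data.

```powershell
# Added example (not the script attached to the post). Assumed operation-specific
# format with ROP logging enabled: ROPs: [OpenMessage; FastTransferSourceGetBuffer; Release]
$RopListPattern = 'ROPs:\s*\[(?<rops>[^\]]*)\]'

# Turn the lines of one RCA log into one object per ROP: client-name, ROP.
function Expand-RcaRops {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Split(',') | ForEach-Object { $_.Trim() }
            continue
        }
        # Other '#' lines are metadata (software, version, date); skip them.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Data row before the #Fields: header; not an RCA log?' }

        $row = $line | ConvertFrom-Csv -Header $fields
        # Requests that are not ROP bundles (Connect, Disconnect, ...) carry no
        # ROP list and contribute nothing to the breakdown.
        if ($row.'operation-specific' -match $RopListPattern) {
            foreach ($entry in $Matches['rops'] -split ';') {
                $rop = $entry.Trim()
                if ($rop) {
                    [pscustomobject]@{ 'client-name' = $row.'client-name'; ROP = $rop }
                }
            }
        }
    }
}

# Expand every .log in a directory and write a sibling .expanded.csv for
# Log Parser Studio or Excel; the expanded rows are also returned.
function Convert-RcaLogDirectory {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($file in Get-ChildItem -Path $Path -Filter *.log -File) {
        $rows = @(Expand-RcaRops -Lines (Get-Content -Path $file.FullName))
        $out  = [IO.Path]::ChangeExtension($file.FullName, '.expanded.csv')
        $rows | Export-Csv -Path $out -NoTypeInformation
        $rows
    }
}

# Top (user, ROP) pairs: the same question the LPS query in the post answers.
function Get-TopRopsByUser {
    param([Parameter(Mandatory)][object[]]$Rows, [int]$Top = 5)
    $Rows | Group-Object 'client-name', ROP |
        ForEach-Object {
            [pscustomobject]@{
                'client-name' = $_.Group[0].'client-name'
                ROP           = $_.Group[0].ROP
                Count         = $_.Count
            }
        } | Sort-Object Count -Descending | Select-Object -First $Top
}

# The post's rule of thumb: a user whose total ROP count is at least 3x the
# next user's is an outlier worth a desk visit. Returns that user or $null.
function Get-RopOutlierUser {
    param([Parameter(Mandatory)][object[]]$Rows, [double]$Ratio = 3.0)
    $totals = @($Rows | Group-Object 'client-name' | Sort-Object Count -Descending)
    if ($totals.Count -lt 2) { return $null }
    if ($totals[0].Count -ge $Ratio * $totals[1].Count) { return $totals[0].Name }
    return $null
}

# Constructed sample log (made up for this example, not captured data).
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: RCA Protocol Logs
#Fields: date-time,session-id,seq-number,client-name,client-software,client-ip,operation,rpc-status,processing-time,operation-specific,failures
2013-05-06T08:00:01.000Z,1,1,contoso.com/Users/alice,OUTLOOK.EXE,10.0.0.5,Connect,0,3,,
2013-05-06T08:00:02.000Z,1,2,contoso.com/Users/alice,OUTLOOK.EXE,10.0.0.5,Execute,0,40,ROPs: [OpenMessage; FastTransferSourceGetBuffer; FastTransferSourceGetBuffer; FastTransferSourceGetBuffer; Release],
2013-05-06T08:00:03.000Z,1,3,contoso.com/Users/alice,OUTLOOK.EXE,10.0.0.5,Execute,0,38,ROPs: [FastTransferSourceGetBuffer; FastTransferSourceGetBuffer; FastTransferSourceGetBuffer],
2013-05-06T08:00:04.000Z,2,1,contoso.com/Users/bob,OUTLOOK.EXE,10.0.0.6,Execute,0,15,ROPs: [OpenFolder; FastTransferDestinationPutBuffer],
'@ -split "`r?`n"

$expanded = @(Expand-RcaRops -Lines $sampleLog)
Get-TopRopsByUser -Rows $expanded -Top 3 | Format-Table -AutoSize
"Outlier: $(Get-RopOutlierUser -Rows $expanded)"   # alice: 8 ROPs against bob's 2
```

Against real logs, Convert-RcaLogDirectory 'd:\myRcaLogs' plays the role of the attached script's invocation, and the rows it returns can be piped straight into Get-TopRopsByUser or Get-RopOutlierUser without a round trip through LPS. Grouping on client-name means all of a user's sessions (several Outlook connections, a mobile device) are pooled, which is what you want when the question is "who is hammering the server"; group on session-id as well if you need to tell those apart.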

Hope this helps,

Matt

RopBreakdownByUser.ps1