Exchange Mailbox Audit Logging: Storage Purging and Archival
Storage
When mailbox auditing is enabled, Exchange writes mailbox audit events to a hidden
folder in each mailbox. This means that the overall mailbox audit log is scattered
among all the mailboxes in the organization.
The mailbox audit log is not written to any external text file or Windows event
log and is therefore inaccessible through any normal log-collection means.
LOGbinder for Exchange™ collects the mailbox audit logs through efficient use of the Exchange management
API, then parses the cryptic Exchange audit log data and formats it into
11 easy-to-read messages delivered to your SIEM via several possible channels.
Purging
Exchange automatically purges the mailbox audit entries based on the number of days specified
by the -AuditLogAgeLimit parameter, which is set on each mailbox with the Set-Mailbox
cmdlet. The default value is 90 days.
The parameter is specified in the format of dd.hh:mm:ss. So, the following command would set
the audit log to purge events older than 120 days for the user John:
Set-Mailbox John@contoso.com -AuditLogAgeLimit 120.00:00:00
We recommend setting it to the greater of the following two factors:
- The amount of time (maybe 3-7 days?) it is anticipated that the server hosting a solution
(such as LOGbinder for Exchange) that facilitates exporting and archival
of Exchange audit events might ever be down.
This way, audits accumulate in Exchange until the audit exporting system comes back up and gets them.
- How far back Exchange admins want to go using Exchange’s internal/native audit reporting.
What impact will mailbox auditing have on storage?
Very little – provided you don’t turn on Owner auditing.
What you are auditing is non-owner mailbox access,
and Exchange does not log duplicate audit messages for Folder views.
Archival
Exchange does not provide an automated, enterprise method for archiving mailbox
audit logs. You can manually export audit logs via PowerShell. The log is exported
in the form of an XML file.
For enterprise archiving and connection to your SIEM/log management system, see
LOGbinder for Exchange.
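The following Exchange Management Shell script is an added example (not from the original page and not LOGbinder's own tooling) that applies the purging recommendation above, choosing the greater of the two factors and writing it to -AuditLogAgeLimit in dd.hh:mm:ss form, and then runs the manual XML export described under Archival. The day counts, the recipient address, and the assumption that AuditLogAgeLimit can be cast to a TimeSpan in your session are all assumptions.

```powershell
# Added example: choose an AuditLogAgeLimit from the two factors and apply it to
# every audit-enabled mailbox. Run from the Exchange Management Shell.

# Factor 1: longest anticipated outage of the audit export/archival server (assumed 7 days).
$ExporterDowntimeDays = 7
# Factor 2: how far back admins want native Exchange audit reporting to reach (assumed 120 days).
$NativeReportingDays = 120

# Recommendation from the page: the greater of the two factors.
$RetentionDays = [Math]::Max($ExporterDowntimeDays, $NativeReportingDays)

# Set-Mailbox expects dd.hh:mm:ss; a TimeSpan formats to exactly that.
$AgeLimit     = New-TimeSpan -Days $RetentionDays
$AgeLimitText = $AgeLimit.ToString('d\.hh\:mm\:ss')   # 120.00:00:00 for the values above

# Find audit-enabled mailboxes whose current limit is below the target
# (assumes the AuditLogAgeLimit value casts cleanly to [TimeSpan]).
$Mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AuditEnabled }
$Below     = $Mailboxes | Where-Object { [TimeSpan]$_.AuditLogAgeLimit -lt $AgeLimit }
"{0} audit-enabled mailboxes, {1} below {2}" -f $Mailboxes.Count, $Below.Count, $AgeLimitText

# Raise the limit only where it is too short. Remove -WhatIf to apply the change.
foreach ($mbx in $Below) {
    Set-Mailbox -Identity $mbx.Identity -AuditLogAgeLimit $AgeLimitText -WhatIf
}

# Manual export for archival: an asynchronous search over the retention window that
# mails the results as an XML attachment to the (assumed) archive mailbox.
New-MailboxAuditLogSearch -Name "Mailbox audit export $(Get-Date -Format yyyy-MM-dd)" `
    -StartDate (Get-Date).AddDays(-$RetentionDays) -EndDate (Get-Date) `
    -LogonTypes Admin,Delegate -ShowDetails `
    -StatusMailRecipients 'audit-archive@contoso.com'
```

Because the purge runs per mailbox, a mailbox created after the rollout keeps the 90-day default until this script (or your provisioning process) sets the limit again.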