Exchange Mailbox Audit Logging: Storage, Purging and Archival

Storage

When mailbox auditing is enabled, Exchange writes mailbox audit events to a hidden folder in each mailbox (the Audits subfolder under Recoverable Items). This means that the overall mailbox audit log is scattered across every mailbox in the organization rather than held in one place.

The mailbox audit log is not written to any external text file or to the Windows event log, so ordinary log-collection agents never see it. LOGbinder for Exchange™ collects the mailbox audit logs through efficient use of the Exchange management API, parses the cryptic Exchange audit log data, and formats it into 11 easy-to-read messages delivered to your SIEM via several possible channels.

Purging

Exchange automatically purges mailbox audit entries older than the age specified by the -AuditLogAgeLimit parameter, which is set per mailbox with the Set-Mailbox cmdlet. The default value is 90 days. The value is given in the format dd.hh:mm:ss, so the following command sets audit entries in John's mailbox to be purged once they are older than 120 days:

Set-Mailbox John@contoso.com -AuditLogAgeLimit 120.00:00:00

We recommend setting it to the greater of the following two values:

  • The longest time the server hosting a solution such as LOGbinder for Exchange, which exports and archives the audit events, could plausibly be down (a few days to a week is a reasonable planning figure). Audits then accumulate in Exchange until the exporting system comes back up and collects them; if the limit is shorter than an outage, the events purged during it are lost for good.
  • How far back Exchange admins want to search using Exchange's native audit reporting.
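The following is an added example, not code from the original page or from LOGbinder: a PowerShell function for the Exchange Management Shell that reports every user mailbox whose -AuditLogAgeLimit is below a chosen floor and, with the -Apply switch, raises it. The 120-day floor, the function name and the switch name are this example's own choices; pick the floor as the larger of the two factors above.

```powershell
# Added example (not from the original page or from LOGbinder).
# Enforce a floor on -AuditLogAgeLimit across all user mailboxes.
# Assumptions: 120-day floor and the -Apply switch are this example's choices.
function Set-AuditLogAgeFloor {
    param(
        [int]$MinDays = 120,
        [switch]$Apply          # without -Apply the function only reports
    )
    $floor = New-TimeSpan -Days $MinDays

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # AuditLogAgeLimit arrives as an EnhancedTimeSpan locally, or as its string
        # form over remote PowerShell; casting via a string works in both cases.
        $current     = [TimeSpan]"$($mbx.AuditLogAgeLimit)"
        $needsChange = $current -lt $floor

        if ($needsChange -and $Apply) {
            # Same dd.hh:mm:ss format as the Set-Mailbox example above.
            Set-Mailbox -Identity $mbx.Identity -AuditLogAgeLimit ("{0}.00:00:00" -f $MinDays)
        }

        [PSCustomObject]@{
            Mailbox      = $mbx.PrimarySmtpAddress
            AuditEnabled = $mbx.AuditEnabled     # a long limit is useless if auditing is off
            AgeLimitDays = $current.TotalDays
            BelowFloor   = $needsChange
            Changed      = ($needsChange -and $Apply)
        }
    }
}

# Report first; apply once the list looks right.
Set-AuditLogAgeFloor -MinDays 120 | Where-Object BelowFloor | Format-Table -AutoSize
# Set-AuditLogAgeFloor -MinDays 120 -Apply
```

The report also surfaces mailboxes with AuditEnabled set to $false, since a generous age limit retains nothing if no events are being written in the first place.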

What impact will mailbox auditing have on storage? Very little, provided you don't turn on Owner auditing. What you are auditing is non-owner (admin and delegate) mailbox access, and Exchange does not write a duplicate audit entry every time the same non-owner views the same folder; repeated folder views are consolidated rather than logged one by one.
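To check the storage claim in your own organization rather than take it on trust, the following added example (not from the original page or from LOGbinder) reads the size of the hidden Audits folder under Recoverable Items in each user mailbox with Get-MailboxFolderStatistics, and flags mailboxes where Owner auditing is on. The function name and the top-N figure are this example's choices.

```powershell
# Added example (not from the original page or from LOGbinder).
# Measure how much space mailbox audit logging actually consumes per mailbox.
# Assumption: function name and the default Top value are this example's choices.
function Get-MailboxAuditStorage {
    param([int]$Top = 20)

    $rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # The audit log lives in the Audits subfolder of Recoverable Items.
        $audits = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems |
                  Where-Object { $_.FolderPath -eq '/Audits' }
        if (-not $audits) { continue }   # no Audits folder yet: nothing has been logged

        # FolderSize renders as e.g. "1.5 MB (1,572,864 bytes)"; take the exact byte count.
        $bytes = 0L
        if ("$($audits.FolderSize)" -match '\(([\d,]+) bytes\)') {
            $bytes = [int64]($Matches[1] -replace ',', '')
        }

        [PSCustomObject]@{
            Mailbox    = $mbx.PrimarySmtpAddress
            AuditOwner = (@($mbx.AuditOwner).Count -gt 0)   # Owner auditing is the usual cause of growth
            AuditItems = $audits.ItemsInFolder
            AuditMB    = [math]::Round($bytes / 1MB, 2)
        }
    }

    $total = ($rows | Measure-Object -Property AuditMB -Sum).Sum
    Write-Host ("Audit folders across {0} mailboxes: {1} MB total" -f @($rows).Count, $total)
    $rows | Sort-Object AuditMB -Descending | Select-Object -First $Top
}

Get-MailboxAuditStorage -Top 20 | Format-Table -AutoSize
```

Mailboxes at the top of the list with AuditOwner set to True are the ones to revisit; non-owner auditing alone rarely registers against the mailbox quota.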

Archival

Exchange does not provide an automated, enterprise method for archiving mailbox audit logs. You can export audit logs manually via PowerShell: Search-MailboxAuditLog returns the entries for one mailbox to the shell, and New-MailboxAuditLogSearch runs an asynchronous search across mailboxes whose results Exchange delivers as an XML file attached to an e-mail. Anything older than -AuditLogAgeLimit has already been purged, so a manual export has to run more often than that interval or the gap is unrecoverable.
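Both export routes, as an added example that is not from the original page or from LOGbinder: the synchronous Search-MailboxAuditLog per mailbox written to CSV, and the asynchronous New-MailboxAuditLogSearch that produces the e-mailed XML file. The output directory, the seven-day window, the search name and the recipient address are assumptions; the selected property names are those returned by Search-MailboxAuditLog -ShowDetails.

```powershell
# Added example (not from the original page or from LOGbinder).
# Pull non-owner mailbox audit entries out of Exchange before -AuditLogAgeLimit purges them.
# Assumptions: $OutDir, the 7-day window, the search name and the recipient address.
$Since  = (Get-Date).AddDays(-7)
$Until  = Get-Date
$OutDir = 'C:\AuditExport'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Synchronous export: -ShowDetails returns one object per event (it requires a
#    single -Identity), and -ResultSize 250000 is the cmdlet's maximum per call.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $events = Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Admin,Delegate `
              -StartDate $Since -EndDate $Until -ShowDetails -ResultSize 250000
    if (-not $events) { continue }

    $file = Join-Path $OutDir ("{0}_{1:yyyyMMdd}.csv" -f $mbx.Alias, $Until)
    $events |
        Select-Object MailboxResolvedOwnerName, Operation, OperationResult, LogonType,
                      LogonUserDisplayName, LastAccessed, ItemSubject, FolderPathName,
                      ClientIPAddress, ClientInfoString, ExternalAccess |
        Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
}

# 2. Asynchronous export: Exchange runs the search in the background across all
#    mailboxes (no -Mailboxes given) and e-mails the results as an XML attachment.
New-MailboxAuditLogSearch -Name "Weekly non-owner access export" `
    -LogonTypes Admin,Delegate -StartDate $Since -EndDate $Until -ShowDetails `
    -StatusMailRecipients 'audit-archive@contoso.com'
```

Schedule whichever route you use at an interval shorter than the smallest -AuditLogAgeLimit in the organization; the per-mailbox loop is slow on a large org, which is where the asynchronous search, or a dedicated collector, earns its place.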

For enterprise archiving and connection to your SIEM/log management system, see LOGbinder for Exchange.
