LOGbinder Blog


Dealing with a large audit backlog when first starting LOGbinder EX

Wed, 12 Feb 2014 17:38:19 GMT

If auditing has been enabled on your Exchange server for a while when you install LOGbinder EX (and administrator audit logging is enabled by default), you might have accumulated a large amount of audit data, depending on your audit retention period. (See AuditLogAgeLimit for mailboxes, and AdminAuditLogAgeLimit for the administrator audit log.)

When LOGbinder EX starts for the first time, it collects and processes all audit records that exist in your Exchange system. If there is a large amount of audit data, this can take considerable time and computational resources on your Exchange server. How can you find out how much audit data you have in your Exchange environment, and what can you do if you do not want to process a large backlog?

Assessing size of audit data

The following Exchange PowerShell command displays the 20 mailboxes with the largest audit data size. It only queries the mailboxes that have auditing enabled.

Get-Mailbox -Filter {AuditEnabled -eq $true} | Get-MailboxFolderStatistics | where {$_.Name -eq "Audits"} | Sort-Object FolderSize -Descending | Select-Object Identity, ItemsInFolder, FolderSize -First 20

The following Exchange PowerShell command displays the size of the administrator audit log.

Get-Mailbox -Arbitration | Get-MailboxFolderStatistics | where {$_.Name -eq "AdminAuditLogs"} | Select-Object Name, ItemsInFolder, FolderSize

If any of the above seems too large (for example, you have hundreds of megabytes of mailbox audit data in some mailboxes), you might want to consider bypassing those past events and starting the audit log collection with LOGbinder EX from this point forward.
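The size check above, as an added example that is not from the original post or from LOGbinder: it parses the exact byte count out of each FolderSize value so that ranking and the threshold test are numeric rather than textual. The function names, the 100 MB threshold, the sample rows, and the "310.4 MB (325,477,990 bytes)" text form of FolderSize are assumptions made for illustration.

```powershell
# Added example (not LOGbinder code). Assumption: FolderSize is rendered as
# text such as "310.4 MB (325,477,990 bytes)".
function ConvertTo-ByteCount {
    param([Parameter(Mandatory=$true)][string]$FolderSize)
    # Use the exact figure in parentheses, not the rounded MB/GB prefix.
    if ($FolderSize -match '\(([\d,.\s]+)bytes\)') {
        return [int64]($Matches[1] -replace '\D', '')
    }
    throw "Unrecognised FolderSize format: '$FolderSize'"
}

function Get-AuditBacklogReport {
    param(
        [Parameter(Mandatory=$true)][object[]]$FolderStats,
        [int64]$ThresholdBytes = 100MB   # hypothetical cut-off
    )
    $rows = foreach ($f in $FolderStats) {
        $bytes = ConvertTo-ByteCount -FolderSize ([string]$f.FolderSize)
        New-Object PSObject -Property @{
            Identity      = $f.Identity
            ItemsInFolder = [int64]$f.ItemsInFolder
            SizeBytes     = $bytes
            SizeMB        = [math]::Round($bytes / 1MB, 1)
            OverThreshold = ($bytes -gt $ThresholdBytes)
        }
    }
    # Numeric sort: a text sort would rank "9.1 MB" above "310.4 MB".
    $rows | Sort-Object SizeBytes -Descending |
        Select-Object Identity, ItemsInFolder, SizeMB, SizeBytes, OverThreshold
}

# Constructed sample rows standing in for Get-MailboxFolderStatistics output.
$sample = @(
    (New-Object PSObject -Property @{ Identity = 'alice\Audits'
        ItemsInFolder = 412003;  FolderSize = '310.4 MB (325,477,990 bytes)' }),
    (New-Object PSObject -Property @{ Identity = 'bob\Audits'
        ItemsInFolder = 9120;    FolderSize = '9.1 MB (9,542,042 bytes)' }),
    (New-Object PSObject -Property @{ Identity = 'carol\Audits'
        ItemsInFolder = 1650340; FolderSize = '1.2 GB (1,288,490,189 bytes)' })
)

$report = Get-AuditBacklogReport -FolderStats $sample
$report | Format-Table -AutoSize

$over  = @($report | Where-Object { $_.OverThreshold }).Count
$total = ($report | Measure-Object SizeBytes -Sum).Sum
"{0} of {1} mailboxes over threshold; {2:N1} MB of audit data in total" -f $over, @($report).Count, ($total / 1MB)
```

Against a live server, pass the output of the Get-MailboxFolderStatistics pipeline above (filtered to the Audits folder) as -FolderStats in place of $sample.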

Omitting past audit logs

If you decide that you would like to omit the past audit logs and let LOGbinder EX start processing only new logs, please contact us at support@logbinder.com, so we can set up LOGbinder for you to start processing from a given time and date.

In the near future, a new feature will be included in a LOGbinder EX release that enables specifying the start time, just like it is already done in our other products: LOGbinder SP and LOGbinder SQL.
