Blog | Newsletter | Download | Contact

LOGbinder Blog

Updates, Tips and News   RSS Feed  
Search
Categories
Recent Blogs
Archive

«  LOGbinder SP 4.0 & Me... | LOGbinder 3.6 released! »

Changing the Exchange audit search poll interval

Thu, 11 Jul 2013 14:53:17 GMT

If you are doing auditing for Exchange server using the New-AdminAuditLogSearch and New-MailboxAuditLogSearch cmdlets, you might have noticed that it takes a while until Exchange delivers the audit reports. You might wonder: How long does it actually take to get the results? Is there any setting that determines this? If yes, can it be changed?

First of all, we must note that Microsoft says on their Overview of Administrator Audit Logging page for Exchange 2010 and on the Administrator Audit Logging page for Exchange 2013, that after you run the New-AdminAuditLogSearch cmdlet, Exchange may take up to 15 minutes to deliver the report to the specified recipient. However, in reality you will find that at times Exchange takes significantly more time than that to deliver the report. On Exchange 2013, it can take up to a day. This might not suit the need of all, so let’s see how we can change this behavior.

The value that controls this timing is stored in an XML configuration file under the %ExchangeInstallPath% folder. The file is in the Bin folder, and called Microsoft.Exchange.Servicehost.exe.config. Look for the following line inside the <appSettings> tag:

<add key="AuditLogSearchPollIntervalInMilliseconds" value="…" />

This value determines (in milliseconds) the frequency of audit log searches, affecting both the admin audit log search and the mailbox audit log search.  The default value for Exchange 2010 is 1800000 (that is 30 minutes). For Exchange 2013, the default value is 86400000 (that is 24 hours). This means that Exchange 2010 and 2013 will execute audit log search polls every 30 minutes and 24 hours, respectively.

If you would like to use a different value, you can simply change it in the config file using a text editor. Please note that you have to restart the Microsoft Exchange Service Host service for the change to take effect.

If you prefer to change the value more programmatically, you can do it from PowerShell, but running the following script (e.g. to change the interval to 10 minutes):

$cfgpath = $Env:ExchangeInstallPath + "Bin\Microsoft.Exchange.Servicehost.exe.config"

[xml]$cfg = Get-Content -Path $cfgpath

($cfg.configuration.appSettings.add | where key -Match "AuditLogSearchPollIntervalInMilliseconds").value = "600000"

$cfg.Save($cfgpath)

(Again, don’t forget to restart the service after the change.)

In this blog, we looked at how to determine and control the audit log search poll interval in Exchange 2010 and 2013. As a final note, please mind the implications this setting might have on your CPU usage, if you set the value too low.

email this digg reddit
comments (0) references (0)
Related:
November 2014 LOGbinder Newsletter: Windows Event Collection and your SIEM; 2 Tech Tips for security analysts
Changing the Exchange audit search poll interval
The 24-hour Bug in Microsoft Exchange Mailbox Auditing
December 2014 LOGbinder Newsletter: QRadar fully supports Exchange, SharePoint and SQL Server audit; Tech resources for security analysts

Comments disabled

powered by Bloget™
Login | Terms of Use | Privacy
LOGbinder is a division of Monterey Technology Group, Inc. ©2006-2024 All rights reserved.
For complaints please contact abuse@logbinder.com.