How to Configure Automatic Archiving of Exchange Auditing Event Logs
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2009-05-15
This topic explains how to use the Event Viewer tool in Windows Server 2008 to configure automatic archiving of Microsoft Exchange Auditing event logs.
Windows Server 2008 can automatically archive the event log when the maximum event log size has been reached. This Windows Server 2008 event log setting is named Archive the log when full, do not overwrite events. By default, this setting is enabled for the Exchange Auditing event log. When the maximum Exchange Auditing event log size is reached, Windows Server 2008 closes the current log file and archives the log file to the folder in which the Exchange Auditing log is located. You can see the archived log files under Saved Logs in Event Viewer.
|We do not recommend that you store the auditing logs on the same logical drives as the database and transaction log files. If available hard disk drive space is low, and the auditing logs consume all available disk space, the Microsoft Exchange Information Store service will dismount the databases because of insufficient disk drive space.|
The format of the archive log file is as follows:
Archive-<Exchange Auditing Log file name>-<datetime>.evtx
For example, if the path to the Exchange Auditing log file name is D:\ExchangeAuditing\ExchangeAuditing.evtx, the file name resembles the following:
When a log file has been rolled over, event ID 105 is logged to the System log. This event resembles the following:
Sample event ID 105 entry
Log Name: System
Event ID: 105
Task Category: Log automatic backup
Event log automatic backup
To perform this procedure, the account you use must be delegated the following:
Local Administrator rights
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Click Start, click Run, type eventvwr, and then click OK.
In Event Viewer, expand Application and Services logs, and then click Exchange Auditing.
Right-click Exchange Auditing, and then click Properties.
Click Archive the log when full, do not overwrite events.
For more information about Exchange Auditing, see Understanding Mailbox Access Auditing with Exchange Server 2007 Service Pack 3.