Export (0) Print
Expand All

How to Configure Automatic Archiving of Exchange Auditing Event Logs

 

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1

Topic Last Modified: 2009-05-15

This topic explains how to use the Event Viewer tool in Windows Server 2008 to configure automatic archiving of Microsoft Exchange Auditing event logs.

Windows Server 2008 can automatically archive the event log when the maximum event log size has been reached. This Windows Server 2008 event log setting is named Archive the log when full, do not overwrite events. By default, this setting is enabled for the Exchange Auditing event log. When the maximum Exchange Auditing event log size is reached, Windows Server 2008 closes the current log file and archives the log file to the folder in which the Exchange Auditing log is located. You can see the archived log files under Saved Logs in Event Viewer.

importantImportant:
We do not recommend that you store the auditing logs on the same logical drives as the database and transaction log files. If available hard disk drive space is low, and the auditing logs consume all available disk space, the Microsoft Exchange Information Store service will dismount the databases because of insufficient disk drive space.

The format of the archive log file is as follows:

Archive-<Exchange Auditing Log file name>-<datetime>.evtx

For example, if the path to the Exchange Auditing log file name is D:\ExchangeAuditing\ExchangeAuditing.evtx, the file name resembles the following:

Archive-ExchangeAuditing-2009-05-06-12-54-33-725.evtx

When a log file has been rolled over, event ID 105 is logged to the System log. This event resembles the following:

Sample event ID 105 entry

 

Log Name: System

Source: Microsoft-Windows-Eventlog

Event ID: 105

Task Category: Log automatic backup

Level: Information

Description:

Event log automatic backup

Log:Exchange Auditing

File:d:\ExchangeAuditing\ Archive-ExchangeAuditing-2009-05-06-12-54-33-725

To perform this procedure, the account you use must be delegated the following:

  • Local Administrator rights

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

  1. Click Start, click Run, type eventvwr, and then click OK.

  2. In Event Viewer, expand Application and Services logs, and then click Exchange Auditing.

  3. Right-click Exchange Auditing, and then click Properties.

  4. Click Archive the log when full, do not overwrite events.

  5. Click OK.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft