How to Configure the Size and Location of Exchange Auditing Event Logs

Exchange 2007

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2016-11-10

This topic explains how to use the Exchange Management Console and the Wevtutil tool to configure the size and location of Exchange Auditing event logs.

In Windows Server 2008, you can use the Wevtutil tool to view the current event log size and location. In Windows Server 2003, you can modify the registry to change the event log location.

If you want to resize the log file to a lower value, you must first click Clear Log to reset the size of the log file

To perform this procedure, the account you use must be delegated the following:

  • Local Administrator rights

  • Exchange Organization Administrator rights

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

  • Run the following command:

    wevtutil gl "Exchange Auditing"

This command generates output that resembles the following:


name: Exchange Auditing

enabled: true

type: Admin


isolation: Application

channelAccess: O:BAG:SYD:(D;;CCDCLC;;;AN)(D;;CCDCLC;;;BG)(A;;CCDC;;;SY)(A;;CCDC;;;S-1-5-21-2105946205-4879329-3509040111-1103)(A;;CCLC;;;S-1-5-21-2105946205-4879329-3509040111-1104)(A;;CCLC;;;S-1-5-21-2105946205-4879329-3509040111-1105)


logFileName: %SystemRoot%\System32\Winevt\Logs\Exchange Auditing.evtx

retention: true

autoBackup: true

maxSize: 1052672


In this output, notice that the Retention and AutoBackup parameters are both set to True. Both these settings must be True to allow for correct automatic archival of the event logs.

  • Run the following command:

    Wevtutil sl "Exchange Auditing" /lfn:<path>\ExchangeAuditing\ExAudit.evtx

    In this command, replace <path> with an appropriate drive letter or path.

  • Run the following command:

    Wevtutil sl "Exchange Auditing" /ms:<size in bytes>

    For example, to change the log file to 100 MB, run:

    Wevtutil sl "Exchange Auditing" /ms:104857600

For more information about how to use Wevtutil, see Wevtutil.

For more information about how to change the event log location in Windows Server 2003, see Microsoft Knowledge Base article 315417, How to move Event Viewer log files to another location in Windows 2000 and in Windows Server 2003.

  1. Use Windows Explorer to create a folder in which to store the Exchange Auditing log file.

  2. Click Start, click Run, type eventvwr, and then click OK.

  3. In Event Viewer, expand Application and Services Logs, and then click Exchange Auditing.

  4. Right-click Exchange Auditing, and then click Properties.

  5. In the Log path box, type the full path of the new location of the .evtx event log file.

  6. In the Maximum log size (KB) box, specify an appropriate value for the size of the log file.

  7. Click OK.