How to Configure the Size and Location of Exchange Auditing Event Logs
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
Topic Last Modified: 2016-11-10
This topic explains how to use the Exchange Management Console and the Wevtutil tool to configure the size and location of Exchange Auditing event logs.
In Windows Server 2008, you can use the Wevtutil tool to view the current event log size and location. In Windows Server 2003, you can modify the registry to change the event log location.
|If you want to resize the log file to a lower value, you must first click Clear Log to reset the size of the log file|
To perform this procedure, the account you use must be delegated the following:
Local Administrator rights
Exchange Organization Administrator rights
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Run the following command:
wevtutil gl "Exchange Auditing"
This command generates output that resembles the following:
name: Exchange Auditing
logFileName: %SystemRoot%\System32\Winevt\Logs\Exchange Auditing.evtx
|In this output, notice that the Retention and AutoBackup parameters are both set to True. Both these settings must be True to allow for correct automatic archival of the event logs.|
Run the following command:
Wevtutil sl "Exchange Auditing" /lfn:<path>\ExchangeAuditing\ExAudit.evtx
In this command, replace <path> with an appropriate drive letter or path.
For more information about how to use Wevtutil, see Wevtutil.
For more information about how to change the event log location in Windows Server 2003, see Microsoft Knowledge Base article 315417, How to move Event Viewer log files to another location in Windows 2000 and in Windows Server 2003.
Use Windows Explorer to create a folder in which to store the Exchange Auditing log file.
Click Start, click Run, type eventvwr, and then click OK.
In Event Viewer, expand Application and Services Logs, and then click Exchange Auditing.
Right-click Exchange Auditing, and then click Properties.
In the Log path box, type the full path of the new location of the .evtx event log file.
In the Maximum log size (KB) box, specify an appropriate value for the size of the log file.
For more information about Exchange Auditing, see Understanding Mailbox Access Auditing with Exchange Server 2007 Service Pack 3.