How to Configure Automatic Archiving of Exchange Auditing Event Logs
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how to use the Event Viewer tool in Windows Server 2008 to configure automatic archiving of Microsoft Exchange Auditing event logs.
Windows Server 2008 can automatically archive the event log when the maximum event log size has been reached. This Windows Server 2008 event log setting is named Archive the log when full, do not overwrite events. By default, this setting is enabled for the Exchange Auditing event log. When the maximum Exchange Auditing event log size is reached, Windows Server 2008 closes the current log file and archives the log file to the folder in which the Exchange Auditing log is located. You can see the archived log files under Saved Logs in Event Viewer.
Important
We do not recommend that you store the auditing logs on the same logical drives as the database and transaction log files. If available hard disk drive space is low, and the auditing logs consume all available disk space, the Microsoft Exchange Information Store service will dismount the databases because of insufficient disk drive space.
The format of the archive log file is as follows:
Archive-<Exchange Auditing Log file name>-<datetime>.evtx
For example, if the path to the Exchange Auditing log file name is D:\ExchangeAuditing\ExchangeAuditing.evtx, the file name resembles the following:
Archive-ExchangeAuditing-2009-05-06-12-54-33-725.evtx
When a log file has been rolled over, event ID 105 is logged to the System log. This event resembles the following:
Sample event ID 105 entry
Log Name: System Source: Microsoft-Windows-Eventlog Event ID: 105 Task Category: Log automatic backup Level: Information Description: Event log automatic backup Log:Exchange Auditing File:d:\ExchangeAuditing\ Archive-ExchangeAuditing-2009-05-06-12-54-33-725 |
Before You Begin
To perform this procedure, the account you use must be delegated the following:
- Local Administrator rights
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Procedure
To use the Windows Server 2008 Event Viewer to automatically archive event logs
Click Start, click Run, type eventvwr, and then click OK.
In Event Viewer, expand Application and Services logs, and then click Exchange Auditing.
Right-click Exchange Auditing, and then click Properties.
Click Archive the log when full, do not overwrite events.
Click OK.
For More Information
For more information about Exchange Auditing, see Understanding Mailbox Access Auditing with Exchange Server 2007 Service Pack 3.