Exchange Administrator Audit Log: Storage Purging and Archival
Storage
The Exchange administrator audit log is not a normal text-file-based log or a Windows event log. Administrator audit log events are stored as email messages inside a special audit mailbox. To view the administrator audit log, see Reporting.
If audit log files are to serve their purpose, administrators must be restricted
from tampering with the logs. In addition, a malicious outsider’s first action upon
compromising a system is usually to cover up his or her tracks by erasing the logs.
These two facts are the key drivers behind the commonly accepted best practice of
log management, which mandates that logs be moved, as frequently as possible, from
the system on which they are generated to a separate system with different access
control parameters.
As in the case of mailbox auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange™ collects the hidden administrator audit log entries from the internal special mailbox, parses the log data, and formats it into more than 500 easy-to-read messages delivered to your SIEM.
Purging
Exchange automatically purges the administrator audit log based on the number of days specified in the -AdminAuditLogAgeLimit parameter of the Set-AdminAuditLogConfig cmdlet. The default value is 90 days.
The parameter is specified in the format dd.hh:mm:ss. So, the following command would set the audit log to purge events older than 120 days:
Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 120.00:00:00
We recommend setting it to the greater of the following two factors:
- The amount of time (maybe 3-7 days?) that the server hosting a solution (such as LOGbinder for Exchange) that exports and archives Exchange audit events might ever be down. This way, audit events accumulate in Exchange until the export system comes back up and collects them.
- How far back Exchange admins want to go using Exchange’s internal/native audit reporting.
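The following Exchange Management Shell script is an added example, not part of the original page or the LOGbinder product: it applies the "greater of the two factors" rule above, builds the dd.hh:mm:ss value as a TimeSpan instead of hand-typing it, and only raises the limit if the current setting is shorter. The two day counts are constructed sample values; Get-AdminAuditLogConfig and Set-AdminAuditLogConfig are the standard Exchange cmdlets.

```powershell
# Added example: choose -AdminAuditLogAgeLimit from the two retention factors.
# Assumes an Exchange Management Shell session with rights to change org audit config.

# Constructed sample inputs; replace with your own estimates.
$ExportOutageToleranceDays   = 7    # longest expected outage of the audit export/archival server
$NativeReportingLookbackDays = 120  # how far back admins want Search-AdminAuditLog to reach

# Retention floor is the larger of the two factors.
$RetentionDays = [Math]::Max($ExportOutageToleranceDays, $NativeReportingLookbackDays)

# Build the dd.hh:mm:ss value from a TimeSpan (120 days -> "120.00:00:00").
$DesiredAgeLimit = New-TimeSpan -Days $RetentionDays

$Current = Get-AdminAuditLogConfig

# Purging settings are irrelevant if logging itself is off, so check that first.
if (-not $Current.AdminAuditLogEnabled) {
    Write-Warning "Administrator audit logging is disabled; enabling it."
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
}

# AdminAuditLogAgeLimit is an Exchange EnhancedTimeSpan; round-trip through its
# string form so the comparison is between plain .NET TimeSpans.
$CurrentAgeLimit = [TimeSpan]::Parse($Current.AdminAuditLogAgeLimit.ToString())

if ($CurrentAgeLimit -lt $DesiredAgeLimit) {
    # Pass the canonical string form the cmdlet documents (dd.hh:mm:ss).
    Set-AdminAuditLogConfig -AdminAuditLogAgeLimit $DesiredAgeLimit.ToString()
    Write-Output ("Age limit raised from {0} to {1}" -f $CurrentAgeLimit, $DesiredAgeLimit)
} else {
    # Never lower an existing, longer retention from this script.
    Write-Output ("Age limit already {0}; left unchanged" -f $CurrentAgeLimit)
}

# Read back the effective setting for the change record.
(Get-AdminAuditLogConfig).AdminAuditLogAgeLimit
```

With the sample values the script sets 120.00:00:00, matching the command shown earlier; if your environment already retains longer, it leaves the setting alone.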
What impact will admin auditing have on Exchange storage? Negligible. After all, it is only auditing changes made by admins. Perhaps if, during a migration, you create 100,000 mailboxes and make several changes to each one, you will see some megabytes of audit data.
Archival
Exchange does not provide an automated, enterprise method for archiving the administrator
audit log. You can manually export the audit log from the administration web page
or via PowerShell. The log is exported in the form of an XML file.
For enterprise archiving and connection to your SIEM/log management system, see LOGbinder for Exchange.