
3.12. Bulletin: Exchange Cumulative Update breaks auditing

Update

This issue is likely not related to cumulative updates, as stated below, but to Exceeding the maximum number of audit log search requests.


The issue

In December 2016 Microsoft released the following cumulative updates for Exchange Server:

Early in 2016, our development team discovered that auditing in Exchange 2016 was not functioning properly. Even without LOGbinder installed, the New-AdminAuditLogSearch and New-MailboxAuditLogSearch cmdlets were issued successfully, but in many Exchange environments the audit requests were never processed. The audit requests would fill up a queue, and subsequent requests would then fail with the error "You have exceeded the maximum number of audit log search requests that your organization can submit. Please try again later." (See below)

 

Some customers have recently reported to us that they are now receiving these same results in Exchange 2013 and Exchange 2010. It appears that the latest cumulative updates have introduced undocumented changes to auditing that break LOGbinder for Exchange. LOGbinder relies on a functioning Exchange environment to work properly. Specifically, the New-AdminAuditLogSearch and New-MailboxAuditLogSearch cmdlets must be functioning properly in order for LOGbinder to work.

We are currently working with one of our contacts at Microsoft to determine if this is a known Exchange issue or if we have discovered another Exchange bug (previously we discovered the 24-hour bug in Exchange).

Our recommendation:

At this time, if you are a current LOGbinder for Exchange customer or a prospective customer, we recommend that you do not update to the latest cumulative updates in the bullet points at the start of this article. If you do, you risk breaking auditing in Exchange, which will in turn break LOGbinder for Exchange.

Do you have the issue?

If you are experiencing the symptoms described above or suspect you may have this issue, please follow these steps:

  1. Which version of Exchange are you using and which cumulative update do you have installed?
    • For Exchange 2010 run this command in Exchange Management Shell: Get-Command ExSetup | ForEach {$_.FileVersionInfo}
    • For Exchange 2013 run this command in Exchange Management Shell: Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
    • Now compare your results to this page: https://technet.microsoft.com/en-us/library/hh135098(v=exchg.150).aspx
  2. If you are using the latest update and have been issuing audit requests, you need to check whether the audit request queue is full.
    • In Exchange Management Shell run: New-AdminAuditLogSearch -StartDate "1/25/2017 5:14:45 PM" -EndDate "1/25/2017 5:25:04 PM" -StatusMailRecipients ServiceAccountMailbox@YourDomain.local -Name test
      • Please note you will have to modify the above command to use a mailbox in your organization. If you are a current LOGbinder for Exchange customer, you will probably be using the mailbox of the service account user you are using in LOGbinder.
    • Do you receive an error similar to what is shown in the screenshot above?

If so, please contact us with your Exchange version, your cumulative update version, and a screenshot of the error returned by the audit request.
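
The two steps above can be combined into one check that records the build information and classifies the outcome of a single test search. This is an added example, not LOGbinder's or Microsoft's code; the function name Test-AuditSearchQueue, the "queue-test-" search name, and the 10-minute search window are assumptions, and the mailbox is the article's placeholder.

```powershell
# Added example. Run in Exchange Management Shell with rights to the audit cmdlets.
function Test-AuditSearchQueue {
    param(
        # Placeholder from the article; replace with a mailbox in your organization.
        [string]$StatusMailbox = 'ServiceAccountMailbox@YourDomain.local'
    )

    # Step 1: collect build information to compare against Microsoft's build table.
    $servers = Get-ExchangeServer |
        ForEach-Object { "{0} ({1}): {2}" -f $_.Name, $_.Edition, $_.AdminDisplayVersion }
    $setup = Get-Command ExSetup -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FileVersionInfo.ProductVersion }

    # Step 2: submit one short test search. An accepted search is itself queued,
    # so run this once rather than in a loop.
    $end       = Get-Date
    $start     = $end.AddMinutes(-10)
    $quotaText = 'exceeded the maximum number of audit log search requests'
    $status    = 'Accepted'
    $detail    = $null
    try {
        New-AdminAuditLogSearch -StartDate $start -EndDate $end `
            -StatusMailRecipients $StatusMailbox `
            -Name ("queue-test-{0:yyyyMMddHHmmss}" -f $end) `
            -ErrorAction Stop | Out-Null
    }
    catch {
        # Distinguish the queue-full error quoted in this article from other failures.
        $detail = $_.Exception.Message
        $status = if ($detail -like "*$quotaText*") { 'QueueFull' } else { 'OtherError' }
    }

    # New-Object is used so the function also works on the PowerShell 2.0 shell of Exchange 2010.
    New-Object PSObject -Property @{
        CheckedAt      = $end
        Servers        = $servers
        ExSetupVersion = $setup
        SearchStatus   = $status
        ErrorDetail    = $detail
    }
}

Test-AuditSearchQueue | Format-List
```

A SearchStatus of Accepted only means the request was queued; confirm that the status e-mail actually arrives at the mailbox, since the symptom described above is requests that are accepted but never processed.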
