
3.6. Dealing with large amount of audit backlog when first starting LOGbinder for Exchange

If auditing has been enabled on your Exchange server for a while when you install LOGbinder for Exchange (and administrator audit logging is enabled by default), you might have a large amount of audit data accumulated, depending on your audit retention period. (See AuditLogAgeLimit for mailboxes, and AdminAuditLogAgeLimit for the administrator audit log.)

When LOGbinder for Exchange starts for the first time, it collects and processes all audits existing in your Exchange system. If there is a large amount of audit logs, this can take considerable time and computational resources on your Exchange server. How can you find out how much audit data you have in your Exchange environment, and what can you do if you do not want to process a large backlog?

Assessing size of audit data

The following Exchange PowerShell command displays the 20 mailboxes with the largest audit data size. It only queries the mailboxes that have auditing enabled.

Get-Mailbox -Filter {AuditEnabled -eq $true} | Get-MailboxFolderStatistics | where {$_.Name -eq "Audits"} | Sort-Object FolderSize -Descending | Select-Object Identity, ItemsInFolder, FolderSize -First 20

The following Exchange PowerShell command displays the size of the administrator audit log.

Get-Mailbox -Arbitration | Get-MailboxFolderStatistics | where {$_.Name -eq "AdminAuditLogs"} | Select-Object Name, ItemsInFolder, FolderSize

If any of the above seems too large (for example, you have hundreds of megabytes of mailbox audit data in some mailboxes), you might want to consider bypassing those past events and starting the audit log collection with LOGbinder for Exchange from this point forward.
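
The two checks above combined into one report, as an added example that is not part of the original LOGbinder article: it totals the mailbox audit backlog, lists the mailboxes above a threshold, and shows the retention settings that determine how far back the data reaches. The $ThresholdMB value and the ConvertTo-Bytes helper are assumptions introduced for illustration.

```powershell
# Added example (not from the LOGbinder article). Run in the Exchange Management Shell.
# $ThresholdMB is an assumed cut-off; the article only says "hundreds of megabytes".
$ThresholdMB = 200

# Hypothetical helper: FolderSize prints as "1.5 MB (1,572,864 bytes)" whether it is a
# live ByteQuantifiedSize or a deserialized value from a remote session, so parse the
# string form and strip locale-specific digit separators.
function ConvertTo-Bytes($FolderSize) {
    if ("$FolderSize" -match '\((.+?) bytes\)') {
        return [int64]($Matches[1] -replace '[^\d]', '')
    }
    return [int64]0
}

# Collect the mailboxes first: calling a second Exchange cmdlet inside a running
# Get-Mailbox pipeline can fail in remote sessions.
$mailboxes = @(Get-Mailbox -Filter {AuditEnabled -eq $true} -ResultSize Unlimited)

$report = foreach ($mbx in $mailboxes) {
    $mbx | Get-MailboxFolderStatistics | Where-Object { $_.Name -eq "Audits" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox          = $mbx.PrimarySmtpAddress
                ItemsInFolder    = $_.ItemsInFolder
                SizeMB           = [math]::Round((ConvertTo-Bytes $_.FolderSize) / 1MB, 1)
                AuditLogAgeLimit = $mbx.AuditLogAgeLimit
            }
        }
}

if (-not $report) { "No mailbox audit data found."; return }

$totalMB = ($report | Measure-Object -Property SizeMB -Sum).Sum
"Audited mailboxes with data: {0}; total backlog: {1:N1} MB" -f @($report).Count, $totalMB

# Mailboxes whose backlog alone exceeds the threshold, largest first.
$report | Where-Object { $_.SizeMB -ge $ThresholdMB } |
    Sort-Object SizeMB -Descending |
    Select-Object Mailbox, ItemsInFolder, SizeMB, AuditLogAgeLimit |
    Format-Table -AutoSize

# Retention setting that governs how far back the administrator audit log reaches.
Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled, AdminAuditLogAgeLimit
```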
