HomeLOGbinder for EX KBHow ToExceeding the maximum number of audit log search requests

3.4. Exceeding the maximum number of audit log search requests

Amid the many undocumented “features” of Microsoft Exchange server auditing, from time to time we discover new things. This time it is about a limit that is set by Exchange on how many audit log search requests you can execute.

This number seems to be a maximum of 50 asynchronous mailbox audit log search requests (New-MailboxAuditLogSearch cmdlet) and 50 asynchronous admin audit log search requests (New-AdminAuditLogSearch cmdlet). If you issue more than 50 of any of the above cmdlets, you will get an error message like this:

[PS] C:\Windows\system32>(Get-AuditLogSearch).Count 

50

[PS] C:\Windows\system32>[PS] C:\Windows\system32>New-AdminAuditLogSearch -StartDate "2/10/2017 10:00" -EndDate "2/10/2017 11:00" -Name "testing" -StatusMailRecipients testing@test.local

You have exceeded the maximum number of audit log search requests that your organization can submit. Please try again later.

+ CategoryInfo          : QuotaExceeded: (:) [New-AdminAuditLogSearch], InvalidOperationException

+ FullyQualifiedErrorId : [Server=LAB-EX,RequestId=43e8b057-be65-4c4e-9441-64a652efafe0,TimeStamp=2/20/2017 11:01:57 PM] [FailureCategory=Cmdlet-InvalidOperationException] 5776B0C3,Microsoft.Exchange.Management.SystemConfigurationTasks.NewAdminAuditLogSearch

+ PSComputerName        : lab-ex.test.local

After one or more audit log search requests have been processed by Exchange, you can again issue more requests.

The number of counters for admin and mailbox audit log requests are separate. In the above example, we have reached the maximum number of admin audit log search requests, but we have not issued any mailbox audit log requests. Therefore, we can still issue New-MailboxAuditLogSearch cmdlets.

Also, the above limits only apply to asynchronous audit log requests, so in the above example you could still issue Search-AdminAuditLog cmdlets and get the results.

From our testing so far, this applies to most (if not all) cumulative updates of Exchange 2013 and Exchange 2016, but not to Exchange 2010.

Where is this limit specified? Can it be changed? We do not know yet. If you do, please let us know.

This page was: Helpful | Not Helpful
Where to find information about LOGbinder events LOGbinder troubleshooting tip: Use the Diagnostic Logs