Solved

Exchange 2010 Audit log performance impact

Posted on 2013-01-09
7
2,029 Views
Last Modified: 2013-12-06
We are now considering enabling audit logs in exchange environment to monitor hard and soft deletions of e-mail.  We have 2 main concerns.  The performance impact of the exchange system with the audit logs enabled on the exchange server and the amount of space consumed by the audit logs while enabled.  Also should I have other concerns with enabling auditing?  From past experience enabling auditing for prolonged periods has had a detrimental effect on the system.  Once enabled, we will be leaving the logging enabled 24x7x365.
0
Comment
Question by:Linktheman2003
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 13

Accepted Solution

by:
imkottees earned 167 total points
ID: 38760149
Hi,

If you are with Exchange 2010 RTM you have to specify the mailbox for audit logging.
In Exchange 2010 SP1, the audit mailbox is a hidden, dedicated arbitration mailbox that cannot be changed. You can use the Exchange Control Panel (ECP) Auditing Reports page, Search-AdminAuditLog, or New-AdminAuditLogSearch to view audit logs.

http://www.mikepfeiffer.net/2010/02/using-administrator-audit-logging-in-exchange-2010/
0
 
LVL 42

Assisted Solution

by:Amit
Amit earned 167 total points
ID: 38760685
I guess you are not planning to set it permanently. For temp use, i don't think it will impact.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 166 total points
ID: 38762239
In exchange 2010 mailbox auditing is stored inside the mailboxes

I have done extensive research on this subject since I had to enable mailbox auditing on a large number of mailboxes recently at a client.

My findings (after opening a case with Microsoft and a lot of emails since it is not documented anywhere) it really goes down to the number of mailboxes to audit and the auditing level

If you are auditing only administrator access then you can ignore the impact since it won't be much anyway. However if, like me, you are planning to audit owners access on a large number of mailboxes i was recommended to add up 5% to 7% to the IOPS number given by the mailbox calculator
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:Linktheman2003
ID: 38767879
I am permenantly enabling audting on the Exchange 2010 SP2 rollup 5 server.  It is a single exchange server with about 100 mailboxes.  We are auditing all mailboxes and all users for hard and soft deletes.  My boss has 2 concerns.  The first is what is the total impact on the server from a perfomance stand point (CPU usage, memory consumption, hard drive IHOPS...) and Total Hard drive space consumed yearly.  Or exchange serve ris virualized on a Windows 2008 R2 host so we can get up to Quad core processing currently which we have already enabled and there is little CPU usage except on the McAfee Security for Microsoft Exchange software we run on it.  It has 32GB of RAM setup, but it consumes anywhere from 16-26 GB depending upon load.  In 10 years we have consumed about 231GB, where we saw 20GB in the last year alone to get an idea of how much data we are talking about.  I don't know actual IHOPS yet.  Our concern is to make sure we can tell if a user deletes files and if so who did it.

My other question which has arisen since this post is how do I change the tombstone life of deleted items.  I need to change from the default of 14 days, to a longer period of 35 days so that all items will be caught by our monthly backups offsite if we ever have to go back and retreive them.
0
 
LVL 42

Expert Comment

by:Amit
ID: 38767887
I suggest enable it and monitor it. As performance can differ server to server. Depends how you configured and using a server, so there is no set answer for this query.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38769600
In your case I don't think you will have any issues at all since the number of users is very small compared to the sizing of your server. Your sever can easily handled 3 times the amount on current users and the extra load of auditing will not be 3x more So i can tell you you will be fine

what raid configuration is your database staying on ? is it on a san storage or local disk? are the disks sata/scsi ??

for the retention period it is easy just go to Org Config -> Mailbox -> DB managemnet -> right click properties on the DB -> limits and change it "keep deleted mailboxes for day(s)
0
 

Author Closing Comment

by:Linktheman2003
ID: 38982735
No hard core proof, but very little impact.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
A procedure for exporting installed hotfix details of remote computers using powershell
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question