Solved

Exchange 2010 Audit log performance impact

Posted on 2013-01-09
7
1,967 Views
Last Modified: 2013-12-06
We are now considering enabling audit logs in exchange environment to monitor hard and soft deletions of e-mail.  We have 2 main concerns.  The performance impact of the exchange system with the audit logs enabled on the exchange server and the amount of space consumed by the audit logs while enabled.  Also should I have other concerns with enabling auditing?  From past experience enabling auditing for prolonged periods has had a detrimental effect on the system.  Once enabled, we will be leaving the logging enabled 24x7x365.
0
Comment
Question by:Linktheman2003
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 13

Accepted Solution

by:
imkottees earned 167 total points
ID: 38760149
Hi,

If you are with Exchange 2010 RTM you have to specify the mailbox for audit logging.
In Exchange 2010 SP1, the audit mailbox is a hidden, dedicated arbitration mailbox that cannot be changed. You can use the Exchange Control Panel (ECP) Auditing Reports page, Search-AdminAuditLog, or New-AdminAuditLogSearch to view audit logs.

http://www.mikepfeiffer.net/2010/02/using-administrator-audit-logging-in-exchange-2010/
0
 
LVL 41

Assisted Solution

by:Amit
Amit earned 167 total points
ID: 38760685
I guess you are not planning to set it permanently. For temp use, i don't think it will impact.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 166 total points
ID: 38762239
In exchange 2010 mailbox auditing is stored inside the mailboxes

I have done extensive research on this subject since I had to enable mailbox auditing on a large number of mailboxes recently at a client.

My findings (after opening a case with Microsoft and a lot of emails since it is not documented anywhere) it really goes down to the number of mailboxes to audit and the auditing level

If you are auditing only administrator access then you can ignore the impact since it won't be much anyway. However if, like me, you are planning to audit owners access on a large number of mailboxes i was recommended to add up 5% to 7% to the IOPS number given by the mailbox calculator
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:Linktheman2003
ID: 38767879
I am permenantly enabling audting on the Exchange 2010 SP2 rollup 5 server.  It is a single exchange server with about 100 mailboxes.  We are auditing all mailboxes and all users for hard and soft deletes.  My boss has 2 concerns.  The first is what is the total impact on the server from a perfomance stand point (CPU usage, memory consumption, hard drive IHOPS...) and Total Hard drive space consumed yearly.  Or exchange serve ris virualized on a Windows 2008 R2 host so we can get up to Quad core processing currently which we have already enabled and there is little CPU usage except on the McAfee Security for Microsoft Exchange software we run on it.  It has 32GB of RAM setup, but it consumes anywhere from 16-26 GB depending upon load.  In 10 years we have consumed about 231GB, where we saw 20GB in the last year alone to get an idea of how much data we are talking about.  I don't know actual IHOPS yet.  Our concern is to make sure we can tell if a user deletes files and if so who did it.

My other question which has arisen since this post is how do I change the tombstone life of deleted items.  I need to change from the default of 14 days, to a longer period of 35 days so that all items will be caught by our monthly backups offsite if we ever have to go back and retreive them.
0
 
LVL 41

Expert Comment

by:Amit
ID: 38767887
I suggest enable it and monitor it. As performance can differ server to server. Depends how you configured and using a server, so there is no set answer for this query.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38769600
In your case I don't think you will have any issues at all since the number of users is very small compared to the sizing of your server. Your sever can easily handled 3 times the amount on current users and the extra load of auditing will not be 3x more So i can tell you you will be fine

what raid configuration is your database staying on ? is it on a san storage or local disk? are the disks sata/scsi ??

for the retention period it is easy just go to Org Config -> Mailbox -> DB managemnet -> right click properties on the DB -> limits and change it "keep deleted mailboxes for day(s)
0
 

Author Closing Comment

by:Linktheman2003
ID: 38982735
No hard core proof, but very little impact.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now