Solved

Exchange 2010 Audit log performance impact

Posted on 2013-01-09
7
2,080 Views
Last Modified: 2013-12-06
We are now considering enabling audit logs in exchange environment to monitor hard and soft deletions of e-mail.  We have 2 main concerns.  The performance impact of the exchange system with the audit logs enabled on the exchange server and the amount of space consumed by the audit logs while enabled.  Also should I have other concerns with enabling auditing?  From past experience enabling auditing for prolonged periods has had a detrimental effect on the system.  Once enabled, we will be leaving the logging enabled 24x7x365.
0
Comment
Question by:Linktheman2003
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 13

Accepted Solution

by:
imkottees earned 167 total points
ID: 38760149
Hi,

If you are with Exchange 2010 RTM you have to specify the mailbox for audit logging.
In Exchange 2010 SP1, the audit mailbox is a hidden, dedicated arbitration mailbox that cannot be changed. You can use the Exchange Control Panel (ECP) Auditing Reports page, Search-AdminAuditLog, or New-AdminAuditLogSearch to view audit logs.

http://www.mikepfeiffer.net/2010/02/using-administrator-audit-logging-in-exchange-2010/
0
 
LVL 43

Assisted Solution

by:Amit
Amit earned 167 total points
ID: 38760685
I guess you are not planning to set it permanently. For temp use, i don't think it will impact.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 166 total points
ID: 38762239
In exchange 2010 mailbox auditing is stored inside the mailboxes

I have done extensive research on this subject since I had to enable mailbox auditing on a large number of mailboxes recently at a client.

My findings (after opening a case with Microsoft and a lot of emails since it is not documented anywhere) it really goes down to the number of mailboxes to audit and the auditing level

If you are auditing only administrator access then you can ignore the impact since it won't be much anyway. However if, like me, you are planning to audit owners access on a large number of mailboxes i was recommended to add up 5% to 7% to the IOPS number given by the mailbox calculator
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:Linktheman2003
ID: 38767879
I am permenantly enabling audting on the Exchange 2010 SP2 rollup 5 server.  It is a single exchange server with about 100 mailboxes.  We are auditing all mailboxes and all users for hard and soft deletes.  My boss has 2 concerns.  The first is what is the total impact on the server from a perfomance stand point (CPU usage, memory consumption, hard drive IHOPS...) and Total Hard drive space consumed yearly.  Or exchange serve ris virualized on a Windows 2008 R2 host so we can get up to Quad core processing currently which we have already enabled and there is little CPU usage except on the McAfee Security for Microsoft Exchange software we run on it.  It has 32GB of RAM setup, but it consumes anywhere from 16-26 GB depending upon load.  In 10 years we have consumed about 231GB, where we saw 20GB in the last year alone to get an idea of how much data we are talking about.  I don't know actual IHOPS yet.  Our concern is to make sure we can tell if a user deletes files and if so who did it.

My other question which has arisen since this post is how do I change the tombstone life of deleted items.  I need to change from the default of 14 days, to a longer period of 35 days so that all items will be caught by our monthly backups offsite if we ever have to go back and retreive them.
0
 
LVL 43

Expert Comment

by:Amit
ID: 38767887
I suggest enable it and monitor it. As performance can differ server to server. Depends how you configured and using a server, so there is no set answer for this query.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38769600
In your case I don't think you will have any issues at all since the number of users is very small compared to the sizing of your server. Your sever can easily handled 3 times the amount on current users and the extra load of auditing will not be 3x more So i can tell you you will be fine

what raid configuration is your database staying on ? is it on a san storage or local disk? are the disks sata/scsi ??

for the retention period it is easy just go to Org Config -> Mailbox -> DB managemnet -> right click properties on the DB -> limits and change it "keep deleted mailboxes for day(s)
0
 

Author Closing Comment

by:Linktheman2003
ID: 38982735
No hard core proof, but very little impact.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
how to add IIS SMTP to handle application/Scanner relays into office 365.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question