locked
delete Administrator Audit Logging RRS feed

  • Question

  • How can the system administrator control the Administrator Audit Logging of the Exchange Server.. What I want to do is to check the audit logging ( for some users who get access for an email) and delete some specific operations ( Like search and granting access) .. also how can I delete the log directly? 
    Tuesday, May 27, 2014 11:02 PM

Answers

  • - You can check current size and number of items of Admin Audit log using this method... Exchange Powershell Tip #02

    - You can disable the cmdlets that you don't want logging by following Manage Administrator Audit Logging. Set the various parameters (AudimAuditLogCmdlets, AdminAuditLogExcludedCmdlets and AudminAuditLogParameters, AdminAuditLogAgeLimit) of Set-AdminAuditLogConfig cmdlet to control it...


    Blog | Get Your Exchange Powershell Tip of the Day from here

    • Proposed as answer by Mike Crowley Wednesday, May 28, 2014 12:26 AM
    • Marked as answer by Amit Tank Thursday, June 5, 2014 5:37 AM
    Tuesday, May 27, 2014 11:56 PM
  • Hi,

    Based on my research, to delete the audit log entries which are over 7 days, we can set the AdminAuditLogAgeLimit parameter. Thus, let’s firstly try to double check the property by the following command:

    Get-AdminAuditLogConfig | FL  AdminAuditLogAgeLimit

    If  the value is 02.00:00:00, let’s check if there is any error in the event log to narrow down the cause.

    If you have any question, please feel free to let me know.

    Thanks,


    Angela Shi
    TechNet Community Support

    • Marked as answer by Amit Tank Thursday, June 5, 2014 5:36 AM
    Wednesday, May 28, 2014 9:03 AM
  • I noticed now that it is done, and there is no problem but it needs time.
    • Proposed as answer by Angela Shi Friday, May 30, 2014 1:33 AM
    • Marked as answer by Amit Tank Thursday, June 5, 2014 5:36 AM
    Thursday, May 29, 2014 7:16 AM

All replies

  • - You can check current size and number of items of Admin Audit log using this method... Exchange Powershell Tip #02

    - You can disable the cmdlets that you don't want logging by following Manage Administrator Audit Logging. Set the various parameters (AudimAuditLogCmdlets, AdminAuditLogExcludedCmdlets and AudminAuditLogParameters, AdminAuditLogAgeLimit) of Set-AdminAuditLogConfig cmdlet to control it...


    Blog | Get Your Exchange Powershell Tip of the Day from here

    • Proposed as answer by Mike Crowley Wednesday, May 28, 2014 12:26 AM
    • Marked as answer by Amit Tank Thursday, June 5, 2014 5:37 AM
    Tuesday, May 27, 2014 11:56 PM
  • What IF I want to delete the log of last week ,, I did change the Log limit to 2 Day then next day I tried but still getting the same old log data, how can I Just delete it?
    Wednesday, May 28, 2014 6:59 AM
  • Hi,

    Based on my research, to delete the audit log entries which are over 7 days, we can set the AdminAuditLogAgeLimit parameter. Thus, let’s firstly try to double check the property by the following command:

    Get-AdminAuditLogConfig | FL  AdminAuditLogAgeLimit

    If  the value is 02.00:00:00, let’s check if there is any error in the event log to narrow down the cause.

    If you have any question, please feel free to let me know.

    Thanks,


    Angela Shi
    TechNet Community Support

    • Marked as answer by Amit Tank Thursday, June 5, 2014 5:36 AM
    Wednesday, May 28, 2014 9:03 AM
  • Yes. you can navigate to the following location and find the related log, and then delete it directly.

     

    C:\program files\Microsoft\exchange server\TransportRoles\Logs

    Please check out the given link: http://technet.microsoft.com/en-us/library/dd335144%28v=exchg.150%29.aspx

    Really? Do AdminAuditLogs go to C:\program files\Microsoft\exchange server\TransportRoles\Logs?

    Blog | Get Your Exchange Powershell Tip of the Day from here


    • Edited by Amit Tank Wednesday, May 28, 2014 12:36 PM
    Wednesday, May 28, 2014 12:36 PM
  • I think it is not that one ,, I think the Administrator logs saved in arbitration mailbox ..
    Wednesday, May 28, 2014 1:35 PM
  • I tried this way but after that I still can retrieve reports more than 2 Weeks ago !!! is there is other way? 
    Wednesday, May 28, 2014 1:36 PM
  • Did you see reduction in number of items after you changed it to 2 days?

    Exchange Powershell Tip #02


    Blog | Get Your Exchange Powershell Tip of the Day from here

    Wednesday, May 28, 2014 3:23 PM
  • I noticed now that it is done, and there is no problem but it needs time.
    • Proposed as answer by Angela Shi Friday, May 30, 2014 1:33 AM
    • Marked as answer by Amit Tank Thursday, June 5, 2014 5:36 AM
    Thursday, May 29, 2014 7:16 AM