Mailbox audit logging is a useful feature but some administrators become concerned when they learn that the audit logs are stored in the mailbox itself.
Does it add a significant amount of data to the mailbox?
It really depends on which audit options you’ve turned on, and how many mailboxes in your organization are shared mailboxes or have a lot of delegates performing actions on them.
What I can say is that my experience has been that mailbox audit logging, using the default 90 days retention and other audit settings, adds about 1-2% to the size of the mailbox. Of course, you should not take that as definitive and should perform some testing and analysis yourself, but I hope that my experience at least helps remove some of the uncertainty when it comes to storage impact of mailbox audit logging.
If you have turned on mailbox audit logging for a mailbox, and you know that actions are being logged already, you can check the size of the audits folder to see what kind of impact it is having.
[PS] C:\>get-mailbox Alan.Reid | Get-MailboxFolderStatistics -FolderScope RecoverableItems | fl name,foldersize

Name       : Recoverable Items
FolderSize : 5.804 MB (6,085,852 bytes)

Name       : Audits
FolderSize : 71.67 KB (73,394 bytes)

Name       : Deletions
FolderSize : 429.2 KB (439,483 bytes)

Name       : Purges
FolderSize : 0 B (0 bytes)

Name       : Versions
FolderSize : 0 B (0 bytes)

In the example above the Audits folder is just 71 KB in size, for a mailbox of about 1 GB in total size. This mailbox has just a small amount of delegate activity though. Other mailboxes in the same organization have upwards of 2-3 MB of audit data, which is still not very much compared to total mailbox sizes of several gigabytes.
If mailbox audit logging has been widely deployed you can also use a simple script to collect these stats from all mailboxes. This example will list all mailboxes with their mailbox size and audit log size, and then export the stats for all of them to a CSV file at the end.
You can download the Get-AuditLogOverhead.ps1 script from the TechNet Script Gallery or from GitHub.

# Collect mailbox size and Audits folder size for every mailbox, then export to CSV.
$report = @()
$mailboxes = @(Get-Mailbox -Resultsize Unlimited)

foreach ($mailbox in $mailboxes)
{
    $name = $mailbox.Name
    # Kept from the original script; not referenced below.
    $auditsfolder = "$($mailbox.Identity)Audits"

    # The Audits folder lives under Recoverable Items.
    $foldersize = ($mailbox | Get-MailboxFolderStatistics -FolderScope RecoverableItems | Where {$_.Name -eq "Audits"}).FolderSize
    if ($foldersize)
    {
        # ToMB() returns whole megabytes, so folders under 1 MB report as 0.00.
        $foldersize = "{0:N2}" -f $foldersize.ToMB()
    }
    else
    {
        $foldersize = 0
    }

    $mailboxsize = (Get-MailboxStatistics $mailbox).TotalItemSize.Value.ToMB()

    # One report row per mailbox.
    $reportObj = New-Object PSObject
    $reportObj | Add-Member NoteProperty -Name "Name" -Value $name
    $reportObj | Add-Member NoteProperty -Name "Mailbox Size (MB)" -Value $mailboxsize
    $reportObj | Add-Member NoteProperty -Name "Audits Size (MB)" -Value $foldersize
    $report += $reportObj

    Write-Host "$name, $mailboxsize, $foldersize"
}

$report | Export-CSV AuditLogOverhead.csv -NoTypeInformation
You could easily customize that for your own environment if you have the need.
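To turn the exported report into the percentage overhead discussed above, this added example (not part of the original script or post) reads rows in the CSV's column layout and works out audit data as a share of each mailbox and of the organization as a whole. The sample rows, the 2% threshold and the en-US culture are assumptions made for the illustration.

```powershell
# Constructed sample rows in the column layout the report script exports.
# In practice: $rows = Import-Csv .\AuditLogOverhead.csv
$rows = @'
"Name","Mailbox Size (MB)","Audits Size (MB)"
"Alan.Reid","1024","0.00"
"Shared.Helpdesk","4096","3.00"
"Shared.Finance","2150","58.00"
"New.Starter","0","0"
'@ | ConvertFrom-Csv

$thresholdPercent = 2   # assumption: flag anything above the 1-2% figure quoted in the article

# "{0:N2}" writes culture-specific separators (e.g. "1,234.00"), so parse with the
# culture of the session that produced the CSV. Assumption here: en-US.
$culture = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
$styles  = [System.Globalization.NumberStyles]::Number

$overhead = foreach ($row in $rows) {
    $mailboxMB = [double]::Parse($row.'Mailbox Size (MB)', $styles, $culture)
    $auditsMB  = [double]::Parse($row.'Audits Size (MB)',  $styles, $culture)

    # Empty or newly created mailboxes report 0 MB; avoid dividing by zero.
    $percent = if ($mailboxMB -gt 0) { [math]::Round(100 * $auditsMB / $mailboxMB, 2) } else { 0 }

    [PSCustomObject]@{
        Name            = $row.Name
        MailboxMB       = $mailboxMB
        AuditsMB        = $auditsMB
        OverheadPercent = $percent
        AboveThreshold  = $percent -gt $thresholdPercent
    }
}

# Largest relative overhead first.
$overhead | Sort-Object OverheadPercent -Descending | Format-Table -AutoSize

# Organization-wide figure: total audit data relative to total mailbox data.
$totalMailboxMB = ($overhead | Measure-Object MailboxMB -Sum).Sum
$totalAuditsMB  = ($overhead | Measure-Object AuditsMB  -Sum).Sum
if ($totalMailboxMB -gt 0) {
    "Overall audit overhead: {0:N2}% of {1:N0} MB" -f (100 * $totalAuditsMB / $totalMailboxMB), $totalMailboxMB
}
```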
Hello Paul,
Does the audit log count against a space quota applied to the inbox?
Thank you
Hi Paul,
Greetings!
I have a Dynamics 365 instance, where the audit logs in Dynamics are sent to Security and Compliance (O365). My query is whether these audit logs will occupy any disk space in O365?
Thanks in advance!
Hi!!!
Can somebody help me out? I am unable to increase the age limit of the audit log for all the users.
Please share the script.
Thanks
Hi,
Can I archive audit logs as I archived the track log and other logs?
As I read in the article, audit logs are not visible.
My scenario is below:
I want to enable the audit logging setting. As I know, by default it is for 90 days and it is overwritten after 90 days. I want to archive the audit logs before they are overwritten. Is it possible?
Please guide.
Hi Paul,
Greetings for the day.
What is the maximum age limit of Audit Log Age Limit? When I try to set a random large number using the Set-Mailbox cmdlet, the error gives me the range of 00:00:00 to 24855.03:14:07. My question is, will it really save the mailbox audit logs for this (24855) many days, approx. 68 years? That is my main question.
Do you have something that would get the information from O365?
The same technique probably works, but in O365 it’s not your problem to deal with. Microsoft deals with storage capacity management.
Hi,
Could you please let me know where these audit logs are stored in O365? Do they occupy space in a database or any cloud storage? Example: OneDrive
I have an audit log of 13GB for a mailbox. Is it possible to clear it out?
Yes. If you reduce the audit log age limit to something low, Exchange will start purging any logs older than that age limit. It’s not instant, but it should happen reasonably quickly.
Hi Paul
In your experience, is there any impact on the performance of the mailbox server when auditing is applied? We are looking into auditing about 10% of the users with all the features enabled. I’m not worried about the disk space consumed, but on the performance side.
Cheers
No performance impact at all, in my experience.
Hi,
Hopefully you can help.
We have an automated system that polls a mailbox and raises tickets from unread emails but some are not being picked up as they have been manually opened/read.
Is it possible to determine who read an email in a shared mailbox?
Messagebind is not an option when auditing for delegate access.
geoff
Last time I tested it Messagebind does work for auditing delegate access.
I know this is an older post but was wondering if audit logging can be turned on for a Public Folder? Since these folders are usually shared, we would like to know how certain messages originated in a public folder. For example if a user drags a copy of a msg from their mailbox to a public folder. I cannot find a way to find that out without turning audit logging on.
I believe that turning up diagnostic logging for the public folders (in Exchange’s diagnostic logging settings) can cause audit logs to be written to the event logs for public folder deletions and other similar tasks, but I’ve never had to look into it closely.