If you are doing auditing for Exchange server using the New-AdminAuditLogSearch and New-MailboxAuditLogSearch cmdlets, you might have noticed that it takes a while until Exchange delivers the audit reports. You might wonder: How long does it actually take to get the results? Is there any setting that determines this? If yes, can it be changed?
First of all, we must note that Microsoft says that
after you run the New-AdminAuditLogSearch cmdlet, Exchange may
take up to 15 minutes to deliver the report to the specified recipient. (See for Exchange 2010: Overview of Administrator Audit Logging, for Exchange 2013: Administrator Audit Logging, for Exchange 2016 and later: Admin audit logging)
However, in reality you will find that at times Exchange takes significantly more time than that to deliver the report. On Exchange 2013 and later, it can take up to a day. This might not suit the need of all, so let’s see how we can change this behavior.
The value that controls this timing is stored in an XML configuration file under the %ExchangeInstallPath% folder. The file is in the Bin folder, and called Microsoft.Exchange.Servicehost.exe.config. Look for the following line inside the <appSettings> tag:
<add key="AuditLogSearchPollIntervalInMilliseconds" value="…" />
This value determines (in milliseconds) the frequency of audit log searches, affecting both the admin audit log search and the mailbox audit log search. The default value for Exchange 2010 is 1800000 (that is 30 minutes). For Exchange 2013 and later, the default value is 86400000 (that is 24 hours). This means that Exchange 2010 will execute audit log search polls every 30 minutes and Exchange 2013 and later versions will execute audit log search polls every 24 hours.
If you would like to use a different value, you can simply change it in the config file using a text editor. Please note that you have to restart the Microsoft Exchange Service Host service for the change to take effect.
If you prefer to change the value more programmatically, you can do it from PowerShell, but running the following script (e.g. to change the interval to 10 minutes):
$cfgpath = $Env:ExchangeInstallPath + "Bin\Microsoft.Exchange.Servicehost.exe.config"
[xml]$cfg = Get-Content -Path $cfgpath
($cfg.configuration.appSettings.add | where key -Match "AuditLogSearchPollIntervalInMilliseconds").value = "600000"
(Again, don’t forget to restart the service after the change.)
In this article, we looked at how to determine and control the audit log search poll interval in Exchange. As a final note, please mind the implications this setting might have on your CPU usage, if you set the value too low.
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!