Menu

Search

Blog | Newsletter | Download | Contact
LOGbinder Support

LOGbinder Support


Exceeding the maximum number of audit log search requests


2 Years Ago
bjvista
How To

Amid the many undocumented “features” of Microsoft Exchange server auditing, from time to time we discover new things. This time it is about a limit that is set by Exchange on how many audit log search requests you can execute.

This number seems to be a maximum of 50 asynchronous mailbox audit log search requests (New-MailboxAuditLogSearch cmdlet) and 50 asynchronous admin audit log search requests (New-AdminAuditLogSearch cmdlet). If you issue more than 50 of any of the above cmdlets, you will get an error message like this:

[PS] C:\Windows\system32>(Get-AuditLogSearch).Count 

50

[PS] C:\Windows\system32>[PS] C:\Windows\system32>New-AdminAuditLogSearch -StartDate "2/10/2017 10:00" -EndDate "2/10/2017 11:00" -Name "testing" -StatusMailRecipients testing@test.local

You have exceeded the maximum number of audit log search requests that your organization can submit. Please try again later.

+ CategoryInfo          : QuotaExceeded: (:) [New-AdminAuditLogSearch], InvalidOperationException

+ FullyQualifiedErrorId : [Server=LAB-EX,RequestId=43e8b057-be65-4c4e-9441-64a652efafe0,TimeStamp=2/20/2017 11:01:57 PM] [FailureCategory=Cmdlet-InvalidOperationException] 5776B0C3,Microsoft.Exchange.Management.SystemConfigurationTasks.NewAdminAuditLogSearch

+ PSComputerName        : lab-ex.test.local

After one or more audit log search requests have been processed by Exchange, you can again issue more requests.

The number of counters for admin and mailbox audit log requests are separate. In the above example, we have reached the maximum number of admin audit log search requests, but we have not issued any mailbox audit log requests. Therefore, we can still issue New-MailboxAuditLogSearch cmdlets.

Also, the above limits only apply to asynchronous audit log requests, so in the above example you could still issue Search-AdminAuditLog cmdlets and get the results.

From our testing so far, this applies to most (if not all) cumulative updates of Exchange 2013 and Exchange 2016, but not to Exchange 2010.

Where is this limit specified? Can it be changed? We do not know yet. If you do, please let us know.



On a scale of 1-5, please rate the helpfulness of this article


Not Helpful
Very Helpful
Optionally provide private feedback to help us improve this article...

Thank you for your feedback!


Still have questions - Submit a new ticket
Customer Support Software By InstantKB 2016-4 Final
Execution: 0.000. 7 queries. Compression Disabled.
Login | Terms of Use | Privacy
LOGbinder is a division of Monterey Technology Group, Inc. ©2006-2019 All rights reserved.