LogBinder For Exchange 2013


sshuga

We are currently testing this product. It seems to give us everything we need except we have a 6-7 hour window every day where we don't see events but our AD events do show activity. Is this a configuration issue within logbinder? Would love to get this resolved so that we can purchase the product.

Thanks,
Shelley
bjvista

Shelley

This is not expected behavior. Is the gap consistent (same hours each day)?
sshuga

bjvista - 1/9/2018
Shelley This is not expected behavior. Is the gap consistent (same hours each day)?

The gap occurs every 24 hour period but it's not the exact time every day. The duration of the gap is roughly the same though 6-7 hours.


sshuga

Could the memory threshold setting have anything to do with this? It says "Logbinder service will restart after the memory limit has been reached". These servers do happen to have a high memory utilization rate. 
Tamas Lengyel

sshuga - 1/9/2018
Could the memory threshold setting have anything to do with this? It says "Logbinder service will restart after the memory limit has been reached". These servers do happen to have a high memory utilization rate. 

It is very unlikely that it is related to reaching the memory threshold. LOGbinder is very careful not to lose any audit data, so even if the service would need to restart, it would still save and process any audit data.

It sounds more like the symptoms we experienced when we discovered the 24-hour issue with Exchange. Please go to LOGbinder options and enable the 24-hour delay. After you change this setting, you will have to restart the service for the change to take effect. Let us know if you experience any difference. (Please note that you will not receive any mailbox audit log events for 24 hours after enabling the above delay, and after that every mailbox audit log event will be 24 hours behind. Unfortunately, this is a limitation of Exchange auditing.)

sshuga

Tamas Lengyel - 1/9/2018
It is very unlikely that it is related to reaching the memory threshold. LOGbinder is very careful not to lose any audit data, so even if the service would need to restart, it would still save and process any audit data.

It sounds more like the symptoms we experienced when we discovered the 24-hour issue with Exchange. Please go to LOGbinder options and enable the 24-hour delay. After you change this setting, you will have to restart the service for the change to take effect. Let us know if you experience any difference. (Please note that you will not receive any mailbox audit log events for 24 hours after enabling the above delay, and after that every mailbox audit log event will be 24 hours behind. Unfortunately, this is a limitation of Exchange auditing.)

We have that option selected already. Any other thoughts?
sshuga

In looking at the Input screen on Logbinder, we notice gaps of time where search results are not returned.
 
Since there is no file name or completed time, I assume we are not getting those events. Are there adjustments we can make to ensure we receive all files?
Tamas Lengyel

sshuga - 1/10/2018
In looking at the Input screen on Logbinder, we notice gaps of time where search results are not returned.
 
Since there is no file name or completed time, I assume we are not getting those events. Are there adjustments we can make to ensure we receive all files?

When the File Name and the Completed columns are empty, that means that Exchange has not sent back the results of the audit log search request yet. If those results are not received, LOGbinder will abandon those requests, mark them as failed and retry the same time range again.

It seems that all your audit log search requests are served by Exchange at a specific time. It is hard to say from the screenshot for certain, but it looks like maybe only once a day. This is because, by default, Exchange 2013 serves audit log search requests only once every 24 hours. (In Exchange 2010 this was every 30 minutes.) However, this can be adjusted. We recommend setting the audit log search poll interval to 10 or 15 minutes. You can do it through an Exchange setting file as described in the blog "Changing the Exchange audit search poll interval".

sshuga

Tamas Lengyel - 1/10/2018
When the File Name and the Completed columns are empty, that means that Exchange has not sent back the results of the audit log search request yet. If those results are not received, LOGbinder will abandon those requests, mark them as failed and retry the same time range again.

It seems that all your audit log search requests are served by Exchange at a specific time. It is hard to say from the screenshot for certain, but it looks like maybe only once a day. This is because, by default, Exchange 2013 serves audit log search requests only once every 24 hours. (In Exchange 2010 this was every 30 minutes.) However, this can be adjusted. We recommend setting the audit log search poll interval to 10 or 15 minutes. You can do it through an Exchange setting file as described in the blog "Changing the Exchange audit search poll interval".

Thanks, Tamas. 

I thought the recommendation was to check once every 24 hours. What is the risk of changing this setting to once every 15 minutes?
Tamas Lengyel

sshuga - 1/10/2018
Thanks, Tamas. 

I thought the recommendation was to check once every 24 hours. What is the risk of changing this setting to once every 15 minutes?

If it is set to once every 24 hours, Exchange can decide when the best time is to do it and schedule it to a time that is not so busy. When it is set to every 15 minutes, Exchange is forced to do it, even if it is busy.

On the other hand, doing it only once every 24 hours might end up with a large amount of audit data, which will not only take long to process, but many times will end up with Exchange not being able to deliver the results, stating that there were too many results.

I don't recall anybody complaining so far that polling every 15 minutes adversely affected their system.
