I just enabled auditing of mailbox folder access. The log entries are successfully created and I can see them. However, my co-worker cannot. When he tries to access the Exchange auditing log he gets "Event viewer cannot open the event log or custom view. Verify the Event log service is running or query is too long. Access is denied (5)."
We are both domain admins. However, I am an Exchange Org admin and he is not. Bing \ Google provided little help. However, the only useful hit I found did specifically mention being an Exchange Org Admin.
I find it quite surprising that someone must be an Exchange Org Admin to see these specific logs. Our compliance officer will need to see these logs but I cannot give him high-level Exchange admin rights.
Is there another way to provide access to Exchange auditing logs?
Thank you for the reply. I checked and my co-workers do have admin rights on the server. They are all domain admins and domain admins have local administrator rights.
The volume of logged audit events is directly related to the load on a server together with the number of user operations of the audited type occurring at any time. Because the Application log is also a source of diagnostic and troubleshooting data, Access Auditing does not log events to the Application log.

In Exchange 2007 Service Pack 3 (SP3), installing the Mailbox server role on a server creates a new event log. This is the Exchange Auditing event log. By default, the Exchange Auditing event log is located under \Exchange Server\Logs\AuditLogs. On a Windows Server 2008-based computer, this event log is located under Applications and Services Logs\Exchange Auditing. The default file location for this log file is %PROGRAMFILES%\Exchange Server\Logging\Auditlogs.

The default access control list (ACL) on the Exchange Auditing log allows the following permissions:
• Exchange Recipient Administrators: Read and Clear access
• Exchange Organization Administrators: Read and Clear access
• Exchange Servers: Read and Write access
• Local Service: All Access

To change the default ACL list, you have to update the CustomSD value in the registry. Update the CustomSD value to include the group or user that you want to access the Exchange Auditing Event Log. The CustomSD value is located under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Exchange Auditing
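
One way to apply the CustomSD change described above so that a compliance group gets read-only access, as an added example that is not part of the original thread or of Microsoft's documentation. The group name `CONTOSO\Compliance Auditors` and the backup file name are placeholders; run it elevated on the Mailbox server.

```powershell
# Added example: append a read-only ACE for one group to the CustomSD value.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Exchange Auditing'
$groupName = 'CONTOSO\Compliance Auditors'   # placeholder group (assumption)
$readMask  = 0x1                             # event log rights: 0x1 read, 0x2 write, 0x4 clear

# SDDL identifies trustees by SID, so resolve the group name first.
$account = New-Object System.Security.Principal.NTAccount -ArgumentList $groupName
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Read the current descriptor and parse it; a malformed value throws here,
# before anything is written back.
$current = (Get-ItemProperty -Path $keyPath -Name CustomSD -ErrorAction Stop).CustomSD
$sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $current
$dacl    = $sd.DiscretionaryAcl
if ($null -eq $dacl) { throw "CustomSD has no DACL section; review it manually." }

# Skip the write if the group already has an allow ACE that includes read.
$existing = $dacl | Where-Object {
    $_.SecurityIdentifier -eq $sid -and
    $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
    ($_.AccessMask -band $readMask)
}
if ($existing) {
    Write-Output "$groupName already has read access; CustomSD left unchanged."
    return
}

# Build the allow ACE and add it at the end of the DACL, after any deny ACEs.
$ace = New-Object System.Security.AccessControl.CommonAce -ArgumentList @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $readMask, $sid, $false, $null)
$dacl.InsertAce($dacl.Count, $ace)

# Save the original string for rollback, then write the updated SDDL.
$backup = Join-Path $env:TEMP 'ExchangeAuditing-CustomSD.bak.txt'
Set-Content -Path $backup -Value $current
$updated = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Set-ItemProperty -Path $keyPath -Name CustomSD -Value $updated

Write-Output "Previous CustomSD saved to $backup"
Write-Output "New CustomSD: $updated"
```

Granting only the read bit (0x1) keeps the compliance reviewer from clearing the log, which the default ACL reserves for the Exchange administrator groups listed above.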