EX13-CA-000045 - Exchange Email Diagnostic log level must be set to lowest level.


Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in managing the logs to prevent risk of disk capacity denial of service conditions.

Exchange diagnostic logging is broken up into 29 main 'services', each of which has anywhere from 2 to 26 'categories' of events to be monitored. Moreover, each category may be set to one of four levels of logging: Lowest, Low, Medium, and High, depending on how much detail one desires. The higher the level of detail, the more disk space required to store the audit material.

Diagnostic logging is intended to help administrators debug problems with their systems, not as a general purpose auditing tool. Because the diagnostic logs collect a great deal of information, the log files may grow large very quickly. Diagnostic log levels may be raised for limited periods of time when attempting to debug relevant pieces of Exchange functionality. Once debugging has finished, diagnostic log levels should be reduced again.


Open the Exchange Management Shell and enter the following command:

Set-EventLogLevel -Identity <'IdentityName\EventlogName'> -Level Lowest

Note: The <IdentityName\EventlogName> value must be in quotes.

See Also


Item Details


References: 800-53|AU-12a., CAT|II, CCI|CCI-000169, Rule-ID|SV-234773r617260_rule, STIG-ID|EX13-CA-000045, STIG-Legacy|SV-84353, STIG-Legacy|V-69731, Vuln-ID|V-234773

Plugin: Windows

Control ID: 59009940ce65b629d33b325b036f37b7cb23ab39ff3af99741095ac701873089