EX16-MB-000050 - The Exchange Email Diagnostic log level must be set to the lowest level.

Information

Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in managing the logs to prevent risk of disk capacity denial-of-service conditions.

Exchange diagnostic logging is divided into 29 main 'services', each of which has anywhere from 2 to 26 'categories' of events to be monitored. Each category may be set to one of four levels of logging: Lowest, Low, Medium, and High, depending on how much detail is required. Higher levels of detail require more disk space to store the audit material.

Diagnostic logging is intended to help administrators debug problems with their systems, not as a general-purpose auditing tool. Because the diagnostic logs collect a great deal of information, the log files may grow large very quickly. Diagnostic log levels may be raised for limited periods of time when attempting to debug relevant pieces of Exchange functionality. Once debugging has finished, diagnostic log levels should be reduced again.

Solution

Open the Exchange Management Shell and enter the following command:

Set-EventLogLevel -Identity <'IdentityName\EventlogName'> -Level Lowest

Note: The <IdentityName\EventlogName> value must be in single quotes.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2016_Y21M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12a., CAT|II, CCI|CCI-000169, Rule-ID|SV-228358r612748_rule, STIG-ID|EX16-MB-000050, STIG-Legacy|SV-95341, STIG-Legacy|V-80631, Vuln-ID|V-228358

Plugin: Windows

Control ID: c2dc346e29978678b115a3c5edb723da3699e4bb6663105af92a88555bdaf22f