How to Configure Diagnostic Logging in SharePoint 2013

We can configure the diagnostic logging settings in SharePoint 2013 after deployment, after an upgrade, and whenever a change is made to the environment, such as adding or removing a server. The guidelines in the following list can help us form best practices for the specific environment.

  • Change the drive to which the server writes logs.

By default, SharePoint 2013 writes diagnostic logs to the same drive and partition on which it was installed. Because diagnostic logging can use a large amount of drive space and compromise drive performance, we should configure SharePoint 2013 to write to another drive on which SharePoint 2013 is not installed. We should also consider the connection speed to the drive on which SharePoint 2013 writes the logs. If verbose-level logging is configured, the server records a large amount of data. Therefore, a slow connection might result in poor log performance.

  • Restrict log disk space usage.

By default, the amount of disk space that diagnostic logging can use is unlimited. Therefore, restrict the disk space that logging uses, especially if we configure logging to write verbose-level events. When the logs reach the configured limit, SharePoint 2013 removes the oldest logs before it records new logging data.

  • Use the Verbose setting sparingly.

We can configure diagnostic logging to record verbose-level events. This means that SharePoint 2013 records every action that it takes. Verbose-level logging can quickly use drive space and affect drive and server performance. We can use verbose-level logging to record more detail when we are making critical changes and then reconfigure logging to record only higher-level events after we have made the change.

  • Regularly back up logs.

Diagnostic logs contain important data. Therefore, back up the logs regularly to ensure that this data is preserved. When we restrict log drive space usage, or if we keep logs for only a few days, SharePoint 2013 automatically deletes log files, starting with the oldest files first, when the threshold is met.

  • Enable event log flooding protection.

When we enable this setting, SharePoint 2013 detects repeating events in the Windows event log and suppresses them until conditions return to a typical state.

We can set the level of diagnostic logging for the event log and for the trace log. This limits the types and amount of information that are written to each log. The following tables define the levels of logging that are available for the event log and trace log.

To configure diagnostic logging by using Central Administration

  1. Verify that you have the following administrative credentials:
    o The user account that is performing this procedure must be a member of the Farm Administrators SharePoint group.
  2. In Central Administration, on the Home page, click Monitoring.
  3. On the Monitoring page, in the Reporting section, click Configure diagnostic logging.
  4. On the Diagnostic Logging page, in the Event Throttling section, configure event throttling as follows:

    To configure event throttling for all categories:

    • Select the All Categories check box.
    • Select the event log level from the "Least critical event to report to the event log" list.

    To configure event throttling for one or more categories:

    • Select the check boxes of the categories that you want.
    • Select the event log level from the "Least critical event to report to the event log" list.
    • Select the trace log level from the "Least critical event to report to the trace log" list.

    To configure event throttling for one or more subcategories (you can expand one or more categories and select any subcategory):

    • Click the plus (+) next to the category to expand the category.
    • Select the check box of the subcategory.
    • Select the event log level from the "Least critical event to report to the event log" list.
    • Select the trace log level from the "Least critical event to report to the trace log" list.

    To return event throttling for all categories to default settings:

    • Select the All Categories check box.
    • Select Reset to default from the "Least critical event to report to the event log" list.
    • Select Reset to default from the "Least critical event to report to the trace log" list.

  5. In the Event Log Flood Protection section, select the Enable Event Log Flood Protection check box.
  6. In the Trace Log section, in the Path box, type the path of the folder to which you want logs to be written.
  7. In the Number of days to store log files box, type the number of days (1-366) that you want logs to be kept. After this time, logs will automatically be deleted.
  8. To restrict the amount of disk space that logs can use, select the Restrict Trace Log disk space usage check box and then type the number of gigabytes (GB) you want to restrict log files to. When logs reach this value, older logs will automatically be deleted.
  9. After you have made the changes that you want on the Diagnostic Logging page, click OK.

To configure diagnostic logging by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: see Add-SPShellAdmin.
  2. On the Start menu, click All Programs.
  3. Click Microsoft SharePoint 15 Products.
  4. Click SharePoint 15 Management Shell.
  5. At the Windows PowerShell command prompt (that is, PS C:\>), type the following command and then press Enter:

Set-SPLogLevel -TraceSeverity {None | Unexpected | Monitorable | Medium | High | Verbose | VerboseEx} -EventSeverity {None | Information | Warning | Error | Critical | Verbose} [-Identity <Category name…>] -Verbose

The Identity parameter specifies one or more categories to change; for example, Administration. If you do not specify a value for the Identity parameter, all categories are changed.

To view the current settings, type Get-SPLogLevel and then press Enter.
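
The guidelines and the Central Administration steps above can also be applied from the SharePoint 15 Management Shell. The script below is an added example, not part of the original article: it sets the farm-wide trace log options with Set-SPDiagnosticConfig, then raises one category to Verbose only for the duration of a change and resets it afterwards with Clear-SPLogLevel. The path E:\SPLogs, the retention and size values, and the helper name Invoke-WithVerboseLogging are assumptions chosen for illustration.

```powershell
# Added example. Run in the SharePoint 15 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values for illustration; adjust them for your farm.
$logPath    = 'E:\SPLogs'       # drive on which SharePoint is not installed;
                                # the folder must exist on every server in the farm
$daysToKeep = 14                # retention in days (1-366)
$maxLogGB   = 50                # cap on trace log disk usage, in GB
$category   = 'Administration'  # the category this page uses as its example

if (-not (Test-Path -Path $logPath -PathType Container)) {
    throw "Trace log folder '$logPath' does not exist on this server."
}

# Farm-wide settings: log location, retention, disk cap, event log flood protection.
Set-SPDiagnosticConfig -LogLocation $logPath `
    -DaysToKeepLogs $daysToKeep `
    -LogMaxDiskSpaceUsageEnabled:$true `
    -LogDiskSpaceUsageGB $maxLogGB `
    -EventLogFloodProtectionEnabled:$true

# Show the resulting configuration so it can be reviewed or recorded.
Get-SPDiagnosticConfig

# Hypothetical helper: verbose logging for one category, only while $Change runs.
function Invoke-WithVerboseLogging {
    param(
        [Parameter(Mandatory)] [string]      $Category,
        [Parameter(Mandatory)] [scriptblock] $Change
    )
    Set-SPLogLevel -Identity $Category -TraceSeverity Verbose -EventSeverity Verbose
    try {
        New-SPLogFile | Out-Null   # start a new trace log file for the change window
        & $Change
    }
    finally {
        # Runs even if the change fails, so Verbose is never left switched on.
        Clear-SPLogLevel -Identity $Category
        Get-SPLogLevel -Identity $Category
    }
}

# Placeholder change; replace the script block with the actual maintenance step.
Invoke-WithVerboseLogging -Category $category -Change {
    Write-Host 'Apply the critical change here.'
}
```

Copy or back up the trace log written during the change window before the retention or disk-space limit removes it.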
