Forum Discussion
Incomplete data from Search-UnifiedAuditLog cmdlet for AzureAD record type
Hi,
From the cmdlet below I got the AuditData parameter as an incomplete JSON string.
Search-UnifiedAuditLog -Operations 'Update User.' -RecordType azureactivedirectory -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
I attached the output which I got.
Please help me with this case!!!
- Dahai Fang, Brass Contributor
7 months passed. The problem still exists.
Now, I think, maybe, this is not a bug, but a feature. :-)
- CSP77, Copper Contributor
Hi guys
2021 and this is still an issue for the AuditData field!
Not acceptable. I have had one of my techs inadvertently remove a fairly large list of SharePoint site exclusions from a retention policy. I was hoping I could use Search-UnifiedAuditLog to get the sites to add back, but no, truncated!
- Daniel René Thul, Copper Contributor
Please find attached a sample of the audit log (value of "AuditData"); I have replaced some values with a placeholder ("foobar").
{"CreationTime":"2018-11-10T20:00:14","Id":"foobar","Operation":"CrmDefaultActivity","OrganizationId":"foobar","RecordType":21,"ResultStatus":"Success","UserKey":"Unknown","UserType":2,"Version":1,"Workload":"CRM","ClientIP":"127.0.0.1","ObjectId":"Create email","UserId":"drt@alfapeople.com","CrmOrganizationUniqueName":"foobar","Fields":[{"Name":"subject","Value":"foobar"},{"Name":"description","Value":"foobar"},{"Name":"ownerid","Value":"foobar"},{"Name":"from","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"to","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"cc","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"regardingobjectid","Value":"foobar"},{"Name":"isworkflowcreated","Value":"False"},{"Name":"notifications","Value":"0"},{"Name":"followemailuserpreference","Value":"False"},{"Name":"readreceiptrequested","Value":"False"},{"Name":"foobar","Value":"False"},{"Name":"emailreminderstatus","Value":"0"},{"Name":"isemailfollowed","Value":"False"},{"Name":"emailremindertype","Value":"0"},{"Name":"isregularactivity","Value":"False"},{"Name":"deliveryreceiptrequested","Value":"False"},{"Name":"deliveryprioritycode","Value":"1"},{"Name":"isemailreminderset","Value":"False"},{"Name":"compressed","Value":"False"},{"Name":"prioritycode","Value":"1"},{"Name":"directioncode","Value":"True"},{"Name":"correlationmethod","Value":"0"},{"Name":"activityid","Value":"foobar"}],"InstanceUrl":"https:\/\/foobar.crm4.dynamics.com\/","ItemType":"Dynamics365","ItemUrl":"https:\/\/foobar.crm4.dynamics.com\/main.aspx?etn=email&pagetype=entityrecord&id=foobar","UserAgent":"","CorrelationId":"00000000-0000-0000-0000-000000000000","EntityId":"foobar","EntityName":"email","Message":"Create","PrimaryFieldValue":"","Query":"","QueryResults":"","ServiceContextId":"00000000-0000-0000-0000-000000000000","ServiceContextIdType":"","ServiceName":"Dynamics365","SystemUserId":"foobar","UserUp
- Daniel René Thul, Copper Contributor
The same problem is reproducible for workload "CRM". Hopefully Microsoft is able to address this issue soon.
Hi,
I don't run the CRM workload... could you post an example here of a truncated record so that I can make sure that this workload is fixed in the work that's ongoing?
TR
- Daniel René Thul, Copper Contributor
Please find the sample below. I have replaced some values with a placeholder ("foobar").
{"CreationTime":"2018-11-10T20:00:14","Id":"foobar","Operation":"CrmDefaultActivity","OrganizationId":"foobar","RecordType":21,"ResultStatus":"Success","UserKey":"Unknown","UserType":2,"Version":1,"Workload":"CRM","ClientIP":"127.0.0.1","ObjectId":"Create email","UserId":"drt@alfapeople.com","CrmOrganizationUniqueName":"foobar","Fields":[{"Name":"subject","Value":"foobar"},{"Name":"description","Value":"foobar"},{"Name":"ownerid","Value":"foobar"},{"Name":"from","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"to","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"cc","Value":"Microsoft.Xrm.Sdk.Entity[]"},{"Name":"regardingobjectid","Value":"foobar"},{"Name":"isworkflowcreated","Value":"False"},{"Name":"notifications","Value":"0"},{"Name":"followemailuserpreference","Value":"False"},{"Name":"readreceiptrequested","Value":"False"},{"Name":"foobar","Value":"False"},{"Name":"emailreminderstatus","Value":"0"},{"Name":"isemailfollowed","Value":"False"},{"Name":"emailremindertype","Value":"0"},{"Name":"isregularactivity","Value":"False"},{"Name":"deliveryreceiptrequested","Value":"False"},{"Name":"deliveryprioritycode","Value":"1"},{"Name":"isemailreminderset","Value":"False"},{"Name":"compressed","Value":"False"},{"Name":"prioritycode","Value":"1"},{"Name":"directioncode","Value":"True"},{"Name":"correlationmethod","Value":"0"},{"Name":"activityid","Value":"foobar"}],"InstanceUrl":"https:\/\/foobar.crm4.dynamics.com\/","ItemType":"Dynamics365","ItemUrl":"https:\/\/foobar.crm4.dynamics.com\/main.aspx?etn=email&pagetype=entityrecord&id=foobar","UserAgent":"","CorrelationId":"00000000-0000-0000-0000-000000000000","EntityId":"foobar","EntityName":"email","Message":"Create","PrimaryFieldValue":"","Query":"","QueryResults":"","ServiceContextId":"00000000-0000-0000-0000-000000000000","ServiceContextIdType":"","ServiceName":"Dynamics365","SystemUserId":"foobar","UserUp
- AndrewX, Iron Contributor
From the docs https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance
There's a 3,060-character limit for the data that's displayed in the AuditData field for an audit record. If the 3,060-character limit is exceeded, the data in this field is truncated.
- The problem is not the documented character limit. It is an ingestion problem for specific events that causes the JSON payload to be truncated as the record is written. Engineering is working on the issue.
- Ryan Jacobson, Copper Contributor
Great - at the end of the day I am hoping for a valid JSON output. If individual fields have to be thrown away/truncated, so be it.
- Ryan Jacobson, Copper Contributor
I'm curious, what character length is it truncating at? I believe I am seeing something similar, for which I posted a question on GitHub. To me it looked like the JSON string was getting truncated at 3062 characters. If I get an answer there I will try and reply here as well! Link to the issue I created on GitHub: https://github.com/MicrosoftDocs/office-docs-powershell/issues/1733
- Mozzz, Copper Contributor
Hi Ryan
I am executing the Search-UnifiedAuditLog PowerShell command and getting the error below.
Which module do I need to install in PowerShell for the ‘Search-UnifiedAuditLog’ command?
Search-UnifiedAuditLog : The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try again.
At line:11 char:1
+ Search-UnifiedAuditLog -StartDate 19/02/2019 -EndDate 20/02/2019 -Rec …
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Search-UnifiedAuditLog:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Thanks
Moz
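Search-UnifiedAuditLog is an Exchange Online cmdlet, so it only exists inside an Exchange Online PowerShell session; the CommandNotFoundException above is what a plain local session returns. The following is an added example, not code from the thread, using the ExchangeOnlineManagement module (the supported way to reach Exchange Online PowerShell today; it postdates this thread). Connect-AuditLogSession and Get-AzureAdUserUpdates are names chosen here, and the UPN in the usage lines is a placeholder. It also replaces the day/month date literals from the error above with culture-independent [datetime] values, since `19/02/2019` fails to parse on en-US systems.

```powershell
# Added example (not from the thread): get Search-UnifiedAuditLog into the session and run the
# thread's query with unambiguous dates.

function Connect-AuditLogSession {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Install once per user if the module is missing, then load it and sign in.
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
    }
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false

    # The cmdlet is only imported when the signed-in account holds an Exchange Online role
    # that grants it (for example the View-Only Audit Logs role), so verify after connecting.
    if (-not (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue)) {
        throw 'Connected, but Search-UnifiedAuditLog is not available: the account lacks an audit log role.'
    }
}

function Get-AzureAdUserUpdates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,   # pass [datetime] objects, not locale-dependent strings
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$ResultSize = 5000
    )
    Search-UnifiedAuditLog -RecordType AzureActiveDirectory -Operations 'Update User.' `
        -StartDate $StartDate -EndDate $EndDate -ResultSize $ResultSize
}

# Usage (interactive sign-in; placeholder UPN):
# Connect-AuditLogSession -UserPrincipalName 'admin@contoso.example'
# Get-AzureAdUserUpdates -StartDate ([datetime]::new(2019, 2, 19)) -EndDate ([datetime]::new(2019, 2, 20))
# Disconnect-ExchangeOnline -Confirm:$false
```

If Get-Command still cannot see the cmdlet after a successful connection, the problem is role assignment rather than module installation, which is worth checking before spending time on the truncation issue itself.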
TonyRedmond was chasing this up with some MS folks, perhaps he can share some info.
I'm still discussing the issue. Microsoft has accepted that a problem exists and they need to fix it. Stay tuned.
Confirmed, I see the same. What's even worse, if you use the UI, you get a "Failure: Record truncated" error. I'm not sure how this made it to production, but it should be addressed ASAP. Open a support case.
As a workaround, you might be able to get the full event details from the Azure AD blade in the Azure portal.