Forum Discussion
Help with parameter for Search-UnifiedAuditLog
- Apr 28, 2017
NarasimaPerumal Chandramohan thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and kept appending to the export file in every loop run.
Have you checked the parameter "SessionCommand" in the Search-UnifiedAuditLog cmdlet? By using this you can get all the records. But you need to do the filters in the DB where you have stored the audit logs.
NarasimaPerumal Chandramohan I have been fiddling around with that a bit but did not manage to get it to work. To me the instructions on how to use it are a bit vague. I don't know what they mean by Paging, and a full tenant backup is likely to require more than 50k objects to be returned.
However, it seems like I can use multiple session IDs and that each one will return 50k if I use the ReturnLastSet parameter. I think it's worth trying out again. I need to make sure that the rest of the script can handle the way objects are returned through paging, as it needs to convert from JSON to allow proper export.
Here is a bit of the script I use today:
$AuditOutputPM = Search-UnifiedAuditLog -StartDate "$StartDate 12:00 PM" -EndDate "$EndDate 23:59 PM" -ResultSize 5000
$AuditOutputAM = Search-UnifiedAuditLog -StartDate "$StartDate 00:01 AM" -EndDate "$EndDate 11:59 AM" -ResultSize 5000
$ConvertedOutputPM = $AuditOutputPM | Select-Object -ExpandProperty AuditData | ConvertFrom-Json
$ConvertedOutputAM = $AuditOutputAM | Select-Object -ExpandProperty AuditData | ConvertFrom-Json
$ConvertedOutputPM | Select-Object CreationTime,UserId,Operation,Workload,ObjectID,SiteUrl,SourceFileName,ClientIP,UserAgent | Export-Csv $OutputFile -NoTypeInformation -Append
$ConvertedOutputAM | Select-Object CreationTime,UserId,Operation,Workload,ObjectID,SiteUrl,SourceFileName,ClientIP,UserAgent | Export-Csv $OutputFile -NoTypeInformation -Append
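
The paging loop described in the solution at the top of this thread, written out as an added example that is not part of any participant's post. It assumes an Exchange Online PowerShell session is already connected; the dates, output path, window size and session name prefix are illustrative, and it uses ReturnLargeSet, the documented SessionCommand value for paging up to 50,000 records per session.

```powershell
# Added example. $StartDate, $EndDate, $OutputFile and $WindowHrs are illustrative values.
$StartDate  = (Get-Date).Date.AddDays(-1)
$EndDate    = (Get-Date).Date
$OutputFile = '.\AuditExport.csv'
$WindowHrs  = 12
$Columns    = 'CreationTime','UserId','Operation','Workload','ObjectID',
              'SiteUrl','SourceFileName','ClientIP','UserAgent'

for ($from = $StartDate; $from -lt $EndDate; $from = $from.AddHours($WindowHrs)) {
    $to = $from.AddHours($WindowHrs)
    if ($to -gt $EndDate) { $to = $EndDate }

    # One session per time window, because a session pages through at most 50,000 records.
    $search = @{
        StartDate      = $from
        EndDate        = $to
        SessionId      = "AuditExport-$([guid]::NewGuid())"
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    $received = 0

    while ($true) {
        # Repeating the call with the same SessionId returns the next page.
        $page = Search-UnifiedAuditLog @search
        if (-not $page) { break }    # null means the session has no more records

        $received += @($page).Count

        # AuditData is a JSON string; expand it before selecting columns.
        $page | Select-Object -ExpandProperty AuditData | ConvertFrom-Json |
            Select-Object $Columns |
            Export-Csv $OutputFile -NoTypeInformation -Append
    }

    # Hitting the session cap means this window may be truncated, which leaves
    # a gap in the exported audit trail; rerun it with a smaller window.
    if ($received -ge 50000) {
        Write-Warning "Window $from to $to reached the 50,000-record session cap; narrow the window and rerun."
    } else {
        Write-Verbose "Window $from to $to exported $received records."
    }
}
```

Records from ReturnLargeSet come back unsorted, so sort the exported CSV by CreationTime before using it as a timeline.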