Forum Discussion
Help with parameter for Search-UnifiedAuditLog
- Apr 28, 2017
NarasimaPerumal Chandramohan thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and keep appending the export file in every loop run.
Have you checked the parameter "SessionCommand" in the Search-UnifiedAuditLog cmdlet? By using this you can get all the records. But you need to do the filters in the DB where you have stored the audit logs.
- Wilfred1337, May 01, 2024, Copper Contributor
Here is my approach to solve this problem. I had something similar and wanted to share it with you: there was a lot of chatter on one specific parameter rendering the 5000 limit useless (within the 24 hours, that is), so I created a 4-hour iteration ignoring the bogus parameter. Hope it helps you.
# ignore command "set-whatever" over 1000 hits every x hours
$global:day = (Get-Date)
# set start date at midnight: subtract the minutes elapsed since 00:00 today
$minutesSinceMidnight = $global:day.TimeOfDay.TotalMinutes
$startdate = $global:day.AddMinutes(- $minutesSinceMidnight)
# set end date at midnight (24 hours later)
$enddate = $startdate.AddHours(24)
# collect results of every window here
$logsearch = @()
# iterate every x hours ignoring bogus operation
$increment = 4
for ($i = 0; $i -le (24 - $increment); $i = $i + $increment) {
    $i   # progress: hour offset of the current window
    $logsearch += Search-UnifiedAuditLog -StartDate $startdate.AddHours($i) -EndDate $startdate.AddHours($increment + $i) `
        -RecordType <searchtype> -SessionCommand ReturnLargeSet -ResultSize 5000 |
        Where-Object Operations -NotMatch "set-whatever"
}
# you could add a group of operation restrictions by using the "-in" operator if you have a bunch.
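Putting the two approaches in this thread together (the SessionId/SessionCommand loop that keeps calling the cmdlet until it returns nothing and appends each batch to the export file, plus the fixed-width time windows), as an added example rather than code posted by either author. It assumes an existing Exchange Online session (Connect-ExchangeOnline); the record type, window width and output path are placeholders to adjust.

```powershell
# Added example, not from the thread. Run after Connect-ExchangeOnline.
param(
    [datetime]$Start    = (Get-Date).Date.AddDays(-1),  # yesterday 00:00 local time
    [datetime]$End      = (Get-Date).Date,              # today 00:00 local time
    [int]$WindowHours   = 4,                            # narrower windows keep each session well under its cap
    [string]$RecordType = 'ExchangeAdmin',              # placeholder: use the record type you need
    [string]$OutFile    = '.\UnifiedAuditLog.csv',      # placeholder output path
    [string]$ExcludeOperation = 'set-whatever'          # noisy operation to drop, as in the post above
)

$windowStart = $Start
while ($windowStart -lt $End) {
    $windowEnd = $windowStart.AddHours($WindowHours)
    if ($windowEnd -gt $End) { $windowEnd = $End }

    # One SessionId per window: the service pages the result set on that id,
    # so repeated calls with the same id return successive 5000-record pages.
    $sessionId = [guid]::NewGuid().ToString()
    $page = 0
    do {
        $results = Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd `
            -RecordType $RecordType -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($results) {
            $page++
            # Append every page to the same CSV; the header is written only once.
            $results |
                Where-Object Operations -NotMatch $ExcludeOperation |
                Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
                Export-Csv -Path $OutFile -Append -NoTypeInformation
            Write-Verbose ("{0:u} - {1:u}: page {2}, {3} records" -f
                $windowStart, $windowEnd, $page, @($results).Count)
        }
    } while ($results)   # stop when the service returns nothing more for this SessionId

    # ReturnLargeSet returns at most 50,000 records per session; if a window
    # filled that many pages, shrink $WindowHours rather than lose events silently.
    if ($page -ge 10) {
        Write-Warning ("Window {0:u} - {1:u} hit the 50,000-record session cap" -f $windowStart, $windowEnd)
    }
    $windowStart = $windowEnd
}
```

Run with -Verbose to see one line per page; the warning tells you which windows need a smaller WindowHours before you trust the export as complete.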