Forum Discussion

Pontus T's avatar
Pontus T
Iron Contributor
Apr 27, 2017
Solved

Help with parameter for Search-UnifiedAuditLog

Hi,   Disclaimer: I am new to PowerShell, hence why I turn here for your input.   Background: I'm creating a Power BI dashboard based on data exported from the O365 Audit Log. For the moment, I'...
Search-UnifiedAuditLog
  • Pontus T's avatar
    Pontus T
    Apr 28, 2017

    NarasimaPerumal Chandramohan thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and keep appending the export file in every loop run.

benjoyner's avatar
benjoyner
Copper Contributor
Jun 04, 2019

Pontus T   Hello, I love your script its exactly what we have been trying to accomplish; however, I have found a problem.  It seems that many records are duplicated and even though i am sorting the records in the command by creation date, they seem to be out of order.  Its almost as if the file is appended about 100 records at a time and i notice the creation dates jumbled. for example the creation dates will be:

5/20/2019 0:19
5/19/2019 21:23
5/16/2019 22:40
5/16/2019 20:34
5/16/2019 20:30
5/16/2019 20:30
5/16/2019 20:30
5/16/2019 12:28
5/16/2019 12:26
5/24/2019 21:00
5/24/2019 20:59
5/24/2019 20:59
5/24/2019 20:58
5/24/2019 20:58
5/24/2019 20:57

This wouldn't be so bad as I can sort the data in Excel, but because there are duplicate records it seems there may be some overlap during the append.

  • benjoyner's avatar
    benjoyner
    Copper Contributor
    Jun 05, 2019
    I was able to get this working. I had to add " | Sort-object CreationDate | " as a pipe reght before the export csv command. The default order is Ascending so that fixed the problem of the records out of order. As for the duplicate records, Looking in the office 365 service center it seems these records are already duplicated so its not a problem with overlap in the command. Furthermore does anybody know if its possible to download the audit logs and correct for time zone? it seems all the creation dates are listed in UTC rather than my local time zone as it is in the online interface.
  • benjoyner's avatar
    benjoyner
    Copper Contributor
    Jun 05, 2019

    Rajiv ChokshiThanks Rajiv, that script functions much as the one in this post functions, however it has some more functionality with the logging that I like.  However, there is still an issue with duplicate records and I see that the append function still seems to write the data out of order.  When I look at creation times they are broken up; the numbers below show how the appending is broken.  The creation times should all be written sequentially.  Any idea why this is not happening? does it need a separate flag or pipe to fix this?

     

    10

    9

    8

    7

    6

    5

    4

    3

    2

    1

    18

    17

    16

    15

    14

    13

    12

    11

    25

    24

    23

    22

    21

    20

    19

Resources