Ketzpatel
Brass Contributor
Aug 16, 2024

Issues with Search-UnifiedAuditLog

I have been trying to export user mailbox audit logs using the Search-UnifiedAuditLog PS script, but it does not export or find any logs related to Delete, MoveToDeletedItems, SoftDelete or HardDelete operations. I tried the below and all other options, and either it errors out or does not pull anything. I am trying with all the below operations and only UPDATE & CREATE work.

 Search-UnifiedAuditLog -StartDate "08/01/2024" -EndDate "08/15/2024" -UserIds "email address removed for privacy reasons" -RecordType "ExchangeItem" -Operations "SoftDelete", "HardDelete", "MoveToDeletedItems" -ResultSize 5000 -SessionCommand ReturnLargeSet -HighCompleteness

OR

Search-UnifiedAuditLog -StartDate "08/01/2024" -EndDate "08/15/2024" -UserIds "email address removed for privacy reasons" -RecordType "ExchangeItem" -Operations "SoftDelete", "HardDelete", "MoveToDeletedItems" -ResultSize 5000 -SessionCommand ReturnLargeSet 

I also tried the above PS using each individual operation but nothing works.

Does anybody have any clue or fix for this? Appreciate your help.

  • Try removing the -RecordType "ExchangeItem" parameter. Exchange "groups" similar records together in order to minimize the number of entries generated, so they might end up with ExchangeItemGroup record type instead.

    Also, try using "neutral" datetime format, such as -StartDate "01 Aug 2024" -EndDate "15 Aug 2024"
      Ketzpatel
      Brass Contributor
      Thanks VasilMichev

      Tried the below but I am not getting the desired result. I know I deleted several emails and calendar items, but when running the below I get only 1 log entry in the CSV.

      Search-UnifiedAuditLog -StartDate "8/1/2024" -EndDate "8/15/2024" -UserIds email address removed for privacy reasons -SessionId "UnifiedAuditLogSearch 05/08/17" -SessionCommand ReturnLargeSet -ResultSize 5000 -RecordType exchangeitemgroup
        Ketzpatel
        Brass Contributor
        And if I run the below PS without record type or operations, it works but only pulls user login & MailItemsAccessed operations. It does not pull any logs related to SoftDelete, HardDelete or any other Exchange operations.

        Search-UnifiedAuditLog -StartDate "8/1/2024" -EndDate "8/15/2024" -UserIds email address removed for privacy reasons -SessionId "UnifiedAuditLogSearch 05/08/17" -SessionCommand ReturnLargeSet -ResultSize 5000 | export-csv
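
Added example, not part of the thread or any poster's script: one way to apply the reply's two suggestions (no -RecordType filter, culture-neutral dates), page the session to the end, and see which record types the delete operations actually landed in. It assumes an existing Connect-ExchangeOnline session; the mailbox address, session ID naming, output path and the AuditData field names used (AffectedItems, Item, Subject, ParentFolder.Path) are assumptions to check against a raw record.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$Mailbox = 'user@example.com'          # placeholder address
$Start   = [datetime]'2024-08-01'      # ISO date cast, not dependent on locale
$End     = [datetime]'2024-08-15'      # midnight at the start of 15 Aug
$Ops     = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

# Use a new SessionId for each search: calls that reuse an ID continue that
# session's paging instead of starting over.
$SessionId = "MailboxDeletes-$(Get-Date -Format 'yyyyMMddHHmmss')"

# No -RecordType filter, so ExchangeItem and ExchangeItemGroup are both returned.
# Repeat the identical call until a batch comes back empty.
$records = [System.Collections.Generic.List[object]]::new()
do {
    $batch = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -UserIds $Mailbox -Operations $Ops -SessionId $SessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records.AddRange($batch)
} while ($batch.Count -gt 0)

# Which record type did each operation end up under?
$records | Group-Object RecordType, Operations | Select-Object Count, Name

# Flatten AuditData: grouped records carry several items per log entry.
# Field names below are assumed; inspect $records[0].AuditData to confirm.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $items = if ($d.AffectedItems) { $d.AffectedItems } else { $d.Item }
    foreach ($i in @($items)) {        # @($null) still yields one row per record
        [pscustomobject]@{
            CreationDate = $r.CreationDate
            RecordType   = $r.RecordType
            Operation    = $r.Operations
            User         = $r.UserIds
            Subject      = $i.Subject
            Folder       = $i.ParentFolder.Path
        }
    }
}
$rows | Export-Csv -Path .\mailbox-deletes.csv -NoTypeInformation
```

If the grouping step shows the delete operations only under ExchangeItemGroup, a single log entry can represent many deleted items, which is why the row count in the CSV and the entry count from the cmdlet can differ.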
