Forum Discussion
Incomplete data from Search-UnifiedAuditLog cmdlet for AzureAD record type
Hi, From the below cmdlet I got AuditData parameter as an incomplete JSON string. Search-UnifiedAuditLog -Operations 'Update User.' -RecordType azureactivedirectory -StartDate (Get-Date).AddDays...
from the docs https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance
There's a 3,060-character limit for the data that's displayed in the AuditData field for an audit record. If the 3,060-character limit is exceeded, the data in this field is truncated.
- The problem is not the documented character limit. It is an ingestion problem for specific events that causes the JSON payload to be truncated as the record is written. Engineering is working on the issue.
Great - at the end of the day I am hoping for a valid JSON output. If individual fields have to be thrown away/truncated, so be it.
As I said, the truncation issue is being worked and we should have a solution soon. I am actively tracking the issue with engineering. See https://office365foritpros.com/2018/10/22/longer-retention-office365-auditdata/
