#Exchange Online 中的Admin Audit Log,需要一个小时的延迟时间,以下脚本可以直接拿到Exchange Online中管理员的操作日志
#The Admin Audit Log in Exchange Online has a one-hour delay. The following script retrieves the administrators' operation log directly from Exchange Online.
#Version 1.6
#Added function 3
#Written by [email protected]
#Modified by [email protected] on 9/8/2019 14:42 PM
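# Interactive exporter for the Exchange Online admin audit log.
# Shows a three-item menu, reads the choice, then runs Search-AdminAuditLog
# and writes the matching entries to CSV.
#
# Handling notes for whoever runs this:
#   * The exported CSVs record administrator activity. Write them to a
#     location with restricted access.
#   * Audit fields can hold values chosen by whoever ran the logged cmdlet.
#     Treat the CSV as untrusted text if it is opened in a spreadsheet
#     application that evaluates formulas.

# Prompts for a date and returns it as an MM/dd/yyyy string.
# Throws if the input cannot be parsed, so a typo never reaches the search.
function Read-AuditDate {
    param([string]$Prompt)
    $parsed = Get-Date (Read-Host -Prompt $Prompt) -ErrorAction Stop
    return $parsed.ToString("MM/dd/yyyy")
}

# Warns when a result set is as large as the cmdlet's documented default
# result size (1000), because the export is then probably incomplete.
function Write-TruncationWarning {
    param([object[]]$Rows)
    if (@($Rows).Count -ge 1000) {
        Write-Warning "Search-AdminAuditLog returned 1000 or more entries; the result may be truncated. Narrow the date range or pass -ResultSize."
    }
}

# Writes rows to a CSV file and reports success only if the export worked.
# An empty result set is reported and no file is written.
function Export-AuditRows {
    param([object[]]$Rows, [string]$Path)
    if (@($Rows).Count -eq 0) {
        Write-Warning ("No audit entries matched; nothing written to " + $Path)
        return
    }
    try {
        $Rows | Export-Csv -Path $Path -NoTypeInformation -ErrorAction Stop
        Write-Host ("File has been created under " + $Path) -ForegroundColor Green
    }
    catch {
        Write-Error ("Export to " + $Path + " failed: " + $_.Exception.Message)
    }
}

# Menu text. A space now separates the string from the colour parameter so the
# parameter is unambiguously its own token.
Write-Host "
Admin Audit Log
----------------------------
1.Export the entire Admin Audit Log
2.Search for specific CMDLET in the Admin Audit Log
3.Export the Admin Audit Log to seperate files
" -ForegroundColor Cyan
#----------------
# Script
#----------------
Write-Host " "
$number = Read-Host "Choose the task"
# Not used by any branch below; left in place unchanged.
$output = @()
switch ($number)
{
    1 {
        # Export without a date filter. The cmdlet's default result size still
        # applies, so "entire" may be an overstatement on a busy tenant.
        $CSV = Read-Host "Enter the export file location (E.g c:\temp\AdminAuditLog.csv)"
        $results = @(Search-AdminAuditLog)
        Write-TruncationWarning -Rows $results
        Export-AuditRows -Rows $results -Path $CSV
        break
    }
    2 {
        # Export entries in a date range whose cmdlet name contains the term.
        try {
            $StartDate = Read-AuditDate -Prompt 'Enter the start date, Eg. 08/31/2019'
            $endDate = Read-AuditDate -Prompt 'Enter the end date, Eg. 09/30/2019'
        }
        catch {
            Write-Warning ("Could not read the date: " + $_.Exception.Message)
            break
        }
        # NOTE(review): the end date is passed as a date without a time; confirm
        # whether entries logged on the end date itself are included.
        $word = Read-Host "Enter the CMDLET you are looking for(E.g 'set-mailbox', or 'mailbox')"
        $CSV = Read-Host "Enter the export file location (E.g c:\temp\AdminAuditLog.csv)"
        $entries = @(Search-AdminAuditLog -StartDate $StartDate -EndDate $endDate)
        # Check the unfiltered count: truncation happens before the name filter.
        Write-TruncationWarning -Rows $entries
        $results = @($entries | Where-Object { $_.CmdletName -like "*$word*" })
        Export-AuditRows -Rows $results -Path $CSV
        break
    }
    3 {
        # Export a date range split into one CSV per cmdlet category.
        try {
            $StartDate = Read-AuditDate -Prompt 'Enter the start date, Eg. 08/31/2019'
            $endDate = Read-AuditDate -Prompt 'Enter the end date, Eg. 09/30/2019'
        }
        catch {
            Write-Warning ("Could not read the date: " + $_.Exception.Message)
            break
        }
        $CSV = Read-Host "Enter the export file location (E.g c:\temp)"
        # Fail before querying if the target folder is missing.
        if (-not (Test-Path -LiteralPath $CSV -PathType Container)) {
            Write-Warning ("Folder not found: " + $CSV)
            break
        }

        # Query once and filter locally. The original queried five times, so the
        # category files could be built from different snapshots of the log.
        $entries = @(Search-AdminAuditLog -StartDate $StartDate -EndDate $endDate)
        Write-TruncationWarning -Rows $entries

        # Plain assignment instead of +=, so a second run in the same session
        # does not append to the previous run's results.
        $Mailflow = @($entries | Where-Object { ($_.CmdletName -like "*transport*") -or ($_.CmdletName -like "*connector*") })
        $Mailbox = @($entries | Where-Object { ($_.CmdletName -like "*mailbox*") -or ($_.CmdletName -like "*inbox*") })
        $User = @($entries | Where-Object { ($_.CmdletName -like "*user*") -or ($_.CmdletName -like "*group*") })
        $Organization = @($entries | Where-Object { ($_.CmdletName -like "*organization*") -or ($_.CmdletName -like "*domain*") })
        # Everything not claimed above. "*domain*" is excluded here as well, so
        # domain cmdlets no longer land in both Organization.csv and Others.csv.
        $Others = @($entries | Where-Object {
                ($_.CmdletName -notlike "*transport*") -and
                ($_.CmdletName -notlike "*connector*") -and
                ($_.CmdletName -notlike "*mailbox*") -and
                ($_.CmdletName -notlike "*inbox*") -and
                ($_.CmdletName -notlike "*user*") -and
                ($_.CmdletName -notlike "*group*") -and
                ($_.CmdletName -notlike "*organization*") -and
                ($_.CmdletName -notlike "*domain*")
            })

        Export-AuditRows -Rows $Mailflow -Path (Join-Path $CSV "mailflow.csv")
        Export-AuditRows -Rows $Mailbox -Path (Join-Path $CSV "Mailbox.csv")
        Export-AuditRows -Rows $User -Path (Join-Path $CSV "User.csv")
        Export-AuditRows -Rows $Organization -Path (Join-Path $CSV "Organization.csv")
        Export-AuditRows -Rows $Others -Path (Join-Path $CSV "Others.csv")
        break
    }
    default {
        # Previously an unrecognised choice ended the script silently.
        Write-Warning ("Unknown task '" + $number + "'. Enter 1, 2 or 3.")
    }
}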