none
C# Sharepoint Online, CSOM, download audit log RRS feed

  • Question

  • Is this possible to do using the latest CSOM? It looks like you can configure it, turn it on/off but is it possible to actually retrieve the log?
    • Moved by CoolDadTx Thursday, November 15, 2018 7:40 PM Sharepoint related
    Thursday, November 15, 2018 2:10 PM

All replies

  • https://social.msdn.microsoft.com/Forums/office/en-US/9c707a46-3aa2-4475-b7d5-a8c49e2bf8f7/how-to-download-sharepoint-online-audit-logs-using-api-or-csom-office-365

    Justin Liu Office Servers and Services MVP, MCSE
    Senior Software Engineer
    Please Vote and Mark as Answer if it helps you.

    Friday, November 16, 2018 2:45 AM
  • Hi Bigbacon,

    You could use this PowerShell get the Aduit log:

    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    #################################### Configuration Section ###################################################
    $logFile = "C:\Users\username\Desktop\MyLog.txt"
    $outputFile = "C:\Users\username\Desktop\AuditRecords.csv"
    [DateTime]$start = "1/22/18 03:59"
    [DateTime]$end = "1/23/18 03:59"
    $record = "SharePointFileOperation"
    $resultSize = 1000
    $intervalMinutes = 15
    $retryCount = 3
    #################################### End Configuration Section ###################################################
    [DateTime]$currentStart = $start
    [DateTime]$currentEnd = $start
    $currentTries = 0
     
    Function Write-LogFile ([String]$Message)
    {
    $final = [DateTime]::Now.ToString() + ":" + $Message
    $final | Out-File $logFile -Append
    }
     
    while ($true)
    {
    $currentEnd = $currentStart.AddMinutes($intervalMinutes)
    if ($currentEnd -gt $end)
    {
    break
    }
    $currentTries = 0
    $sessionID = [DateTime]::Now.ToString().Replace('/', '_')
    Write-LogFile "INFO: Retrieving audit logs between $($currentStart) and $($currentEnd)"
    $currentCount = 0
    while ($true)
    {
    [Array]$results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $record -SessionId $sessionID -SessionCommand ReturnNextPreviewPage -ResultSize $resultSize
    if ($results -eq $null -or $results.Count -eq 0)
    {
    #Retry if needed. This may be due to a temporary network glitch
    if ($currentTries -lt $retryCount)
    {
    $currentTries = $currentTries + 1
    continue
    }
    else
    {
    Write-LogFile "WARNING: Empty data set returned between $($currentStart) and $($currentEnd). Retry count reached. Moving forward!"
    break
    }
    }
    $currentTotal = $results[0].ResultCount
    if ($currentTotal -gt 5000)
    {
    Write-LogFile "WARNING: $($currentTotal) total records match the search criteria. Some records may get missed. Consider reducing the time interval!"
    }
    $currentCount = $currentCount + $results.Count
    Write-LogFile "INFO: Retrieved $($currentCount) records out of the total $($currentTotal)"
    $results | epcsv $outputFile -NoTypeInformation -Append
    if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
    {
    $message = "INFO: Successfully retrieved $($currentTotal) records for the current time range. Moving on!"
    Write-LogFile $message
    break
    }
    }
    $currentStart = $currentEnd
    }
    Remove-PSSession $Session

    Reference:

    Retrieving Office 365 Audit Data using PowerShell

    Thanks

    Best Regards


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Friday, November 16, 2018 9:16 AM