SharePoint Online: How to View Audit Log Reports in Security & Compliance Center?
SharePoint audit log features have moved to the unified audit logging in the Office 365 Security & Compliance Center! We can't trim or restrict audit log events in SharePoint Online anymore! If you go to the "Audit Log Settings" page in site settings, you'll get:
So, to view audit logs, you should use the Office 365 Security & Compliance Center site!
Enable Audit Settings in Office 365
You must turn ON the audit log feature in the Compliance center before you can access the audit logs.
- Log in to the Microsoft Office 365 admin center: https://admin.microsoft.com
- Click on the "Show All" link and then "Compliance" under Admin centers in the left navigation.
- In the Compliance center, click on the "Audit" link in the left navigation >> click on the "Start recording user and admin activity" button and give it a minute to complete. If you don't see this link or button, auditing is already turned ON.
```powershell
#Establish Exchange session
#Note: where Basic authentication is disabled, connect with Connect-ExchangeOnline
#(ExchangeOnlineManagement module) instead of New-PSSession
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

#Enable Audit Log
If( (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)
{
    Write-host "Auditing is already Enabled!" -f Yellow
}
Else
{
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
    Write-host "Enabled the Auditing Successfully!" -f Green
}

#Remove the session
Remove-PSSession $Session
```
How to View SharePoint Online Audit Logs?
Once auditing is enabled, it takes some time (30 min to 24 hours!) to collect data and prepare reports.
- Log in to the Security and Compliance Center: https://compliance.microsoft.com/auditlogsearch or https://protection.office.com
- Click on "Search" >> "Audit Log Search" from the left navigation.
- In the search panel, you can apply search criteria such as:
  - Activities: There are plenty of activities you can choose from.
  - Start date and End date: Specify the time range of the activity.
  - Users: Define if you need the report for specific users.
  - File, Folder or Site: Add all or part of the file name, folder name or URL.
- Pick relevant activities and other parameters in the search panel. Once set, click on the "Search" button at the bottom to start searching audit logs from SharePoint Online.
Search and Export Office 365 Audit Log using PowerShell:
With PowerShell, you can query the audit log and produce reports. E.g., you may want to generate a report on a scheduled basis for a specific event such as "External User Invited", "Deleted Items", etc. Here is an example to search and export the unified audit log.
```powershell
#Get Credentials to connect
$Credential = Get-Credential

#Establish an Exchange Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

#Set Dates and the report path
$StartDate = (Get-Date).AddDays(-7)
$EndDate = (Get-Date)
$CSVPath = "C:\Temp\AuditLog.csv"

#Search Unified Log
$AuditLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000
$AuditLogResults = $AuditLog.AuditData | ConvertFrom-Json | select CreationTime, UserID, Operation, ClientIP, ObjectID

#Show the results and export them to CSV
$AuditLogResults
$AuditLogResults | Export-csv -Path $CSVPath -NoTypeInformation

Remove-PSSession $Session
```

This gets audit logs from all applications in Office 365. Refer to this documentation for all available parameters: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
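A single Search-UnifiedAuditLog call returns at most 5,000 records, so the seven-day search can be silently truncated on a busy tenant. The following added example (not code from the original post) pages through a time window with -SessionId and -SessionCommand ReturnLargeSet; it assumes an Exchange Online session is already connected, and the function name Get-AuditLogPaged is hypothetical.

```powershell
# Added example: page through the unified audit log instead of relying on one 5,000-row call.
# Assumes an Exchange Online session is already connected; Get-AuditLogPaged is a hypothetical name.
function Get-AuditLogPaged {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string]   $RecordType,
        [string[]] $Operations
    )
    # One SessionId ties the repeated calls together so that each call returns the next page.
    $Params = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    If ($RecordType) { $Params.RecordType = $RecordType }
    If ($Operations) { $Params.Operations = $Operations }

    $Seen = @{}
    Do {
        $Page = @(Search-UnifiedAuditLog @Params)
        ForEach ($Record in $Page) {
            # ReturnLargeSet pages are unsorted; de-duplicate on the record Identity.
            If (-not $Seen.ContainsKey($Record.Identity)) {
                $Seen[$Record.Identity] = $true
                $Record
            }
        }
    } While ($Page.Count -gt 0)

    # A session returns at most 50,000 records; at the cap, split the window and search again.
    If ($Seen.Count -ge 50000) {
        Write-Warning "Session limit reached for $StartDate - $EndDate; use a shorter time window."
    }
}

# Usage: file operations from the past 24 hours, sorted after retrieval.
Get-AuditLogPaged -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -RecordType SharePointFileOperation |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP |
    Sort-Object CreationTime |
    Export-Csv -Path "C:\Temp\AuditLog.csv" -NoTypeInformation
```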
Get SharePoint Online Audit Logs using PowerShell:
Let's filter SharePoint Online audit logs on files and generate a report with PowerShell.
```powershell
#Get Credentials to connect
$Credential = Get-Credential

#Establish an Exchange Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

#Set Date Filters - past 24 hours!
$StartDate = (Get-Date).AddDays(-1)
$EndDate = Get-Date

#Search Unified Log (returns 100 records by default; add -ResultSize, max 5000, for more)
$SharePointLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType SharePointFileOperation
$AuditLogResults = $SharePointLog.AuditData | ConvertFrom-Json | Select CreationTime,UserId,Operation, ObjectID,SiteUrl,SourceFileName,ClientIP

#Export Audit log results to CSV
$AuditLogResults
$AuditLogResults | Export-csv -Path "C:\Temp\AuditLog.csv" -NoTypeInformation

Remove-PSSession $Session
```

To filter all events of a particular user, use:
```powershell
$AuditLogs = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds "[email protected]"
$AuditLogResults = $AuditLogs.AuditData | ConvertFrom-Json | Select CreationTime,UserId,Operation,Workload, ObjectID
$AuditLogResults
```

Similarly, we can filter specific events as:
```powershell
#Filter Audit log to Find specific operations
$SiteURLs = @("https://crescentintranet.sharepoint.com/*")
$CSVFile = "C:\Temp\AuditLog.csv"
$Operations = @('PageViewed', 'PageViewedExtended','FileAccessed', 'FileAccessedExtended','FileDeleted')

#Search only the listed operations under the given site URLs
$FileAccessLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $Operations -ResultSize 5000 -ObjectIds $SiteURLs
$FileAccessLog.AuditData | ConvertFrom-Json | Select CreationTime,UserId,Operation, ObjectID,SiteUrl,SourceFileName,ClientIP | Export-csv $CSVFile -NoTypeInformation -Force
```
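Once file operations are exported, the usual next step is to look for patterns rather than single rows. The following added example (not part of the original post) flags accounts that delete many files within a short window; the function name Find-BulkFileDeletion, the threshold, the window and the sample records are all constructed assumptions.

```powershell
# Added example: flag accounts that delete many files within a short window.
# Find-BulkFileDeletion is a hypothetical name; threshold and window are assumptions to tune.
function Find-BulkFileDeletion {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects carrying an AuditData JSON string
        [int] $Threshold = 3,
        [int] $WindowMinutes = 5
    )
    $Deletes = $Records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Operation -eq 'FileDeleted' }

    ForEach ($Group in ($Deletes | Group-Object UserId)) {
        $Times = @($Group.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        $Start = 0
        $Max = 0
        # Sliding window: largest number of deletions inside any $WindowMinutes span.
        For ($End = 0; $End -lt $Times.Count; $End++) {
            While (($Times[$End] - $Times[$Start]).TotalMinutes -gt $WindowMinutes) { $Start++ }
            $Max = [Math]::Max($Max, $End - $Start + 1)
        }
        If ($Max -ge $Threshold) {
            [pscustomobject]@{
                UserId             = $Group.Name
                MaxDeletesInWindow = $Max
                ClientIPs          = ($Group.Group.ClientIP | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample shaped like Search-UnifiedAuditLog output (only AuditData is populated).
$Sample = @(
    '09:00:05,user1@example.com,FileDeleted', '09:01:10,user1@example.com,FileDeleted',
    '09:02:30,user1@example.com,FileDeleted', '09:03:00,user2@example.com,FileAccessed',
    '11:45:00,user2@example.com,FileDeleted'
) | ForEach-Object {
    $Time, $User, $Op = $_ -split ','
    [pscustomobject]@{ AuditData = (@{ CreationTime = "2024-01-10T$Time"; UserId = $User
        Operation = $Op; ClientIP = '203.0.113.10' } | ConvertTo-Json -Compress) }
}

# Reports user1@example.com (three deletions inside five minutes); user2 stays below the threshold.
Find-BulkFileDeletion -Records $Sample
```

Against live data, pass the objects returned by Search-UnifiedAuditLog (for example `$SharePointLog`) as `-Records`.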
I have to extract all events of a specific file.. Please help.
Use "ObjectIds" parameter with your file name. E.g.:

```powershell
$AuditLog = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(+1) -Operations FileModified, FileAccessed, FileUploaded -ObjectIds "<your file name>" -ResultSize 1000
```
How can I fetch a large result set from the audit log? It throws an error: Starting a command on the remote server failed with the following error message : The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.
And I reestablish the connection, but in the meanwhile it doesn't return records for the given time interval. I am trying to fetch records in 30-minute intervals for a given start and end date; a retry mechanism is also applied, but I am still getting a random result count.