#Exchange Online 中的Admin Audit Log,需要一个小时的延迟时间,以下脚本可以直接拿到Exchange Online中管理员的操作日志

#The Admin Audit Log in Exchange Online has a one-hour delay. The following script retrieves the administrators' operation log from Exchange Online directly.


#Version 1.6
#Added function 3
#Written by [email protected]
#Modified by [email protected] on 9/8/2019 14:42 PM

# Print the task menu. The number typed at the "Choose the task" prompt further down
# selects one of the three tasks listed here.
# NOTE(review): there is no space between the closing quote of the menu text and
# -ForeGround; presumably it is still bound as the colour parameter -- confirm the menu
# is shown in cyan and that "-ForeGround Cyan" is not printed as text.
Write-host " 

Admin Audit Log
---------------------------- 
1.Export the entire Admin Audit Log
2.Search for specific CMDLET in the Admin Audit Log
3.Export the Admin Audit Log to seperate files

"-ForeGround "Cyan" 

#---------------- 
# Script 
#---------------- 

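# Interactive part of the script: reads the task number chosen from the menu, queries the
# Exchange Online admin audit log with Search-AdminAuditLog and writes the result to CSV.
# The exports list which administrator ran which cmdlet, so pick an export location that
# only the intended reviewers can read.

# Returns every admin audit log entry matching the given Search-AdminAuditLog arguments.
# Search-AdminAuditLog returns at most 1000 entries unless -ResultSize says otherwise, so
# a single call silently truncates a busy log; this pages through the results instead.
function Get-AllAdminAuditEntry {
    param([hashtable]$Query = @{})

    $pageSize   = 1000
    # NOTE(review): -StartIndex is taken to be zero-based -- confirm with
    # Get-Help Search-AdminAuditLog before relying on the export being complete.
    $startIndex = 0
    $collected  = New-Object System.Collections.ArrayList

    do {
        $page = @(Search-AdminAuditLog @Query -ResultSize $pageSize -StartIndex $startIndex)
        foreach ($entry in $page) {
            if ($null -ne $entry) { [void]$collected.Add($entry) }
        }
        $startIndex += $page.Count
    } while ($page.Count -eq $pageSize)   # a short page means the result set is exhausted

    return $collected.ToArray()
}

# Prompts until the operator types something Get-Date can parse and returns the DateTime.
function Read-AuditDate {
    param([string]$Prompt)

    while ($true) {
        $typed = Read-Host -Prompt $Prompt
        try {
            return (Get-Date $typed -ErrorAction Stop)
        } catch {
            Write-Host ("'" + $typed + "' is not a valid date, please try again.") -ForegroundColor Yellow
        }
    }
}

# Asks for the start and end date and returns them as a hashtable that can be splatted
# onto Search-AdminAuditLog, or $null when the start date is later than the end date.
function Read-AuditDateRange {
    # Format with the invariant culture: with the current culture the "/" in the format
    # string is replaced by the local date separator, which changes the value sent on.
    $invariant = [System.Globalization.CultureInfo]::InvariantCulture

    $from = Read-AuditDate -Prompt 'Enter the start date, Eg.  08/31/2019'
    $to   = Read-AuditDate -Prompt 'Enter the end date, Eg.  09/30/2019'

    if ($from -gt $to) {
        Write-Host "The start date is later than the end date; nothing to search." -ForegroundColor Yellow
        return $null
    }

    # NOTE(review): the dates are sent without a time of day, as before. Presumably the
    # service reads the end date as midnight, so entries made later on that day need the
    # following day as end date -- confirm.
    return @{
        StartDate = $from.ToString("MM/dd/yyyy", $invariant)
        EndDate   = $to.ToString("MM/dd/yyyy", $invariant)
    }
}

# True when $Name matches at least one of the wildcard patterns.
function Test-CmdletNameLike {
    param([string]$Name, [string[]]$Patterns)

    foreach ($pattern in $Patterns) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

# Writes the entries to a CSV file and reports success only when the file was written.
# An empty result set writes no file and says so instead of claiming an export.
function Export-AuditEntry {
    param($Entries, [string]$Path)

    $rows = @($Entries | Where-Object { $null -ne $_ })
    if ($rows.Count -eq 0) {
        Write-Host ("No matching entries; nothing was written to " + $Path) -ForegroundColor Yellow
        return
    }

    try {
        $rows | Export-Csv -Path $Path -NoTypeInformation -ErrorAction Stop
        Write-host ("File has been created under " + $Path ) -fore Green
    } catch {
        Write-Host ("Export to " + $Path + " failed: " + $_.Exception.Message) -ForegroundColor Red
    }
}

Write-Host "               " 

# Without an Exchange Online session the cmdlet is missing and every task would fail.
if (-not (Get-Command Search-AdminAuditLog -ErrorAction SilentlyContinue)) {
    Write-Host "Search-AdminAuditLog is not available; connect to Exchange Online first." -ForegroundColor Red
    return
}

$number = (Read-Host "Choose the task").Trim()
switch ($number)
{

    '1' {
        # Task 1: export the whole log (all pages, not just the first 1000 entries).
        $CSV = Read-Host "Enter the export file location (E.g c:\temp\AdminAuditLog.csv)"

        $results = @(Get-AllAdminAuditEntry)
        Export-AuditEntry -Entries $results -Path $CSV

        break
    }

    '2' {
        # Task 2: export the entries in a date range whose cmdlet name contains a word.
        $range = Read-AuditDateRange
        if ($null -eq $range) { break }

        $word = Read-Host "Enter the CMDLET you are looking for(E.g 'set-mailbox', or 'mailbox')"
        $CSV  = Read-Host "Enter the export file location (E.g c:\temp\AdminAuditLog.csv)"

        $results = @(Get-AllAdminAuditEntry -Query $range | Where-Object { $_.cmdletname -like "*$word*" })
        Export-AuditEntry -Entries $results -Path $CSV

        break
    }

    '3' {
        # Task 3: split the entries in a date range into one CSV file per category.
        $range = Read-AuditDateRange
        if ($null -eq $range) { break }

        $CSV = Read-Host "Enter the export file location (E.g c:\temp)"
        if (-not (Test-Path -Path $CSV -PathType Container)) {
            Write-Host ("'" + $CSV + "' is not an existing folder.") -ForegroundColor Red
            break
        }

        $groups = @(
            @{ File = 'mailflow.csv';     Patterns = @('*transport*', '*connector*') },
            @{ File = 'Mailbox.csv';      Patterns = @('*mailbox*', '*inbox*') },
            @{ File = 'User.csv';         Patterns = @('*user*', '*group*') },
            @{ File = 'Organization.csv'; Patterns = @('*organization*', '*domain*') }
        )

        # Query once and categorise locally, so all files describe the same snapshot and
        # no result is appended to a variable left over from an earlier run in the session.
        $entries = @(Get-AllAdminAuditEntry -Query $range)

        $claimed = @()
        foreach ($group in $groups) { $claimed += $group.Patterns }

        foreach ($group in $groups) {
            $patterns = $group.Patterns
            $subset = @($entries | Where-Object { Test-CmdletNameLike -Name $_.cmdletname -Patterns $patterns })
            Export-AuditEntry -Entries $subset -Path (Join-Path $CSV $group.File)
        }

        # "Others" is everything no category claimed; this now includes the *domain*
        # pattern, so domain cmdlets no longer show up in both Organization and Others.
        $others = @($entries | Where-Object { -not (Test-CmdletNameLike -Name $_.cmdletname -Patterns $claimed) })
        Export-AuditEntry -Entries $others -Path (Join-Path $CSV 'Others.csv')

        break
    }

    default {
        Write-Host ("'" + $number + "' is not a valid choice; enter 1, 2 or 3.") -ForegroundColor Yellow
    }

}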