Get-AuditLogSearch (ExchangePowerShell) (2024)

Module: ExchangePowerShell
Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Get-AuditLogSearch cmdlet to return a list of current audit log searches that were created with the New-AdminAuditLogSearch or New-MailboxAuditLogSearch cmdlets. The Get-AuditLogSearch cmdlet also returns audit log searches that are initiated whenever an administrator uses the Exchange admin center (EAC) to export audit logs.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Get-AuditLogSearch [[-Identity] <AuditLogSearchIdParameter>] [-CreatedAfter <ExDateTime>] [-CreatedBefore <ExDateTime>] [-ResultSize <Int32>] [-Type <String>] [<CommonParameters>]

Description

Run the Get-AuditLogSearch cmdlet to return a list of pending audit log searches. If an audit log search has been completed, it won't be displayed in the list of audit log searches.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

Get-AuditLogSearch | Format-List

This example displays detailed information for all current audit log searches.

Example 2

Get-AuditLogSearch -Type admin

This example returns a list of current administrator audit log searches.
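
An added example (not from the original reference page) that reviews pending audit log searches and flags any whose results would be mailed outside a set of trusted domains. The property names Name, Type, CreatedBy, CreationTime and StatusMailRecipients are assumed from the objects the cmdlet returns and are not listed on this page; the function name, sample objects and domains are constructed for illustration.

```powershell
# Added example. Property names on the search objects are assumptions
# (not documented on this page); sample data below is constructed.
function Find-ExternalAuditLogSearch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Search,

        # Domains that are allowed to receive audit log search results.
        [Parameter(Mandatory)]
        [string[]]$TrustedDomain
    )
    process {
        # Collect recipients whose domain part is not on the allow list.
        # -notcontains compares case-insensitively.
        $external = @(
            foreach ($rcpt in @($Search.StatusMailRecipients)) {
                $addr   = [string]$rcpt
                $domain = ($addr -split '@')[-1]
                if ($TrustedDomain -notcontains $domain) { $addr }
            }
        )
        if ($external.Count -gt 0) {
            [pscustomobject]@{
                Name               = $Search.Name
                Type               = $Search.Type
                CreatedBy          = $Search.CreatedBy
                CreationTime       = $Search.CreationTime
                ExternalRecipients = $external -join ';'
            }
        }
    }
}

# Constructed sample objects standing in for Get-AuditLogSearch output.
$sample = @(
    [pscustomobject]@{ Name = 'Quarterly review'; Type = 'Admin'; CreatedBy = 'admin1'
        CreationTime = [datetime]'2024-03-01T09:00:00'
        StatusMailRecipients = @('audit@contoso.example') }
    [pscustomobject]@{ Name = 'Mailbox export'; Type = 'Mailbox'; CreatedBy = 'admin2'
        CreationTime = [datetime]'2024-03-02T23:41:00'
        StatusMailRecipients = @('audit@contoso.example', 'drop@fabrikam.example') }
)
$sample | Find-ExternalAuditLogSearch -TrustedDomain 'contoso.example'

# In a live session, a [datetime] value sidesteps the regional short date format:
# Get-AuditLogSearch -CreatedAfter (Get-Date).AddDays(-7) -ResultSize unlimited |
#     Find-ExternalAuditLogSearch -TrustedDomain 'contoso.example'
```

Because completed searches drop out of the list, this check only sees requests that are still pending when it runs.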

Parameters

-CreatedAfter

The CreatedAfter parameter filters the results to audit log searches that were created after the specified date.

Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".

Type: ExDateTime
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CreatedBefore

The CreatedBefore parameter filters the results to audit log searches that were created before the specified date.

Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".

Type: ExDateTime
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-Identity

The Identity parameter specifies the GUID for an audit log search. You can run the command Get-AuditLogSearch | Format-List Identity to display the GUIDs for all current audit log searches.

Type: AuditLogSearchIdParameter
Position: 1
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-ResultSize

The ResultSize parameter specifies the maximum number of results to return. If you want to return all requests that match the query, use unlimited for the value of this parameter. The default value is 1000.

Type: Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-Type

The Type parameter specifies the type of audit log searches to return. Use the value Admin to return administrator audit log searches or use mailbox to return mailbox audit log searches. If the Type parameter isn't used, the cmdlet returns both administrator and mailbox audit log searches.

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

Inputs

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Outputs

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.


FAQs

How do I get the audit log in Exchange PowerShell?

Run the Get-AuditLogSearch cmdlet to return a list of pending audit log searches. If an audit log search has been completed, it won't be displayed in the list of audit log searches. You need to be assigned permissions before you can run this cmdlet.

How to get the mailbox audit logs?

Review the audit log
  1. Open the Security & Compliance Center.
  2. Click Search & Investigation -> Click Audit log search.
  3. Filter activities using the Activity button on the left pane, then click Search.
  4. Click the activity you want to review, for example, modified permissions of folder:

How to check Exchange Online logs?

In the EAC, go to Compliance management > Auditing, and then choose Run the admin audit log report. In the Search for changes to administrator role groups page that opens, choose a Start date and End date (the default range is the past two weeks), and then choose Search.

Where are Exchange audit logs stored?

By default, administrator audit logging is enabled and logs are stored in the Microsoft Exchange System Mailbox. Customizing Mailbox Audit Logging: Similar to administrator audit logging, mailbox audit logging can be customized based on the type of activity and the accessing account (Administrator, Delegate, or Owner).

How to export mailbox audit logs Exchange Online PowerShell?

Export the mailbox audit log
  1. In the EAC, go to Compliance Management > Auditing.
  2. Click Export mailbox audit logs.
  3. Configure the following search criteria for exporting the entries from the mailbox audit log: Start and end dates: Select the date range for the entries to include in the exported file. ...
  4. Click Export.
Feb 22, 2024

How do I find audit logs for a shared mailbox?

Reviewing Mailbox Audit Logs

Sign in to the Security & Compliance Center with your Office 365 Admin user account. Select Search & Investigation, and then select Audit log search.

How do I get O365 audit logs?

Complete the following steps to get started with search:
  1. Sign into the Microsoft Purview compliance portal.
  2. Select the Audit tab on the left panel.
  3. Select New Search tab at the top of the Audit page.
  4. On the New Search tab, configure the following search criteria as applicable: ...
  5. Select Search to start your search job.
Mar 26, 2024

How do I use audit log search?

To run an audit log search:
  1. Start a New Search. In the Security & Compliance Center, click Search, Audit log search.
  2. Configure Your Search Criteria. The main criteria to specify are: ...
  3. Filter the Search Results. Filtering the search results will help you analyze the data more effectively. ...
  4. Save your Results.
Jan 31, 2024

Where are the Exchange logging files?

By default, the connectivity log files exist in these locations: Mailbox servers: Transport service: %ExchangeInstallPath%TransportRoles\Logs\Hub\Connectivity. Front End Transport service: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\Connectivity.

How do I read Exchange message tracking logs?

You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell to search for entries in the message tracking log by using specific search criteria. For example: Find out what happened to a message that was sent by a user to a specific recipient.

How long does O365 keep audit logs?

An audit log retention policy lets you specify how long to retain audit logs in your organization. Logs are kept for 90 or 365 days, or up to 10 years, depending on the license. To enable retention beyond 90 days, you'll need to have an Office 365 E5 subscription or an Office 365 Advanced Compliance add-on license.

How to read mailbox audit logs?

How to Use Search-MailboxAuditLog PowerShell Command
  1. Step 1: Connect to Exchange Online PowerShell. ...
  2. Step 2: Identify the Mailbox Audit Logs Locations. ...
  3. Step 3: Enable Mailbox Audit Logging. ...
  4. Step 4: Run the Search-MailboxAuditLog Command.
Feb 5, 2024

How do I check folder audit logs?

To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below. Search the Security Windows Logs for the event ID 4656 with the Audit Failed keyword to find out who tried changing a file or folder.

How do I open audit logs?

Type audlog from the command line and press Enter or click Execute Command. Open the audit. summ form from Database Manager. Click Tailoring > Audit > Audit Log.

How do I view audit policies in PowerShell?

Use the Get-AuditConfigurationPolicy cmdlet to view audit configuration policies.

How do I view server audit logs?

Using SQL Server Management Studio
  1. In Object Explorer, expand the Security folder.
  2. Expand the Audits folder.
  3. Right-click the audit log that you want to view and select View Audit Logs. This opens the Log File Viewer -server_name dialog box. For more information, see Log File Viewer F1 Help.
  4. When finished, click Close.
Feb 28, 2023

How to search unified audit log in PowerShell?

Use the Search-UnifiedAuditLog cmdlet to search the unified audit log. This log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Entra ID, Microsoft Teams, Power BI, and other Microsoft 365 services.

How do I find AD audit logs?

Step 1: This can be done by going to your Group Policy management console → Domain policy → Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy/Advanced audit policy configuration. Step 2: Select the events you want to audit.

Article information

Author: Fr. Dewey Fisher
