Can we add a filter in Search-AdminAuditLog command to get the data from a specific originatingServer only?

VIVEK SHARMA 0 Reputation points
2024-08-29T06:13:56.6333333+00:00

Hi Team,
I have multiple Exchange servers, and running the Search-AdminAuditLog command took a lot of time because it pulls the data from all the servers. I want to know if there is any way to filter the data based on the originating server so that not all the server data is pulled by the Search-AdminAuditLog command.
Thanks in advance!!


2 answers

  1. Mike Hu-MSFT 3,275 Reputation points Microsoft Vendor
    2024-08-29T09:24:32.8666667+00:00

    Hi,

    Welcome to the Microsoft Q&A platform!

    You can try to do the following:

    First, perform the search to retrieve the logs. You may want to limit the search by date range to reduce the data volume.

    
        $startDate = (Get-Date).AddDays(-30)
        $endDate = Get-Date
        $logs = Search-AdminAuditLog -StartDate $startDate -EndDate $endDate
    
    

    Once you have the logs, you can filter them based on the OriginatingServer property.

    
        $originatingServer = "YourServerName"
        $filteredLogs = $logs | Where-Object { $_.OriginatingServer -eq $originatingServer }
    
    

    Finally, you can review the filtered logs or export them for further analysis.

    
        $filteredLogs | Format-Table -AutoSize
        # OR
        $filteredLogs | Export-Csv -Path "FilteredAuditLogs.csv" -NoTypeInformation
    
    

    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
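
An added example, not part of the answer above: Search-AdminAuditLog returns 1,000 entries by default, and Exchange records OriginatingServer as the server name followed by its build in parentheses, so a single call filtered with `-eq` on the bare name can miss entries. The sketch below pages through the results and compares only the name part. The function name, `EX01`, the `-Fetch` parameter and the sample entries are constructed for illustration.

```powershell
# Added example. Assumptions: Exchange Management Shell session; 'EX01' is a placeholder
# server name; -StartIndex is treated as a zero-based offset into the result set.
function Get-AdminAuditLogByServer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [datetime] $StartDate,
        [datetime]    $EndDate  = (Get-Date),
        [int]         $PageSize = 1000,
        # Page source, replaceable so the matching logic can be exercised without Exchange.
        [scriptblock] $Fetch = {
            param($From, $To, $Index, $Size)
            Search-AdminAuditLog -StartDate $From -EndDate $To -StartIndex $Index -ResultSize $Size
        }
    )
    $index = 0
    do {
        $page = @(& $Fetch $StartDate $EndDate $index $PageSize)
        foreach ($entry in $page) {
            # Compare only the name part of 'NAME (build)'; a prefix wildcard such as
            # 'EX01*' would also match EX010.
            $name = ("$($entry.OriginatingServer)" -split '\s*\(', 2)[0].Trim()
            if ($name -ieq $Server) { $entry }
        }
        $index += $page.Count
    } while ($page.Count -eq $PageSize)   # a short page means the result set is exhausted
}

# Constructed sample entries (not real log data) standing in for Search-AdminAuditLog output.
$sample = @(
    [pscustomobject]@{ CmdletName = 'Set-Mailbox';          OriginatingServer = 'EX01 (15.02.0001.001)' }
    [pscustomobject]@{ CmdletName = 'New-TransportRule';    OriginatingServer = 'EX02 (15.02.0001.001)' }
    [pscustomobject]@{ CmdletName = 'Add-MailboxPermission'; OriginatingServer = 'ex01 (15.02.0001.001)' }
    [pscustomobject]@{ CmdletName = 'Set-AdminAuditLogConfig'; OriginatingServer = 'EX010 (15.02.0001.001)' }
    [pscustomobject]@{ CmdletName = 'New-ManagementRoleAssignment'; OriginatingServer = 'EX01 (15.02.0001.001)' }
)
$fake = { param($From, $To, $Index, $Size) $sample | Select-Object -Skip $Index -First $Size }

# Expect the three EX01/ex01 entries; EX02 and EX010 are excluded.
Get-AdminAuditLogByServer -Server 'EX01' -StartDate (Get-Date).AddDays(-30) -Fetch $fake -PageSize 2 |
    Format-Table CmdletName, OriginatingServer -AutoSize
```

Omit `-Fetch` to query Exchange itself. The filter still runs on the client, so the search reads every server's entries; only the cmdlet's own parameters, such as `-StartDate`/`-EndDate`, `-Cmdlets` or `-UserIds`, reduce what is searched.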


  2. Mike Hu-MSFT 3,275 Reputation points Microsoft Vendor
    2024-08-30T06:44:41.7233333+00:00

    The Search-AdminAuditLog command in Exchange PowerShell does not have a direct parameter to filter results by the originating server. However, you can use the Search-UnifiedAuditLog command as an alternative. This command allows you to set the RecordType parameter to ExchangeAdmin to get similar results as Search-AdminAuditLog.

    Here's an example of how you can use the Search-UnifiedAuditLog command to filter by the originating server:

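        # OriginatingServer is a field inside the AuditData JSON string, not a top-level property
        Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddMinutes(-5) -EndDate (Get-Date) |
            Where-Object { ($_.AuditData | ConvertFrom-Json).OriginatingServer -eq "YourServerName" }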
    

    Tip: use your real server's name instead of "YourServerName".

    This command will search for all Exchange admin actions in the last 5 minutes and filter the results to include only those from the specified originating server.
