我正在使用从Office 365导出审核日志的功能。转储日志时,AuditData字段包含我认为有用的信息。我希望仅导出该字段并将其转换为CSV。下面是我的功能。
Function ExportAuditLog($User) {
$logResults = @()
if ($user -eq $null) {
$user = SelectUser "Please select a user to audit"
}
$logData = Search-UnifiedAuditLog -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) -UserIds $user -Operations MailboxLogin -Formatted | select AuditData
foreach ($entry in $logData) {
$logResults += $entry.AuditData
}
return $logResults
}
这是输出。
{
"CreationTime": "2018-12-01T14:08:55",
"Id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"Operation": "MailboxLogin",
"OrganizationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"RecordType": "ExchangeItem",
"ResultStatus": "Succeeded",
"UserKey": "xxxxxxxxxxxxxxxx",
"UserType": "Regular",
"Version": 1,
"Workload": "Exchange",
"UserId": "user@domain.com",
"ClientIPAddress": "1.2.3.4",
"ClientInfoString":
"Client=Microsoft.Exchange.Autodiscover; Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.11001; Pro)",
"ExternalAccess": false,
"InternalLogonType": 0,
"LogonType": 0,
"LogonUserSid": "x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxx",
"MailboxGuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"MailboxOwnerSid": "x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxx",
"MailboxOwnerUPN": "user@domain.com",
"OrganizationName": "domain.com",
"OriginatingServer": "",
"SessionId": ""
}
我的目标是让每行的第一部分作为列标题,第二部分作为数据。
答案 0 :(得分:0)
使用ConvertFrom-Json cmdlet将字段转换为Powershell对象:
$logResults += ConvertFrom-Json $entry.AuditData
然后使用Export-Csv cmdlet将其导出到csv文件:
$logResults | Export-Csv -Path AuditData.csv -NoTypeInformation