Issue in using "Get-ADAuditLogs" #67
Comments
Hi Joey, I am running the latest version of the Extractor suite. Get-ADAuditLogs -startDate 4-1-2024 and Get-ADAuditLogs -startDate 4/1/2024. For both, I get the same error as shared earlier.
Thanks for your reply. Currently, the supported time format is limited to yyyy-mm-dd. Could you try again using this format? Link to docs: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/AzureActiveDirectoryAuditLog.html
Hi Joey,
Are you trying to retrieve the logs from 2024-01-04 or 2024-04-01 (yyyy-mm-dd)? Since 2024-01 should work because of the retention of the Audit Logs. When I run the tool with 2024-01 I will get an empty output file and it throws an error. Could you try running the following in PowerShell? This is what the Extractor Suite will execute in the background. Perhaps it will throw some error, allowing us to determine if it's the PowerShell module or something else causing the issue.
When I run this, it prints all the audit logs on the terminal, no error.
Hmm, strange. I am unable to reproduce the error, and I asked some other users, who confirmed that it seems to work fine for them as well. The logic for this script is pretty basic, and I'm not sure what could be causing the error. You can try running the steps below one by one to see if any of them fail: First, it checks if the output directory is present. If not, it will create it.
If the startDate parameter is used, it will set the
Next, it will retrieve all the results and store them in the
The last step is to write the results to a JSON output file.
If you could run the steps one by one, we might be able to identify the step in the Extractor Suite that is causing the issue for you. Additionally, could you try running it on a different system as well, so we can rule out if it's an issue specific to your system?
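As an added example (not the Extractor Suite's own code, and not part of Joey's reply), the four steps above written out as a single PowerShell function. It validates and normalises the date before it is placed in the OData filter, so a value like 4-1-2024 is rejected locally instead of producing the "Invalid filter clause" response quoted in this issue, and it refuses to write an empty output file, which is the symptom reported later in the thread. The function name, parameter names and default output directory are assumptions; Get-AzureADAuditDirectoryLogs is the cmdlet named in the error output and is assumed to be available from the AzureADPreview module after Connect-AzureAD.

```powershell
# Added example, not the Extractor Suite's own code. Assumes the AzureADPreview
# module is loaded and Connect-AzureAD has already been run. Function and
# parameter names are hypothetical.
function Export-DirectoryAuditLogs {
    param(
        [Parameter(Mandatory)][string]$StartDate,
        [string]$EndDate,
        [string]$OutputDir = ".\Output\AzureAD"   # assumed default
    )

    # Step 1: make sure the output directory exists.
    if (-not (Test-Path -LiteralPath $OutputDir)) {
        New-Item -ItemType Directory -Path $OutputDir | Out-Null
    }

    # Step 2: parse the date strictly and render it as an ISO 8601 UTC
    # timestamp for the filter. Accepts yyyy-MM-dd as well as a date with a
    # time component; anything else fails here with a clear message rather
    # than being sent to the service as a malformed filter clause.
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $formats = [string[]]@('yyyy-MM-dd', "yyyy-MM-dd'T'HH:mm:ss", "yyyy-MM-dd'T'HH:mm:ss'Z'")
    $style   = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
               [System.Globalization.DateTimeStyles]::AdjustToUniversal
    try {
        $start = [datetime]::ParseExact($StartDate, $formats, $culture, $style)
    } catch {
        throw "StartDate '$StartDate' is not in yyyy-MM-dd or yyyy-MM-ddTHH:mm:ss form."
    }
    $filter = "activityDateTime ge $($start.ToString('yyyy-MM-ddTHH:mm:ssZ'))"

    if ($EndDate) {
        try {
            $end = [datetime]::ParseExact($EndDate, $formats, $culture, $style)
        } catch {
            throw "EndDate '$EndDate' is not in yyyy-MM-dd or yyyy-MM-ddTHH:mm:ss form."
        }
        if ($end -le $start) { throw "EndDate must be later than StartDate." }
        $filter += " and activityDateTime le $($end.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
    }
    Write-Verbose "Using filter: $filter"

    # Step 3: retrieve every matching entry; -All $true follows paging.
    $results = Get-AzureADAuditDirectoryLogs -All $true -Filter $filter

    # Step 4: write JSON, but do not silently produce an empty file.
    if (-not $results -or $results.Count -eq 0) {
        Write-Warning "No audit events matched filter '$filter'; nothing written."
        return
    }
    $fileName = "AuditLogs_{0:yyyyMMddHHmmss}.json" -f (Get-Date)
    $path = Join-Path -Path $OutputDir -ChildPath $fileName
    $results | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $path -Encoding UTF8
    Write-Host "Wrote $($results.Count) audit events to $path"
}

# Usage: Export-DirectoryAuditLogs -StartDate 2024-01-04 -EndDate 2024-01-06 -Verbose
```

Running each step in isolation, as Joey suggests, maps directly onto the four commented sections: if the directory creation, the filter string, the retrieval or the JSON write fails, the error surfaces at that step instead of as an empty output file.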
I just did a PR in #69. It won't fix this issue (looks like it might have been a datatype issue; I also cannot reproduce). However, we should look to change this log source to allow time, as I realized a custom interval would not work.
Looks like other date formats might work too (including times).
Apologies for the delay in responding. I did a couple more test runs and found that this occurs when I try to fetch data for more than a day (or half a day). When the start and end date are 2 days or more apart, the process stops and writes an empty file.
Would you mind sharing the command lines and/or the log file you're using? Might be helpful for troubleshooting. Feel free to download my altered file from PR #69 and then reimport the whole module, as it could fix the issue. (Using the code in that PR I have managed to pull logs for 6 hours or so, and several days.)
@apps-dfir I just pushed the update from @angry-bender to the main branch. Could you check if you are running into the same issues while using the new version? (I haven't updated the version on the PowerShell Gallery or the release page yet, so make sure to download from the main branch.)
Hi, I will close this issue for now; feel free to reopen it anytime.
Appears to be an issue with pulling Azure Audit Logs using "Get-ADAuditLogs"
Following is the full error:
Get-AzureADAuditDirectoryLogs : Error occurred while executing GetAuditDirectoryLogs
Code: BadRequest
Message: Invalid filter clause: An identifier was expected at position 20.
InnerError:
RequestId:
DateTimeStamp: Tue, 30 Apr 2024 10:30:20 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users<redacted>\WindowsPowerShell\Modules\Microsoft-Extractor-Suite\1.3.4\Scripts\Get-AzureADLogs.ps1:287 char:14
AuditDirectoryLogs