o365-exchange-logs
Fetch exchange logs using Office 365 Management API
o365-exchange-logs [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- profile=PROFILE
- Office 365 connect profile name
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | |
| profile | String | Connect profile | The identifier of Office 365 connect profile |
| workload | String | Workload | e.g. Exchange |
| org_name | String | 주 도메인 | e.g. acme.onmicrosoft.com |
| origin_server | String | Origin server | |
| client_ip | IP address | Client IP | |
| user_id | String | User ID | e.g. S-1-5-18 |
| operation | String | Operation | e.g. Add-MailboxPermission, ModifyFolderPermissions, Set-OwaMailboxPolicy |
| object_id | String | Object ID | e.g. acme.onmicrosoft.com\Admin Audit Log Settings |
| result_status | String | Result status | e.g. Succeeded, True |
| external_access | Bool | External access | |
| parameters | List | Parameters | Elements with name and value properties |
| record_type | Integer | Record type | e.g. 1, 2 |
| user_type | Integer | User type | e.g. 2, 3 |
| user_key | String | User key | e.g. S-1-5-18, NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost) |
| version | Integer | Version | e.g. 1 |
| id | String | ID | GUID |
| org_id | String | Tenant ID | GUID format |
| app_id | String | App ID | GUID format |