Scripts/Get-AzureActivityLogs.ps1
|
Function StartDateAzure { if (($startDate -eq "") -Or ($null -eq $startDate)) { $startDate = [datetime]::Now.ToUniversalTime().AddDays(-89) $startDate = Get-Date $startDate -Format "yyyy-MM-dd HH:mm:ss" write-host "[INFO] No start date provived by user setting the start date to: $startDate" $script:StartDate = Get-Date $startDate -Format "yyyy-MM-dd HH:mm:ss" } else { $script:startDate = $startDate -as [datetime] if (!$script:startDate ) { write-host "[WARNING] Not A valid start date and time, make sure to use YYYY-MM-DD" } } } function EndDateAzure { if (($endDate -eq "") -Or ($null -eq $endDate)) { $endDate = [datetime]::Now.ToUniversalTime() $endDate = Get-Date $endDate -Format "yyyy-MM-dd HH:mm:ss" write-host "[INFO] No end date provived by user setting the end date to: $endDate" $script:endDate = Get-Date $endDate -Format "yyyy-MM-dd HH:mm:ss" } else { $script:endDate = $endDate -as [datetime] if (!$endDate) { write-host "[WARNING] Not A valid end date and time, make sure to use YYYY-MM-DD" } } } function Get-ActivityLogs { <# .SYNOPSIS Retrieves the Activity logs. .DESCRIPTION The Get-ActivityLogs cmdlet collects the Azure Activity logs. The output will be written to: Output\AzureAD\$date\$iD-ActivityLog.json .PARAMETER StartDate startDate is the parameter specifying the start date of the date range. Default: Today -89 days .PARAMETER EndDate endDate is the parameter specifying the end date of the date range. Default: Now .PARAMETER SubscriptionID SubscriptionID is the parameter specifies the subscription ID for which the collection of Activity logs is required. Default: All subscriptions .PARAMETER OutputDir OutputDir is the parameter specifying the output directory. Default: Output\AzureActivityLogs .EXAMPLE Get-ActivityLogs Get all the activity logs for all subscriptions connected to the logged-in user account for the last 89 days. .EXAMPLE Get-ActivityLogs -EndDate 2023-04-12 Get all the activity logs before 2023-04-12. .EXAMPLE Get-ActivityLogs -StartDate 2023-04-12 Get all the activity logs after 2023-04-12. .EXAMPLE Get-ActivityLogs -SubscriptionID "4947f939-cf12-4329-960d-4dg68a3eb66f" Get all the activity logs for the subscription 4947f939-cf12-4329-960d-4dg68a3eb66f #> [CmdletBinding()] param( [string]$StartDate, [string]$EndDate, [string]$SubscriptionID, [string]$OutputDir ) try { $areYouConnected = Get-AzActivityLog -ErrorAction stop -WarningAction silentlyContinue } catch { write-logFile -Message "[WARNING] You must call Connect-AzureAZ before running this script" -Color "Red" break } StartDateAzure EndDateAzure $date = [datetime]::Now.ToString('yyyyMMddHHmmss') if ($OutputDir -eq "" ){ $OutputDir = "Output\AzureActivityLogs\$date\" if (!(test-path $OutputDir)) { write-logFile -Message "[INFO] Creating the following directory: $OutputDir" New-Item -ItemType Directory -Force -Name $OutputDir | Out-Null } } else{ write-logFile -Message "[INFO] Output directory set to: $OutputDir" -Color "Green" } if ($SubscriptionID -eq "") { write-logFile -Message "[INFO] Retrieving all subscriptions linked to the logged-in user account" -Color "Green" $subScription = Get-AzSubscription foreach ($i in $subScription) { write-logFile -Message "[INFO] Identified Subscription: $i" } } else { $subScription = Get-AzSubscription -SubscriptionId $SubscriptionID } foreach ($sub in $Subscription) { $name = $sub.Name $iD = $sub.Id write-logFile -Message "[INFO] Retrieving all Activity Logs for $sub" -Color "Green" Set-AzContext -Subscription $iD | Out-Null write-logFile -Message "[INFO] Connected to $iD" -Color "Green" $filePath = "$OutputDir\$iD-ActivityLog.json" [DateTime]$currentStart = $script:StartDate [DateTime]$currentEnd = $script:EndDate $totalDays = ($currentEnd - $currentStart).TotalDays for ($i = 0; $i -lt $totalDays; $i++) { $dagCounter = $currentStart.AddDays($i) $formattedDate = $dagCounter.ToString("yyyy-MM-dd") [DateTime]$start = (Get-Date $formattedDate).Date [DateTime]$end = (Get-Date $formattedDate).Date.AddDays(1).AddSeconds(-1) $currentStartnew = $start $currentEnd = $end $amountResults = Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction SilentlyContinue if ($amountResults.count -gt 0) { if ($amountResults.count -gt 1000) { while ($currentStartnew -lt $currentEnd) { Write-LogFile -Message "[WARNING] $formattedDate - We have exceeded the maximum allowable number of 100 logs, lowering the time interval.." -Color "Red" Write-LogFile -Message "[INFO] $formattedDate - Temporary lowering time interval.." -Color "Yellow" $tempInterval = 24 $tempStartDate = $start $amountResults = Get-AzActivityLog -StartTime $tempStartDate -EndTime $currentEnd -MaxRecord 1000 -WarningAction SilentlyContinue while ($($amountResults.count) -gt 1000) { $timeLeft = ($currentEnd - $tempStartDate).TotalHours $tempInterval = $timeLeft / 2 $backup = $tempInterval $tempStartDate = $tempStartDate.AddHours($tempInterval) $amountResults = Get-AzActivityLog -StartTime $tempStartDate -EndTime $currentEnd -MaxRecord 1000 -WarningAction SilentlyContinue } $amountResults = Get-AzActivityLog -StartTime $tempStartDate -EndTime $currentEnd -MaxRecord 1000 -WarningAction SilentlyContinue Write-LogFile -Message "[INFO] Successfully retrieved $($amountResults.count) Activity logs between $tempStartDate and $currentEnd" -Color "Green" $amountResults | Out-File -FilePath $filePath -Append if ($tempStartDate -eq $currentEnd) { $timeLeft = ($currentEnd - $start).TotalHours $tempStartDate = $start } $currentEnd = $tempStartDate } } else { Write-LogFile -Message "[INFO] Successfully retrieved $($amountResults.count) Activity logs for $formattedDate. Moving on!" -Color "Green" Get-AzActivityLog -StartTime $start -EndTime $end -MaxRecord 1000 -WarningAction silentlyContinue | Out-File -FilePath $filePath -Append } } else { Write-LogFile -Message "[INFO] No Activity Logs found on $formattedDate. Moving on!" } } Write-LogFile -Message "[INFO] Done all logs are collected for $name" -Color "Green" } } |