View the administrator audit log

In Microsoft Exchange Online Protection (EOP), Microsoft Exchange Online, and Microsoft Exchange Server, you can use the Exchange admin center (EAC) to search for and view entries in the administrator audit log. The administrator audit log records specific actions, based on Exchange Management Shell cmdlets, performed by administrators and users who have been assigned administrative privileges. Entries in the administrator audit log provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.

Note

  • Administrator audit logging is enabled by default.

  • The administrator audit log doesn't record any action that is based on an Exchange Management Shell cmdlet that begins with the verbs Get, Search, or Test.

  • Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.

What do you need to know before you begin?

  • Estimated time to complete: 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View reports" entry in the Feature Permissions in EOP topic.

  • As previously stated, administrator audit logging is enabled by default. To verify that it's enabled, you can run the following command.

    Get-AdminAuditLogConfig | FL AdminAuditLogEnabled
    

    In Exchange Server, if administrator audit logging is disabled, you can enable it by running the following command.

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
    

    In Exchange Online Protection and Exchange Online, administrator audit logging is always enabled. It can't be disabled.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

Use the EAC to view the administrator audit log

  1. In the EAC, go to Compliance management > Auditing, and choose Run the admin audit log report.

  2. Choose a Start date and End date, and then choose Search. All configuration changes made during the specified time period are displayed, and can be sorted, using the following information:

    • Date: The date and time that the configuration change was made. The date and time are stored in Coordinated Universal Time (UTC) format.

    • Cmdlet: The name of the cmdlet that was used to make the configuration change.

    • User: The name of the user account of the user who made the configuration change.

     Up to 5000 entries will be displayed on multiple pages. Specify a smaller date range if you need to narrow your results. If you select an individual search result, the following additional information is displayed in the details pane:

    • Object modified: The object that was modified by the cmdlet.

    • Parameters (Parameter:Value): The cmdlet parameters that were used, and any value specified with the parameter.

  3. If you want to print a specific audit log entry, choose the Print button in the details pane.
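The same report can be pulled from the shell. The following is an added example, not part of the original topic: it assumes an Exchange Management Shell session with permission to run Search-AdminAuditLog, and the seven-day range is a constructed sample value.

```powershell
# Added example: shell counterpart of the EAC "Run the admin audit log report" search.
# Assumes an Exchange Management Shell session with rights to run Search-AdminAuditLog.

# Constructed sample date range; entries older than 90 days are no longer available.
$endDate   = Get-Date
$startDate = $endDate.AddDays(-7)

# 5000 mirrors the maximum number of entries the EAC report displays.
$entries = Search-AdminAuditLog -StartDate $startDate -EndDate $endDate -ResultSize 5000

# Project each entry onto the columns the EAC shows:
# Date, Cmdlet, User, Object modified, Parameters (Parameter: Value).
$report = $entries | Sort-Object RunDate -Descending | ForEach-Object {
    $params = $_.CmdletParameters | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value }
    [pscustomobject]@{
        Date           = $_.RunDate
        Cmdlet         = $_.CmdletName
        User           = $_.Caller
        ObjectModified = $_.ObjectModified
        Parameters     = $params -join '; '
    }
}

# Full report for the date range.
$report | Format-Table -AutoSize -Wrap

# Changes to the audit configuration itself (for example, AdminAuditLogEnabled
# being switched in Exchange Server) are listed separately for review.
$report | Where-Object { $_.Cmdlet -eq 'Set-AdminAuditLogConfig' } | Format-List
```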

How do you know this worked?

If you've successfully run an administrator audit log report, configuration changes made within the date range you specify are displayed in the search results pane. If there are no results, change the date range and then run the report again.

Note

When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results. If a change doesn't appear in the administrator audit log, wait a few minutes and run the search again.