invictus-ir/Microsoft-Extractor-Suite

Get-UALAll - MergeOutput throwing an error when used

Closed this issue · 11 comments

May be related to the recent change/update that unified MergeCSVOutput to MergeOutput across the various functions.

Before, it used to be -MergeCSVOutput with either Y or N as value (IIRC).
Now, according to the documentation, it's -MergeOutput. Since the default is "No", I assume that "Yes" and "No" are the correct values.

https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/UnifiedAuditLog.html#extract-all-audit-logs

I tried both "-MergeOutput Y" and "-MergeOutput Yes" with the Get-UALAll command, but every time it throws the following error:

MethodException: C:\Users\SecurityAura\Documents\PowerShell\Modules\Microsoft-Extractor-Suite\1.3.3\Scripts\Get-UAL.ps1:148
Line |
 148 | $currentEnd = $currentStart.AddMinutes($Interval)
       | Cannot convert argument "value", with value: "Yes", for "AddMinutes" to type "System.Double": "Cannot convert value "Yes" to type "System.Double". Error: "The input string 'Yes' was not in the correct format.""

So somehow, using --MergeOutput seems to somehow screw with -StartDate and -EndDate?

Hi, we didn't really like the y/n, so we made it a switch parameter, meaning that adding -MergeOutput is enough.

Running the following should work:
Get-UALAll -EndDate "2024-04-15" -StartDate "2024-04-01" -MergeOutput

I will remove the Default: No from the docs since these are some legacy leftovers. Thanks for pointing it out.
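
Why the stray "Yes" surfaced inside AddMinutes, shown as an added example that is not part of the thread or the module's code: a switch takes no value, so the token after it is bound positionally to the next unbound parameter. Get-DemoWindow and Get-DemoWindowStrict are hypothetical functions; the real Get-UALAll parameter declarations are not shown on this page and the untyped -Interval is an assumption.

```powershell
# Hypothetical stand-in for a collector with an untyped -Interval (assumption).
function Get-DemoWindow {
    param(
        [string]$StartDate,
        [string]$EndDate,
        $Interval = 720,          # untyped: accepts any leftover token
        [switch]$MergeOutput      # switch: present or absent, never takes a value
    )
    $currentStart = [datetime]$StartDate
    # A non-numeric $Interval only fails here, far from the actual mistake.
    $currentEnd = $currentStart.AddMinutes($Interval)
    [pscustomobject]@{ Start = $currentStart; End = $currentEnd; Merge = [bool]$MergeOutput }
}

# Hardened variant: positional binding disabled, interval typed and range-checked,
# so a stray token is rejected at parameter binding with a message naming it.
function Get-DemoWindowStrict {
    [CmdletBinding(PositionalBinding = $false)]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [ValidateRange(1, 1440)][int]$Interval = 720,
        [switch]$MergeOutput
    )
    $currentEnd = $StartDate.AddMinutes($Interval)
    [pscustomobject]@{ Start = $StartDate; End = $currentEnd; Merge = [bool]$MergeOutput }
}

# Constructed calls: correct switch usage, the legacy "Yes" value, and the
# same legacy call against the strict variant.
$calls = @(
    { Get-DemoWindow -StartDate '2024-04-01' -EndDate '2024-04-15' -MergeOutput },
    { Get-DemoWindow -StartDate '2024-04-01' -EndDate '2024-04-15' -MergeOutput Yes },
    { Get-DemoWindowStrict -StartDate '2024-04-01' -EndDate '2024-04-15' -MergeOutput Yes }
)
foreach ($call in $calls) {
    try {
        & $call | Out-Null
        "OK   : $call"
    } catch {
        "FAIL : $call"
        "       $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
}
```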

Testing it right now with -MergeOutput and no more error message! :)

Still have that pesky "Out-File: Could not find part of the path .... LogFile.txt" but I'll open a new issue for it eventually. Just need to make sure it's not coming from a wrong manipulation on my end first.

Hmm, interesting. I will keep the issue open so you don't have to create a new one.

Do you still have the Output folder in the root where the script is located? And are you using the default structure where the output is written to the Output directory, or are you using the $OutputDir variable to write the output to a different location?

"$outputDirMerged/UAL-Combined.csv" is equal to .\output\Merged\/<filename>.format on lines #429 , #497, #522 in Get-UALAll.ps1

Hi @SecurityAura, are you still experiencing issues with the Out-File command?

Sorry, I totally forgot to get back to you.

I would have to check to be honest. I don't use MES in scripts, I basically just run the cmdlets I need from the terminal and that's it. I'll do a test by grabbing the UAL of 2 accounts from our test tenant and see if I get the error. I remember taking a screenshot of the error during one of my investigations thinking: I'll look into it later and use it to open an issue but... Work took over and now I can't find it.

Let me get back to you quickly!

Well it didn't take long! From my test laptop:

Terminal launched as Admin
Install MES + Import-Module MES
Install ExchangeOnlineManagement + Import-Module ExchangeOnlineManagement
Connect-M365
Create the D:\Test\Invictus\UAL\UAL-REDACTED_test folder architecture
cd into the Invictus folder
Use the following command:

Get-UALAll -UserIds "REDACTED_test@test.com" -StartDate 4/1/2024 -EndDate 4/26/2024 -MergeOutput -OutputDir "D:\Temp\Invictus\UAL-REDACTED_test\"

Immediately, the output:

PS D:\Temp\Invictus> Get-UALAll -UserIds "REDACTED_test@test.com" -StartDate 4/1/2024 -EndDate 4/26/2024 -MergeOutput -OutputDir "D:\Temp\Invictus\UAL-REDACTED_test\"
[INFO] Running Get-UALAll
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] Setting the Interval to the default value of 720
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] Output set to CSV
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] Custom directory set to: D:\Temp\Invictus\UAL-REDACTED_test\
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] Extracting all available audit logs between 2024-04-01T04:00:00Z and 2024-04-26T04:00:00Z
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] No audit logs between 2024-04-01T04:00:00Z and 2024-04-01T16:00:00Z. Moving on!
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] No audit logs between 2024-04-01T16:00:00Z and 2024-04-02T04:00:00Z. Moving on!
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] No audit logs between 2024-04-02T04:00:00Z and 2024-04-02T16:00:00Z. Moving on!
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.
[INFO] No audit logs between 2024-04-02T16:00:00Z and 2024-04-03T04:00:00Z. Moving on!
Out-File: Could not find a part of the path 'D:\Temp\Invictus\Output\LogFile.txt'.

Thanks @SecurityAura for the details. The script writes LogFile.txt to the Output directory in the root folder where you run the script.

When I use:

C:\Users\Joey-IR\Documents\GitHub\Microsoft-Extractor-Suite> Get-UALAll -StartDate "2024-04-20" -EndDate "2024-04-26" -MergeOutput -OutputDir "C:\Users\Joey-IR\Downloads\testt"

It writes the LogFile in Microsoft-Extractor-Suite\Output because of this line:
$logFile = "Output\LogFile.txt"

I will try to fix this in the next update. I am thinking about one of the following two solutions:

  • Check if the file location exists and create it if it does not. This will prevent the script from throwing an error when the directory is not present.
  • Write the LogFile to the custom Output Dir, although this may require some restructuring. I'm not sure if you would want a LogFile in every custom output directory.

If you have any other suggestions, feel free to let me know.

The easiest is probably the first solution. Usually, I "expect" the needed directories/files to be created by the script/module if they're something that is out of my control, such as logging.

The 2nd solution is interesting however, because it would allow you to basically have a "clean" log file for each execution of a MES cmdlet. So it may be easier to go back to a specific folder/output directory and find out how the execution went and/or if there were any errors.

If it were me I would: go with the 1st solution to get a "quick fix" out. Add the 2nd solution to the "to-do" list for the next let's say, "major" update or rewrite of MES :P

Yes, the output directory is created when importing the module, but if it's deleted afterward, it doesn't check to recreate it. I agree with you and will implement the first option, and perhaps add the second option later. I could even add a parameter allowing you to write the output of the logfile to a specific location.

We just released the update to fix this. Feel free to reopen the issue if it doesn't work as expected.
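
One way to implement the two options discussed above, as an added example that is not the module's released fix: the log directory is created on demand, and an optional parameter lets each collection keep its own log. Write-DemoLog, its -LogFile parameter and the Case01 folder are hypothetical; only the default path Output\LogFile.txt comes from the thread.

```powershell
# Hypothetical logging helper; function and parameter names are assumptions.
function Write-DemoLog {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$LogFile = 'Output\LogFile.txt'   # default path quoted in the thread
    )
    # Resolve a relative path against the current PowerShell location.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($LogFile)
    $logDir = Split-Path -Path $fullPath -Parent

    # Option 1: recreate the directory if it was deleted after module import.
    if (-not (Test-Path -LiteralPath $logDir -PathType Container)) {
        New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    }

    # UTC timestamp so entries line up with the audit log time ranges.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    "$stamp $Message" | Out-File -LiteralPath $fullPath -Append -Encoding utf8
    $fullPath
}

# Constructed demo: start in a fresh directory that has no Output folder.
$work = Join-Path ([IO.Path]::GetTempPath()) ("mes-log-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Push-Location $work
try {
    # Default location, created on first write instead of failing in Out-File.
    Write-DemoLog -Message '[INFO] Running Get-UALAll'
    # Option 2: a per-collection log kept next to that collection's output.
    Write-DemoLog -Message '[INFO] Output set to CSV' -LogFile 'Case01\LogFile.txt'
    Get-ChildItem -Recurse -File | Select-Object -ExpandProperty FullName
} finally {
    Pop-Location
    Remove-Item -LiteralPath $work -Recurse -Force
}
```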