Skip to main content

Hello Everyone, one questions always get asked if it is possible to know “who has touched/restored what and when” to audit for compliance or for any other requirement. For Veeam Backup for Microsoft 365, there is already great information published in the post(s) and blog of Jorge, explaining all in very great detail: https://community.veeam.com/blogs-and-podcasts-57/vb365-restore-audit-the-definitive-guide-2557

Possibly, where you need a quick dump of all restore activities (now!), you may also utilize PowerShell interacting with the RESTAPI of VBM365 and list all restore sessions and their events. And the script below is just an “example” to achieve such. You may play with all properties per your needs and create output as you require, even the modified output could even be used to feed into some other applications. (Currently it is only for v6)

RestoreSession and RestoreSessionEvent is what we need to use mainly. The script finds the restore sessions, and then iterates through each of them to spit out the details of each session with its events (session start, views, restores, … session end)

Sample Powershell Code: https://github.com/bulenttolu/VBM365/blob/main/VBM365v6AuditLogsParsing.ps1

Sample Output: 

  • Org: Which 0365 organization
  • SessionID: Restore Session ID for reference
    • The output could seem to have duplicated rows at first but they are not… I wanted to output all events for a session and each restore session can have multiple events.
  • Initiated by: Who has started
  • Session Name: From which job
  • Type : Which explorer
  • Time
  • Clienthost
  • itemName: Which item has been touched
  • itemtype: Folder, mail, etc
  • Source/target
  • Event: View, Restore, Send, Export, Save, and None (session start, and session end)
  • Message: details about the event
  • Order: the order of events within each restore session

PS: I am not a script guru, but finding my way around 😊 Please let me know if there is any issues.

Hope it helps.

Thanks for sharing. Any script to make an admins life easier is great. Bookmarked this one.


Comment