Audit logs for Google Workspace
This document provides a conceptual overview of the audit logs thatGoogle Workspace provides as a part of Cloud Audit Logs.
For information about managing your Google Workspace audit logs, seeView and manage audit logs for Google Workspace.
Overview
Google Cloud services write audit logs to help you answer the questions, "Whodid what, where, and when?". You can share your Google Workspace auditlogs with Google Cloud to store, analyze, monitor, and alert onyour Google Workspace data.
Audit logs for Google Workspace are available for Cloud Identity,Cloud Identity Premium, and all Google Workspace customers.
If you'veenabled Google Workspace data sharingwith Google Cloud, then audit logs are always enabled forGoogle Workspace.
Disabling Google Workspace data sharing stops new Google Workspaceaudit log events from being sent to Google Cloud. Any existing logs remainthrough theirdefault retention periods, unlessyou have configuredcustom retentionto retain your logs for a longer period.
If you don't enable Google Workspace data sharing with Google Cloud, thenyou can't see audit logs for Google Workspace in Google Cloud.
Note: Some Enterprise Groups Audit membership changes automatically populatetheprincipalEmail field in the audit log withcloud-support@google.com.For example, an audit log might showcloud-support@google.com as theprincipal removing a user from the group, when the removal of the user isautomatic due to the expiration of a user's membership.Types of audit logs
Admin Activity audit logs contain logentries for API calls or other actions that modify the configuration or metadataof resources. For example, these logs record when users create VM instances orchange Identity and Access Management (IAM) permissions.
Data Access audit logs contain API callsthat read the configuration or metadata of resources, as well as user-driven APIcalls that create, modify, or read user-provided resource data. Data Accessaudit logs don't record the data-access operations on resources that arepublicly shared (available to All Users or All Authenticated Users) or that canbe accessed without logging into Google Cloud, Google Workspace,Cloud Identity, or Drive Enterprise account.
Google Workspace services forwarding audit logs to Google Cloud
Google Workspace provides the following audit logs at theGoogle Cloud organization level:
Access Transparency: Access Transparency logs provide a record ofactions when Google personnel access customer content in yourGoogle Workspace resources. In contrast to Access Transparency, Cloud Audit Logsrecord the actions that members of your Google Cloud organization have takenin your Google Cloud resources.
For more information about the structure of Access Transparency logs and the typesof accesses that are logged, seeLog field descriptions.
Google Workspace Admin Audit: Admin Audit logs provide arecord of actions performed in your Google Admin console. For example, youcan see when an administrator added a user or turned on a Google Workspaceservice.
Admin Audit writes Admin Activity audit logs only.
Note: Unless you use the Google Admin console, changes to Group settings arecaptured in the Google Workspace Enterprise Groups Audit logs. When you use theGoogle Admin console, changes to Group settings are captured in theGoogle Workspace Admin Audit logs. For example, if you changed a Group email address ingroups.google.com, then those changes are captured in Google Workspace Enterprise Groups Auditlogs.Google Workspace Enterprise Groups Audit: Enterprise Groups Auditlogs provide a record of actions performed on groups and group memberships.For example, you can see when an administrator added a user or when a groupowner deleted their group.
Enterprise Groups Audit writes Admin Activity audit logs only.
Google Workspace Login Audit: Login Audit logs track usersign-ins to your domain. These logs only record the login event. They don'trecord which system was used to perform the login action.
Login Audit writes Data Access audit logs only.
Google Workspace OAuth Token Audit: OAuth Token Audit logs track whichusers are using whichthird-party mobile or web applications in your domain. For example, when auser opens a Google Workspace Marketplace app, the log records the name ofthe app and the person using it. The log also records each time a third-partyapplication is authorized to access Google Account data, such as GoogleContacts, Calendar, and Drive files (Google Workspace only).
OAuth Token Audit writes both Admin Activity and Data Access audit logs.
Google Workspace SAML Audit: SAML Audit logs trackusers' successful and failed sign-ins to SAML applications. Entries usuallyappear within an hour of the user action.
SAML Audit writes Data Access audit logs only.
Service-specific information
Details for each Google Workspace service's audit logs are as follows:
Google Workspace Admin Audit
Google Workspace Admin Audit audit logs use the resource typeaudited_resource for all audit logs.
Google Workspace Admin Audit audit logs use the service nameadmin.googleapis.com.
Google Workspace Admin Audit writes Admin Activity audit logs only. The followingare the audited operations:
| Activity type | AuditLog.method_name |
|---|---|
| AI_CLASSIFICATION_SETTINGS | google.admin.AdminService.aiClassificationInsufficientTrainingExamplesgoogle.admin.AdminService.aiClassificationModelLowScoregoogle.admin.AdminService.aiClassificationNewModelReady |
| ALERT_CENTER | google.admin.AdminService.alertCenterBatchDeleteAlertsgoogle.admin.AdminService.alertCenterBatchUndeleteAlertsgoogle.admin.AdminService.alertCenterCreateAlertgoogle.admin.AdminService.alertCenterCreateFeedbackgoogle.admin.AdminService.alertCenterDeleteAlertgoogle.admin.AdminService.alertCenterGetAlertMetadatagoogle.admin.AdminService.alertCenterGetCustomerSettingsgoogle.admin.AdminService.alertCenterGetSitLinkgoogle.admin.AdminService.alertCenterListChangegoogle.admin.AdminService.alertCenterListFeedbackgoogle.admin.AdminService.alertCenterListRelatedAlertsgoogle.admin.AdminService.alertCenterUndeleteAlertgoogle.admin.AdminService.alertCenterUpdateAlertgoogle.admin.AdminService.alertCenterUpdateAlertMetadatagoogle.admin.AdminService.alertCenterUpdateCustomerSettingsgoogle.admin.AdminService.alertCenterView |
| APPLICATION_SETTINGS | google.admin.AdminService.changeApplicationSettinggoogle.admin.AdminService.createApplicationSettinggoogle.admin.AdminService.deleteApplicationSettinggoogle.admin.AdminService.reorderGroupBasedPoliciesEventgoogle.admin.AdminService.gplusPremiumFeaturesgoogle.admin.AdminService.createManagedConfigurationgoogle.admin.AdminService.deleteManagedConfigurationgoogle.admin.AdminService.updateManagedConfigurationgoogle.admin.AdminService.flashlightEduNonFeaturedServicesSelected |
| CALENDAR_SETTINGS | google.admin.AdminService.createBuildinggoogle.admin.AdminService.deleteBuildinggoogle.admin.AdminService.updateBuildinggoogle.admin.AdminService.createCalendarResourcegoogle.admin.AdminService.deleteCalendarResourcegoogle.admin.AdminService.createCalendarResourceFeaturegoogle.admin.AdminService.deleteCalendarResourceFeaturegoogle.admin.AdminService.updateCalendarResourceFeaturegoogle.admin.AdminService.renameCalendarResourcegoogle.admin.AdminService.updateCalendarResourcegoogle.admin.AdminService.changeCalendarSettinggoogle.admin.AdminService.cancelCalendarEventsgoogle.admin.AdminService.releaseCalendarResources |
| CHAT_SETTINGS | google.admin.AdminService.meetInteropCreateGatewaygoogle.admin.AdminService.meetInteropDeleteGatewaygoogle.admin.AdminService.meetInteropModifyGatewaygoogle.admin.AdminService.changeChatSetting |
| CHROME_OS_SETTINGS | google.admin.AdminService.changeChromeOsAndroidApplicationSettinggoogle.admin.AdminService.changeChromeOsApplicationSettinggoogle.admin.AdminService.sendChromeOsDeviceCommandgoogle.admin.AdminService.changeChromeOsDeviceAnnotationgoogle.admin.AdminService.changeChromeOsDeviceSettinggoogle.admin.AdminService.changeChromeOsDeviceStategoogle.admin.AdminService.changeChromeOsPublicSessionSettinggoogle.admin.AdminService.insertChromeOsPrintergoogle.admin.AdminService.deleteChromeOsPrintergoogle.admin.AdminService.updateChromeOsPrintergoogle.admin.AdminService.changeChromeOsSettinggoogle.admin.AdminService.changeChromeOsUserSettinggoogle.admin.AdminService.removeChromeOsApplicationSettings |
| CONTACTS_SETTINGS | google.admin.AdminService.changeContactsSetting |
| DELEGATED_ADMIN_SETTINGS | google.admin.AdminService.assignRolegoogle.admin.AdminService.createRolegoogle.admin.AdminService.deleteRolegoogle.admin.AdminService.addPrivilegegoogle.admin.AdminService.removePrivilegegoogle.admin.AdminService.renameRolegoogle.admin.AdminService.updateRolegoogle.admin.AdminService.unassignRole |
| DEVICE_SETTINGS | google.admin.AdminService.deleteDevicegoogle.admin.AdminService.moveDeviceToOrgUnit |
| DOCS_SETTINGS | google.admin.AdminService.transferDocumentOwnershipgoogle.admin.AdminService.driveDataRestoregoogle.admin.AdminService.changeDocsSetting |
| DOMAIN_SETTINGS | google.admin.AdminService.changeAccountAutoRenewalgoogle.admin.AdminService.addApplicationgoogle.admin.AdminService.addApplicationToWhitelistgoogle.admin.AdminService.changeAdvertisementOptiongoogle.admin.AdminService.createAlertgoogle.admin.AdminService.changeAlertCriteriagoogle.admin.AdminService.deleteAlertgoogle.admin.AdminService.alertReceiversChangedgoogle.admin.AdminService.renameAlertgoogle.admin.AdminService.alertStatusChangedgoogle.admin.AdminService.addDomainAliasgoogle.admin.AdminService.removeDomainAliasgoogle.admin.AdminService.skipDomainAliasMxgoogle.admin.AdminService.verifyDomainAliasMxgoogle.admin.AdminService.verifyDomainAliasgoogle.admin.AdminService.toggleOauthAccessToAllApisgoogle.admin.AdminService.toggleAllowAdminPasswordResetgoogle.admin.AdminService.enableApiAccessgoogle.admin.AdminService.authorizeApiClientAccessgoogle.admin.AdminService.removeApiClientAccessgoogle.admin.AdminService.chromeLicensesRedeemedgoogle.admin.AdminService.toggleAutoAddNewServicegoogle.admin.AdminService.changePrimaryDomaingoogle.admin.AdminService.changeWhitelistSettinggoogle.admin.AdminService.communicationPreferencesSettingChangegoogle.admin.AdminService.changeConflictAccountActiongoogle.admin.AdminService.enableFeedbackSolicitationgoogle.admin.AdminService.toggleContactSharinggoogle.admin.AdminService.createPlayForWorkTokengoogle.admin.AdminService.toggleUseCustomLogogoogle.admin.AdminService.changeCustomLogogoogle.admin.AdminService.changeDataLocalizationForRussiagoogle.admin.AdminService.changeDataLocalizationSettinggoogle.admin.AdminService.changeDataProtectionOfficerContactInfogoogle.admin.AdminService.deletePlayForWorkTokengoogle.admin.AdminService.viewDnsLoginDetailsgoogle.admin.AdminService.changeDomainDefaultLocalegoogle.admin.AdminService.changeDomainDefaultTimezonegoogle.admin.AdminService.changeDomainNamegoogle.admin.AdminService.toggleEnablePreReleaseFeaturesgoogle.admin.AdminService.changeDomainSupportMessagegoogle.admin.AdminService.addTrustedDomainsgoogle.admin.AdminService.removeTrustedDomainsgoogle.admin.AdminService.changeEduTypegoogle.admin.AdminService.toggleEnableOauthConsumerKeygoogle.admin.AdminService.toggleSsoEnabledgoogle.admin.AdminService.toggleSslgoogle.admin.AdminService.changeEuRepresentativeContactInfogoogle.admin.AdminService.generateTransferTokengoogle.admin.AdminService.changeLoginBackgroundColorgoogle.admin.AdminService.changeLoginBorderColorgoogle.admin.AdminService.changeLoginActivityTracegoogle.admin.AdminService.playForWorkEnrollgoogle.admin.AdminService.playForWorkUnenrollgoogle.admin.AdminService.mxRecordVerificationClaimgoogle.admin.AdminService.toggleNewAppFeaturesgoogle.admin.AdminService.toggleUseNextGenControlPanelgoogle.admin.AdminService.uploadOauthCertificategoogle.admin.AdminService.regenerateOauthConsumerSecretgoogle.admin.AdminService.toggleOpenIdEnabledgoogle.admin.AdminService.changeOrganizationNamegoogle.admin.AdminService.toggleOutboundRelaygoogle.admin.AdminService.changePasswordMaxLengthgoogle.admin.AdminService.changePasswordMinLengthgoogle.admin.AdminService.updateDomainPrimaryAdminEmailgoogle.admin.AdminService.enableServiceOrFeatureNotificationsgoogle.admin.AdminService.removeApplicationgoogle.admin.AdminService.removeApplicationFromWhitelistgoogle.admin.AdminService.changeRenewDomainRegistrationgoogle.admin.AdminService.changeResellerAccessgoogle.admin.AdminService.ruleActionsChangedgoogle.admin.AdminService.createRulegoogle.admin.AdminService.changeRuleCriteriagoogle.admin.AdminService.deleteRulegoogle.admin.AdminService.renameRulegoogle.admin.AdminService.ruleStatusChangedgoogle.admin.AdminService.addSecondaryDomaingoogle.admin.AdminService.removeSecondaryDomaingoogle.admin.AdminService.skipSecondaryDomainMxgoogle.admin.AdminService.verifySecondaryDomainMxgoogle.admin.AdminService.verifySecondaryDomaingoogle.admin.AdminService.updateDomainSecondaryEmailgoogle.admin.AdminService.changeSsoSettingsgoogle.admin.AdminService.generatePingoogle.admin.AdminService.updateRule |
| EMAIL_SETTINGS | google.admin.AdminService.dropFromQuarantinegoogle.admin.AdminService.emailLogSearchgoogle.admin.AdminService.emailUndeletegoogle.admin.AdminService.changeEmailSettinggoogle.admin.AdminService.changeGmailSettinggoogle.admin.AdminService.createGmailSettinggoogle.admin.AdminService.deleteGmailSettinggoogle.admin.AdminService.rejectFromQuarantinegoogle.admin.AdminService.releaseFromQuarantine |
| GROUP_SETTINGS | google.admin.AdminService.createGroupgoogle.admin.AdminService.deleteGroupgoogle.admin.AdminService.changeGroupDescriptiongoogle.admin.AdminService.groupListDownloadgoogle.admin.AdminService.addGroupMembergoogle.admin.AdminService.removeGroupMembergoogle.admin.AdminService.updateGroupMembergoogle.admin.AdminService.updateGroupMemberDeliverySettingsgoogle.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverridegoogle.admin.AdminService.groupMemberBulkUploadgoogle.admin.AdminService.groupMembersDownloadgoogle.admin.AdminService.changeGroupEmailgoogle.admin.AdminService.changeGroupNamegoogle.admin.AdminService.changeGroupSettinggoogle.admin.AdminService.whitelistedGroupsUpdated |
| LABELS | google.admin.AdminService.labelDeletedgoogle.admin.AdminService.labelDisabledgoogle.admin.AdminService.labelReenabledgoogle.admin.AdminService.labelPermissionUpdatedgoogle.admin.AdminService.labelPermissionDeletedgoogle.admin.AdminService.labelPublishedgoogle.admin.AdminService.labelCreatedgoogle.admin.AdminService.labelUpdated |
| LICENSES_SETTINGS | google.admin.AdminService.orgUsersLicenseAssignmentgoogle.admin.AdminService.orgAllUsersLicenseAssignmentgoogle.admin.AdminService.userLicenseAssignmentgoogle.admin.AdminService.changeLicenseAutoAssigngoogle.admin.AdminService.userLicenseReassignmentgoogle.admin.AdminService.orgLicenseRevokegoogle.admin.AdminService.userLicenseRevokegoogle.admin.AdminService.updateDynamicLicensegoogle.admin.AdminService.licenseUsageUpdate |
| MOBILE_SETTINGS | google.admin.AdminService.actionCancelledgoogle.admin.AdminService.actionRequestedgoogle.admin.AdminService.addMobileCertificategoogle.admin.AdminService.companyDevicesBulkCreationgoogle.admin.AdminService.companyOwnedDeviceBlockedgoogle.admin.AdminService.companyDeviceDeletiongoogle.admin.AdminService.companyOwnedDeviceUnblockedgoogle.admin.AdminService.companyOwnedDeviceWipedgoogle.admin.AdminService.changeMobileApplicationPermissionGrantgoogle.admin.AdminService.changeMobileApplicationPriorityOrdergoogle.admin.AdminService.removeMobileApplicationFromWhitelistgoogle.admin.AdminService.changeMobileApplicationSettingsgoogle.admin.AdminService.addMobileApplicationToWhitelistgoogle.admin.AdminService.mobileDeviceApprovegoogle.admin.AdminService.mobileDeviceBlockgoogle.admin.AdminService.mobileDeviceDeletegoogle.admin.AdminService.mobileDeviceWipegoogle.admin.AdminService.changeMobileSettinggoogle.admin.AdminService.changeAdminRestrictionsPingoogle.admin.AdminService.changeMobileWirelessNetworkgoogle.admin.AdminService.addMobileWirelessNetworkgoogle.admin.AdminService.removeMobileWirelessNetworkgoogle.admin.AdminService.changeMobileWirelessNetworkPasswordgoogle.admin.AdminService.removeMobileCertificategoogle.admin.AdminService.enrollForGoogleDeviceManagementgoogle.admin.AdminService.useGoogleMobileManagementgoogle.admin.AdminService.useGoogleMobileManagementForNonIosgoogle.admin.AdminService.useGoogleMobileManagementForIosgoogle.admin.AdminService.mobileAccountWipegoogle.admin.AdminService.mobileDeviceCancelWipeThenApprovegoogle.admin.AdminService.mobileDeviceCancelWipeThenBlock |
| ORG_SETTINGS | google.admin.AdminService.chromeLicensesEnabledgoogle.admin.AdminService.chromeApplicationLicenseReservationCreatedgoogle.admin.AdminService.chromeApplicationLicenseReservationDeletedgoogle.admin.AdminService.chromeApplicationLicenseReservationUpdatedgoogle.admin.AdminService.assignCustomLogogoogle.admin.AdminService.unassignCustomLogogoogle.admin.AdminService.createEnrollmentTokengoogle.admin.AdminService.revokeEnrollmentTokengoogle.admin.AdminService.chromeLicensesAllowedgoogle.admin.AdminService.createOrgUnitgoogle.admin.AdminService.removeOrgUnitgoogle.admin.AdminService.editOrgUnitDescriptiongoogle.admin.AdminService.moveOrgUnitgoogle.admin.AdminService.editOrgUnitNamegoogle.admin.AdminService.toggleServiceEnabled |
| SECURITY_INVESTIGATION | google.admin.AdminService.securityInvestigationActiongoogle.admin.AdminService.securityInvestigationActionCancellationgoogle.admin.AdminService.securityInvestigationActionCompletiongoogle.admin.AdminService.securityInvestigationActionRetrygoogle.admin.AdminService.securityInvestigationActionVerificationConfirmationgoogle.admin.AdminService.securityInvestigationActionVerificationRequestgoogle.admin.AdminService.securityInvestigationActionVerificationRequestExpirationgoogle.admin.AdminService.securityInvestigationChartCreategoogle.admin.AdminService.securityInvestigationContentAccessgoogle.admin.AdminService.securityInvestigationDownloadAttachmentgoogle.admin.AdminService.securityInvestigationExportActionResultsgoogle.admin.AdminService.securityInvestigationExportQuerygoogle.admin.AdminService.securityInvestigationObjectCreateDraftInvestigationgoogle.admin.AdminService.securityInvestigationObjectDeleteInvestigationgoogle.admin.AdminService.securityInvestigationObjectDuplicateInvestigationgoogle.admin.AdminService.securityInvestigationObjectOwnershipTransfergoogle.admin.AdminService.securityInvestigationObjectSaveInvestigationgoogle.admin.AdminService.securityInvestigationObjectUpdateDirectSharinggoogle.admin.AdminService.securityInvestigationObjectUpdateLinkSharinggoogle.admin.AdminService.securityInvestigationQuerygoogle.admin.AdminService.securityInvestigationSettingUpdate |
| SECURITY_SETTINGS | google.admin.AdminService.addToTrustedOauth2Appsgoogle.admin.AdminService.allowAspWithout2Svgoogle.admin.AdminService.allowServiceForOauth2Accessgoogle.admin.AdminService.allowStrongAuthenticationgoogle.admin.AdminService.blockOnDeviceAccessgoogle.admin.AdminService.changeAllowedTwoStepVerificationMethodsgoogle.admin.AdminService.changeAppAccessSettingsCollectionIdgoogle.admin.AdminService.changeCaaAppAssignmentsgoogle.admin.AdminService.changeCaaDefaultAssignmentsgoogle.admin.AdminService.changeCaaErrorMessagegoogle.admin.AdminService.changeSessionLengthgoogle.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDurationgoogle.admin.AdminService.changeTwoStepVerificationFrequencygoogle.admin.AdminService.changeTwoStepVerificationGracePeriodDurationgoogle.admin.AdminService.changeTwoStepVerificationStartDategoogle.admin.AdminService.disallowServiceForOauth2Accessgoogle.admin.AdminService.enableNonAdminUserPasswordRecoverygoogle.admin.AdminService.enforceStrongAuthenticationgoogle.admin.AdminService.removeFromTrustedOauth2Appsgoogle.admin.AdminService.sessionControlSettingsChangegoogle.admin.AdminService.toggleCaaEnablementgoogle.admin.AdminService.trustDomainOwnedOauth2Appsgoogle.admin.AdminService.unblockOnDeviceAccessgoogle.admin.AdminService.untrustDomainOwnedOauth2Appsgoogle.admin.AdminService.updateErrorMsgForRestrictedOauth2Appsgoogle.admin.AdminService.weakProgrammaticLoginSettingsChanged |
| SITES_SETTINGS | google.admin.AdminService.addWebAddressgoogle.admin.AdminService.deleteWebAddressgoogle.admin.AdminService.changeSitesSettinggoogle.admin.AdminService.changeSitesWebAddressMappingUpdatesgoogle.admin.AdminService.viewSiteDetails |
| USER_SETTINGS | google.admin.AdminService.delete2SvScratchCodesgoogle.admin.AdminService.generate2SvScratchCodesgoogle.admin.AdminService.revoke3LoDeviceTokensgoogle.admin.AdminService.revoke3LoTokengoogle.admin.AdminService.addRecoveryEmailgoogle.admin.AdminService.addRecoveryPhonegoogle.admin.AdminService.grantAdminPrivilegegoogle.admin.AdminService.revokeAdminPrivilegegoogle.admin.AdminService.revokeAspgoogle.admin.AdminService.toggleAutomaticContactSharinggoogle.admin.AdminService.bulkUploadgoogle.admin.AdminService.bulkUploadNotificationSentgoogle.admin.AdminService.cancelUserInvitegoogle.admin.AdminService.changeUserCustomFieldgoogle.admin.AdminService.changeUserExternalIdgoogle.admin.AdminService.changeUserGendergoogle.admin.AdminService.changeUserImgoogle.admin.AdminService.enableUserIpWhitelistgoogle.admin.AdminService.changeUserKeywordgoogle.admin.AdminService.changeUserLanguagegoogle.admin.AdminService.changeUserLocationgoogle.admin.AdminService.changeUserOrganizationgoogle.admin.AdminService.changeUserPhoneNumbergoogle.admin.AdminService.changeRecoveryEmailgoogle.admin.AdminService.changeRecoveryPhonegoogle.admin.AdminService.changeUserRelationgoogle.admin.AdminService.changeUserAddressgoogle.admin.AdminService.createEmailMonitorgoogle.admin.AdminService.createDataTransferRequestgoogle.admin.AdminService.grantDelegatedAdminPrivilegesgoogle.admin.AdminService.deleteAccountInfoDumpgoogle.admin.AdminService.deleteEmailMonitorgoogle.admin.AdminService.deleteMailboxDumpgoogle.admin.AdminService.changeFirstNamegoogle.admin.AdminService.gmailResetUsergoogle.admin.AdminService.changeLastNamegoogle.admin.AdminService.mailRoutingDestinationAddedgoogle.admin.AdminService.mailRoutingDestinationRemovedgoogle.admin.AdminService.addNicknamegoogle.admin.AdminService.removeNicknamegoogle.admin.AdminService.changePasswordgoogle.admin.AdminService.changePasswordOnNextLogingoogle.admin.AdminService.downloadPendingInvitesListgoogle.admin.AdminService.removeRecoveryEmailgoogle.admin.AdminService.removeRecoveryPhonegoogle.admin.AdminService.requestAccountInfogoogle.admin.AdminService.requestMailboxDumpgoogle.admin.AdminService.resendUserInvitegoogle.admin.AdminService.resetSigninCookiesgoogle.admin.AdminService.securityKeyRegisteredForUsergoogle.admin.AdminService.revokeSecurityKeygoogle.admin.AdminService.userInvitegoogle.admin.AdminService.viewTempPasswordgoogle.admin.AdminService.turnOff2StepVerificationgoogle.admin.AdminService.unblockUserSessiongoogle.admin.AdminService.unenrollUserFromTitaniumgoogle.admin.AdminService.archiveUsergoogle.admin.AdminService.updateBirthdategoogle.admin.AdminService.createUsergoogle.admin.AdminService.deleteUsergoogle.admin.AdminService.downgradeUserFromGplusgoogle.admin.AdminService.userEnrolledInTwoStepVerificationgoogle.admin.AdminService.downloadUserlistCsvgoogle.admin.AdminService.moveUserToOrgUnitgoogle.admin.AdminService.userPutInTwoStepVerificationGracePeriodgoogle.admin.AdminService.renameUsergoogle.admin.AdminService.unenrollUserFromStrongAuthgoogle.admin.AdminService.suspendUsergoogle.admin.AdminService.unarchiveUsergoogle.admin.AdminService.undeleteUsergoogle.admin.AdminService.unsuspendUsergoogle.admin.AdminService.upgradeUserToGplusgoogle.admin.AdminService.usersBulkUploadgoogle.admin.AdminService.usersBulkUploadNotificationSent |
Google Workspace Enterprise Groups Audit
Google Workspace Enterprise Groups Audit audit logs use the resource typeaudited_resource forall audit logs.
Google Workspace Enterprise Groups Audit audit logs use the service namecloudidentity.googleapis.com.
Google Workspace Enterprise Groups Audit writes Admin Activity audit logs only. The following arethe audited operations:
Audit logs category | AuditLog.method_name |
|---|---|
| Admin Activity audit logs | google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroupgoogle.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership |
Google Workspace Login Audit
All Google Workspace Login Audit audit logs use the resource typeaudited_resource.
Google Workspace Login Audit audit logs use the service namelogin.googleapis.com.
Google Workspace Login Audit writes Data Access audit logs only. The following are theaudited operations;log samples foreach operation are available.
| Audit logs category | AuditLog.method_name |
|---|---|
| Data Access audit logs | google.login.LoginService.2svDisablegoogle.login.LoginService.2svEnrollgoogle.login.LoginService.accountDisabledPasswordLeakgoogle.login.LoginService.accountDisabledGenericgoogle.login.LoginService.accountDisabledSpammingThroughRelaygoogle.login.LoginService.accountDisabledSpamminggoogle.login.LoginService.accountDisabledHijackedgoogle.login.LoginService.emailForwardingOutOfDomaingoogle.login.LoginService.govAttackWarninggoogle.login.LoginService.loginChallengegoogle.login.LoginService.loginFailuregoogle.login.LoginService.loginVerificationgoogle.login.LoginService.logoutgoogle.login.LoginService.loginSuccessgoogle.login.LoginService.passkeyEnrolledgoogle.login.LoginService.passkeyRemovedgoogle.login.LoginService.passwordEditgoogle.login.LoginService.recoveryEmailEditgoogle.login.LoginService.recoveryPhoneEditgoogle.login.LoginService.recoverySecretQaEditgoogle.login.LoginService.riskySensitiveActionAllowedgoogle.login.LoginService.riskySensitiveActionBlockedgoogle.login.LoginService.suspiciousLogingoogle.login.LoginService.suspiciousLoginLessSecureAppgoogle.login.LoginService.suspiciousProgrammaticLogingoogle.login.LoginService.titaniumEnrollgoogle.login.LoginService.titaniumUnenroll |
Google Workspace OAuth Token Audit
Google Workspace OAuth Token Audit audit logs use the resource typeaudited_resource forall audit logs.
Google Workspace OAuth Token Audit audit logs use the service nameoauth2.googleapis.com.
Google Workspace OAuth Token Audit writes both Admin Activity and Data Access audit logs. Thefollowing are the audited operations:
Audit logs category | AuditLog.method_name |
|---|---|
| Admin Activity audit logs | google.identity.oauth2.Denygoogle.identity.oauth2.GetTokengoogle.identity.oauth2.Requestgoogle.identity.oauth2.RevokeToken |
| Data Access audit logs | google.identity.oauth2.GetTokenInfo |
Google Workspace SAML Audit
Google Workspace SAML Audit audit logs use the resource typeaudited_resource forall audit logs.
Google Workspace SAML Audit audit logs use the service namelogin.googleapis.com.
Google Workspace SAML Audit writes Data Access audit logs only. The following are theaudited operations:
Audit logs category | AuditLog.method_name |
|---|---|
| Data Access audit logs | google.apps.login.v1.SamlLoginFailed |
google.apps.login.v1.SamlLoginSucceeded |
Audit log permissions
IAM permissions and roles determine your ability to access auditlogs data in theLogging API, theLogs Explorer, and theGoogle Cloud CLI.
For detailed information about the organization-level IAMpermissions and roles you might need, see theAccess control with IAM.
Audit log format
Google Workspace audit log entries include the following objects:
The log entry itself, which is an object of type
LogEntry.When examining audit logging data, you might find the followinguseful:logNamecontains the organization ID and audit log type.resourcecontains the target of the audited operation.timeStampcontains the time of the audited operation.protoPayloadcontains the Google Workspace audit log in itsmetadatafield.
TheprotoPayload.metadata field holds the audited Google Workspaceinformation. The following is an example of a Login Audit log:
{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"test-user@example.net"},"requestMetadata":{"callerIp":"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff","requestAttributes":{},"destinationAttributes":{}},"serviceName":"login.googleapis.com","methodName":"google.login.LoginService.loginFailure","resourceName":"organizations/123","metadata":{"event":[{"eventName":"login_failure","eventType":"login","parameter":[{"value":"google_password","type":"TYPE_STRING","name":"login_type",},{"name":"login_challenge_method","type":"TYPE_STRING","label":"LABEL_REPEATED","multiStrValue":["password","idv_preregistered_phone","idv_preregistered_phone"]},]}],"activityId":{"uniqQualifier":"358068855354","timeUsec":"1632500217183212"},"@type":"type.googleapis.com/ccc_hosted_reporting.ActivityProto"}},"insertId":"-nahbepd4l1x","resource":{"type":"audited_resource","labels":{"method":"google.login.LoginService.loginFailure","service":"login.googleapis.com"}},"timestamp":"2021-09-24T16:16:57.183212Z","severity":"NOTICE","logName":"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access","receiveTimestamp":"2021-09-24T17:51:25.034361197Z"}
For information about service-specific audit logging fields, and how tointerpret them, select from the services listed inAvailable audit logs.
View logs
For information on viewing your Google Workspace audit logs, seeView and manage audit logs for Google Workspace.
Route audit logs
You can route Google Workspace audit logs from Cloud Logging tosupported destinations, including other Logging buckets.
Here are some applications for routing audit logs:
To use more powerful search capabilities, you can route copies of youraudit logs to Cloud Storage, BigQuery, or Pub/Sub.Using Pub/Sub, you can route to other applications, otherrepositories, and to third parties.
To manage your audit logs across an entire organization, you can createaggregated sinks that combine androute logs from all the Google Cloud projects, billing accounts, andfolders contained by your organization. For instance, you might aggregateand route audit log entries from an organization's folders to aCloud Storage bucket.
For instructions on routing logs, seeRoute logs to supported destinations.
Regionalization
You can't choose a region where your Google Workspace logs are stored.Google Workspace logs aren't covered by theGoogle Workspace Data Region Policy.
Retention periods
The following retention periods apply to your audit logs data:
For each organization, Cloud Logging automatically stores logs in twobuckets: a_Default bucket and a_Required bucket. The_Required bucketholds Admin Activity audit logs, System Event audit logs, andAccess Transparency logs.The_Default bucket holds all other log entries that aren't stored in the_Required bucket. For more information on Logging buckets, seeRouting and storage overview.
You can configure Cloud Logging to retain the logs in the_Default logsbucket for a period ranging from 1 day to3650 days.
To update the retention period for the_Default logs bucket, seeCustom retention.
You can't change the retention period on the_Required bucket.
Quotas and limits
The same quotas apply to audit logs for Google Workspace andCloud Audit Logs.
For details about these usage limits, including the maximumsizes of audit logs, seeQuotas and limits.
Pricing
For pricing information, seeGoogle Cloud Observability pricing.
What's next
- Learn how toconfigure and manage Google Workspace audit logs.
- Reviewbest practices forCloud Audit Logs.
- Learn how toview and understand Access Transparency logs for Google Workspace.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.