Audit logs for Google Workspace  |  Cloud Logging  |  Google Cloud (2024)

This document provides a conceptual overview of the audit logs thatGoogle Workspace provides as a part of Cloud Audit Logs.

For information about managing your Google Workspace audit logs, seeView and manage audit logs for Google Workspace.

Overview

Google Cloud services write audit logs to help you answer the questions, "Whodid what, where, and when?". You can share your Google Workspace auditlogs with Google Cloud to store, analyze, monitor, and alert onyour Google Workspace data.

Audit logs for Google Workspace are available for Cloud Identity,Cloud Identity Premium, and all Google Workspace customers.

If you'veenabled Google Workspace data sharingwith Google Cloud, then audit logs are always enabled forGoogle Workspace.

Disabling Google Workspace data sharing stops new Google Workspaceaudit log events from being sent to Google Cloud. Any existing logs remainthrough theirdefault retention periods, unlessyou have configured custom retentionto retain your logs for a longer period.

If you don't enable Google Workspace data sharing with Google Cloud, thenyou can't see audit logs for Google Workspace in Google Cloud.

Types of audit logs

Admin Activity audit logs contain logentries for API calls or other actions that modify the configuration or metadataof resources. For example, these logs record when users create VM instances orchange Identity and Access Management (IAM) permissions.

Data Access audit logs contain API callsthat read the configuration or metadata of resources, as well as user-driven APIcalls that create, modify, or read user-provided resource data. Data Accessaudit logs don't record the data-access operations on resources that arepublicly shared (available to All Users or All Authenticated Users) or that canbe accessed without logging into Google Cloud, Google Workspace,Cloud Identity, or Drive Enterprise account.

Google Workspace services forwarding audit logs to Google Cloud

Google Workspace provides the following audit logs at theGoogle Cloud organization level:

• Google Workspace Admin Audit: Admin Audit logs provide arecord of actions performed in your Google Admin console. For example, youcan see when an administrator added a user or turned on a Google Workspaceservice. Admin Audit writes Admin Activity audit logs only.

• Google Workspace Enterprise Groups Audit: Enterprise Groups Auditlogs provide a record of actions performed on groups and group memberships.For example, you can see when an administrator added a user or when a groupowner deleted their group.

  Enterprise Groups Audit writes Admin Activity audit logs only.

• Google Workspace Login Audit: Login Audit logs track usersign-ins to your domain. These logs only record the login event. They don'trecord which system was used to perform the login action.

  Login Audit writes Data Access audit logs only.

• Google Workspace OAuth Token Audit: OAuth Token Audit logs track whichusers are using whichthird-party mobile or web applications in your domain. For example, when auser opens a Google Workspace Marketplace app, the log records the name ofthe app and the person using it. The log also records each time a third-partyapplication is authorized to access Google Account data, such as GoogleContacts, Calendar, and Drive files (Google Workspace only).

  OAuth Token Audit writes both Admin Activity and Data Access audit logs.

• Google Workspace SAML Audit: SAML Audit logs trackusers' successful and failed sign-ins to SAML applications. Entries usuallyappear within an hour of the user action.

  SAML Audit writes Data Access audit logs only.

  See Also

  How to Detect Who Was Accessing Shared Mailbox in Office 365Monitor Mailbox Folder Permission Changes in Exchange OnlineMicrosoft 365 management, reporting, and auditing - ManageEngine M365 Manager PlusWhat is an Audit Trail? - Types, Purpose, & Importance | Tipalti

Service-specific information

Details for each Google Workspace service's audit logs are as follows:

Audit log permissions

IAM permissions and roles determine your ability to access auditlogs data in the Logging API, theLogs Explorer, and theGoogle Cloud CLI.

For detailed information about the organization-level IAMpermissions and roles you might need, see theAccess control with IAM.

Audit log format

Google Workspace audit log entries include the following objects:

• The log entry itself, which is an object of type LogEntry.When examining audit logging data, you might find the followinguseful:

  • logName contains the organization ID and audit log type.
  • resource contains the target of the audited operation.
  • timeStamp contains the time of the audited operation.
  • protoPayload contains the Google Workspace audit log in itsmetadata field.

The protoPayload.metadata field holds the audited Google Workspaceinformation. The following is an example of a Login Audit log:

{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.net" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { "value": "google_password", "type": "TYPE_STRING", "name": "login_type", }, { "name": "login_challenge_method", "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" ] }, ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632500217183212" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nahbepd4l1x", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:16:57.183212Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:25.034361197Z"}

For information about service-specific audit logging fields, and how tointerpret them, select from the services listed inAvailable audit logs.

View logs

For information on viewing your Google Workspace audit logs, seeView and manage audit logs for Google Workspace.

Route audit logs

You can route Google Workspace audit logs from Cloud Logging tosupported destinations, including other Logging buckets.

Here are some applications for routing audit logs:

• To use more powerful search capabilities, you can route copies of youraudit logs to Cloud Storage, BigQuery, or Pub/Sub.Using Pub/Sub, you can route to other applications, otherrepositories, and to third parties.

• To manage your audit logs across an entire organization, you can createaggregated sinks that combine androute logs from all the Google Cloud projects, billing accounts, andfolders contained by your organization. For instance, you might aggregateand route audit log entries from an organization's folders to aCloud Storage bucket.

For instructions on routing logs, seeRoute logs to supported destinations.

Regionalization

You can't choose a region where your Google Workspace logs are stored.Google Workspace logs aren't covered by theGoogle Workspace Data Region Policy.

Retention periods

The following retention periods apply to your audit logs data:

• Data retention policy in Google Workspace.

• Data retention policy in Google Cloud Cloud Logging.

For each organization, Cloud Logging automatically stores logs in twobuckets: a _Default bucket and a _Required bucket. The _Required bucketholds Admin Activity audit logs, System Event audit logs, and Access Transparency logs.The _Default bucket holds all other log entries that aren't stored in the_Required bucket. For more information on Logging buckets, seeRouting and storage overview.

You can configure Cloud Logging to retain the logs in the _Default logsbucket for a period ranging from 1 day to3650 days.

To update the retention period for the _Default logs bucket, seeCustom retention.

You can't change the retention period on the _Required bucket.

Quotas and limits

The same quotas apply to audit logs for Google Workspace andCloud Audit Logs.

For details about these usage limits, including the maximumsizes of audit logs, see Quotas and limits.

Pricing

Google Workspace's organization-level logs are free.

What's next

• Learn how toconfigure and manage Google Workspace audit logs.
• Review best practices forCloud Audit Logs.
• Learn how to view and understand Access Transparency logs for Google Workspace.