This document provides a conceptual overview of the audit logs thatGoogle Workspace provides as a part of Cloud Audit Logs.
For information about managing your Google Workspace audit logs, seeView and manage audit logs for Google Workspace.
Overview
Google Cloud services write audit logs to help you answer the questions, "Whodid what, where, and when?". You can share your Google Workspace auditlogs with Google Cloud to store, analyze, monitor, and alert onyour Google Workspace data.
Audit logs for Google Workspace are available for Cloud Identity,Cloud Identity Premium, and all Google Workspace customers.
If you'veenabled Google Workspace data sharingwith Google Cloud, then audit logs are always enabled forGoogle Workspace.
Disabling Google Workspace data sharing stops new Google Workspaceaudit log events from being sent to Google Cloud. Any existing logs remainthrough theirdefault retention periods, unlessyou have configured custom retentionto retain your logs for a longer period.
If you don't enable Google Workspace data sharing with Google Cloud, thenyou can't see audit logs for Google Workspace in Google Cloud.
Types of audit logs
Admin Activity audit logs contain logentries for API calls or other actions that modify the configuration or metadataof resources. For example, these logs record when users create VM instances orchange Identity and Access Management (IAM) permissions.
Data Access audit logs contain API callsthat read the configuration or metadata of resources, as well as user-driven APIcalls that create, modify, or read user-provided resource data. Data Accessaudit logs don't record the data-access operations on resources that arepublicly shared (available to All Users or All Authenticated Users) or that canbe accessed without logging into Google Cloud, Google Workspace,Cloud Identity, or Drive Enterprise account.
Google Workspace services forwarding audit logs to Google Cloud
Google Workspace provides the following audit logs at theGoogle Cloud organization level:
Google Workspace Admin Audit: Admin Audit logs provide arecord of actions performed in your Google Admin console. For example, youcan see when an administrator added a user or turned on a Google Workspaceservice. Admin Audit writes Admin Activity audit logs only.
Google Workspace Enterprise Groups Audit: Enterprise Groups Auditlogs provide a record of actions performed on groups and group memberships.For example, you can see when an administrator added a user or when a groupowner deleted their group.
Enterprise Groups Audit writes Admin Activity audit logs only.
Google Workspace Login Audit: Login Audit logs track usersign-ins to your domain. These logs only record the login event. They don'trecord which system was used to perform the login action.
Login Audit writes Data Access audit logs only.
Google Workspace OAuth Token Audit: OAuth Token Audit logs track whichusers are using whichthird-party mobile or web applications in your domain. For example, when auser opens a Google Workspace Marketplace app, the log records the name ofthe app and the person using it. The log also records each time a third-partyapplication is authorized to access Google Account data, such as GoogleContacts, Calendar, and Drive files (Google Workspace only).
OAuth Token Audit writes both Admin Activity and Data Access audit logs.
Google Workspace SAML Audit: SAML Audit logs trackusers' successful and failed sign-ins to SAML applications. Entries usuallyappear within an hour of the user action.
SAML Audit writes Data Access audit logs only.
Service-specific information
Details for each Google Workspace service's audit logs are as follows:
Google Workspace Admin Activities
Google Workspace Admin Audit audit logs use the resource typeaudited_resource
for all audit logs.
Google Workspace Admin Audit audit logs use the service nameadmin.googleapis.com
.
Google Workspace Admin Audit writes Admin Activity audit logs only. The followingare the audited operations:
Activity type | AuditLog.method_name |
---|---|
AI_CLASSIFICATION_SETTINGS | google.admin.AdminService.aiClassificationInsufficientTrainingExamples google.admin.AdminService.aiClassificationModelLowScore google.admin.AdminService.aiClassificationNewModelReady |
ALERT_CENTER | google.admin.AdminService.alertCenterBatchDeleteAlerts google.admin.AdminService.alertCenterBatchUndeleteAlerts google.admin.AdminService.alertCenterCreateAlert google.admin.AdminService.alertCenterCreateFeedback google.admin.AdminService.alertCenterDeleteAlert google.admin.AdminService.alertCenterGetAlertMetadata google.admin.AdminService.alertCenterGetCustomerSettings google.admin.AdminService.alertCenterGetSitLink google.admin.AdminService.alertCenterListChange google.admin.AdminService.alertCenterListFeedback google.admin.AdminService.alertCenterListRelatedAlerts google.admin.AdminService.alertCenterUndeleteAlert google.admin.AdminService.alertCenterUpdateAlert google.admin.AdminService.alertCenterUpdateAlertMetadata google.admin.AdminService.alertCenterUpdateCustomerSettings google.admin.AdminService.alertCenterView |
APPLICATION_SETTINGS | google.admin.AdminService.changeApplicationSetting google.admin.AdminService.createApplicationSetting google.admin.AdminService.deleteApplicationSetting google.admin.AdminService.reorderGroupBasedPoliciesEvent google.admin.AdminService.gplusPremiumFeatures google.admin.AdminService.createManagedConfiguration google.admin.AdminService.deleteManagedConfiguration google.admin.AdminService.updateManagedConfiguration google.admin.AdminService.flashlightEduNonFeaturedServicesSelected |
CALENDAR_SETTINGS | google.admin.AdminService.createBuilding google.admin.AdminService.deleteBuilding google.admin.AdminService.updateBuilding google.admin.AdminService.createCalendarResource google.admin.AdminService.deleteCalendarResource google.admin.AdminService.createCalendarResourceFeature google.admin.AdminService.deleteCalendarResourceFeature google.admin.AdminService.updateCalendarResourceFeature google.admin.AdminService.renameCalendarResource google.admin.AdminService.updateCalendarResource google.admin.AdminService.changeCalendarSetting google.admin.AdminService.cancelCalendarEvents google.admin.AdminService.releaseCalendarResources |
CHAT_SETTINGS | google.admin.AdminService.meetInteropCreateGateway google.admin.AdminService.meetInteropDeleteGateway google.admin.AdminService.meetInteropModifyGateway google.admin.AdminService.changeChatSetting |
CHROME_OS_SETTINGS | google.admin.AdminService.changeChromeOsAndroidApplicationSetting google.admin.AdminService.changeChromeOsApplicationSetting google.admin.AdminService.sendChromeOsDeviceCommand google.admin.AdminService.changeChromeOsDeviceAnnotation google.admin.AdminService.changeChromeOsDeviceSetting google.admin.AdminService.changeChromeOsDeviceState google.admin.AdminService.changeChromeOsPublicSessionSetting google.admin.AdminService.insertChromeOsPrinter google.admin.AdminService.deleteChromeOsPrinter google.admin.AdminService.updateChromeOsPrinter google.admin.AdminService.changeChromeOsSetting google.admin.AdminService.changeChromeOsUserSetting google.admin.AdminService.removeChromeOsApplicationSettings |
CONTACTS_SETTINGS | google.admin.AdminService.changeContactsSetting |
DELEGATED_ADMIN_SETTINGS | google.admin.AdminService.assignRole google.admin.AdminService.createRole google.admin.AdminService.deleteRole google.admin.AdminService.addPrivilege google.admin.AdminService.removePrivilege google.admin.AdminService.renameRole google.admin.AdminService.updateRole google.admin.AdminService.unassignRole |
DEVICE_SETTINGS | google.admin.AdminService.deleteDevice google.admin.AdminService.moveDeviceToOrgUnit |
DOCS_SETTINGS | google.admin.AdminService.transferDocumentOwnership google.admin.AdminService.driveDataRestore google.admin.AdminService.changeDocsSetting |
DOMAIN_SETTINGS | google.admin.AdminService.changeAccountAutoRenewal google.admin.AdminService.addApplication google.admin.AdminService.addApplicationToWhitelist google.admin.AdminService.changeAdvertisem*ntOption google.admin.AdminService.createAlert google.admin.AdminService.changeAlertCriteria google.admin.AdminService.deleteAlert google.admin.AdminService.alertReceiversChanged google.admin.AdminService.renameAlert google.admin.AdminService.alertStatusChanged google.admin.AdminService.addDomainAlias google.admin.AdminService.removeDomainAlias google.admin.AdminService.skipDomainAliasMx google.admin.AdminService.verifyDomainAliasMx google.admin.AdminService.verifyDomainAlias google.admin.AdminService.toggleOauthAccessToAllApis google.admin.AdminService.toggleAllowAdminPasswordReset google.admin.AdminService.enableApiAccess google.admin.AdminService.authorizeApiClientAccess google.admin.AdminService.removeApiClientAccess google.admin.AdminService.chromeLicensesRedeemed google.admin.AdminService.toggleAutoAddNewService google.admin.AdminService.changePrimaryDomain google.admin.AdminService.changeWhitelistSetting google.admin.AdminService.communicationPreferencesSettingChange google.admin.AdminService.changeConflictAccountAction google.admin.AdminService.enableFeedbackSolicitation google.admin.AdminService.toggleContactSharing google.admin.AdminService.createPlayForWorkToken google.admin.AdminService.toggleUseCustomLogo google.admin.AdminService.changeCustomLogo google.admin.AdminService.changeDataLocalizationForRussia google.admin.AdminService.changeDataLocalizationSetting google.admin.AdminService.changeDataProtectionOfficerContactInfo google.admin.AdminService.deletePlayForWorkToken google.admin.AdminService.viewDnsLoginDetails google.admin.AdminService.changeDomainDefaultLocale google.admin.AdminService.changeDomainDefaultTimezone google.admin.AdminService.changeDomainName google.admin.AdminService.toggleEnablePreReleaseFeatures google.admin.AdminService.changeDomainSupportMessage google.admin.AdminService.addTrustedDomains google.admin.AdminService.removeTrustedDomains google.admin.AdminService.changeEduType google.admin.AdminService.toggleEnableOauthConsumerKey google.admin.AdminService.toggleSsoEnabled google.admin.AdminService.toggleSsl google.admin.AdminService.changeEuRepresentativeContactInfo google.admin.AdminService.generateTransferToken google.admin.AdminService.changeLoginBackgroundColor google.admin.AdminService.changeLoginBorderColor google.admin.AdminService.changeLoginActivityTrace google.admin.AdminService.playForWorkEnroll google.admin.AdminService.playForWorkUnenroll google.admin.AdminService.mxRecordVerificationClaim google.admin.AdminService.toggleNewAppFeatures google.admin.AdminService.toggleUseNextGenControlPanel google.admin.AdminService.uploadOauthCertificate google.admin.AdminService.regenerateOauthConsumerSecret google.admin.AdminService.toggleOpenIdEnabled google.admin.AdminService.changeOrganizationName google.admin.AdminService.toggleOutboundRelay google.admin.AdminService.changePasswordMaxLength google.admin.AdminService.changePasswordMinLength google.admin.AdminService.updateDomainPrimaryAdminEmail google.admin.AdminService.enableServiceOrFeatureNotifications google.admin.AdminService.removeApplication google.admin.AdminService.removeApplicationFromWhitelist google.admin.AdminService.changeRenewDomainRegistration google.admin.AdminService.changeResellerAccess google.admin.AdminService.ruleActionsChanged google.admin.AdminService.createRule google.admin.AdminService.changeRuleCriteria google.admin.AdminService.deleteRule google.admin.AdminService.renameRule google.admin.AdminService.ruleStatusChanged google.admin.AdminService.addSecondaryDomain google.admin.AdminService.removeSecondaryDomain google.admin.AdminService.skipSecondaryDomainMx google.admin.AdminService.verifySecondaryDomainMx google.admin.AdminService.verifySecondaryDomain google.admin.AdminService.updateDomainSecondaryEmail google.admin.AdminService.changeSsoSettings google.admin.AdminService.generatePin google.admin.AdminService.updateRule |
EMAIL_SETTINGS | google.admin.AdminService.dropFromQuarantine google.admin.AdminService.emailLogSearch google.admin.AdminService.emailUndelete google.admin.AdminService.changeEmailSetting google.admin.AdminService.changeGmailSetting google.admin.AdminService.createGmailSetting google.admin.AdminService.deleteGmailSetting google.admin.AdminService.rejectFromQuarantine google.admin.AdminService.releaseFromQuarantine |
GROUP_SETTINGS | google.admin.AdminService.createGroup google.admin.AdminService.deleteGroup google.admin.AdminService.changeGroupDescription google.admin.AdminService.groupListDownload google.admin.AdminService.addGroupMember google.admin.AdminService.removeGroupMember google.admin.AdminService.updateGroupMember google.admin.AdminService.updateGroupMemberDeliverySettings google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride google.admin.AdminService.groupMemberBulkUpload google.admin.AdminService.groupMembersDownload google.admin.AdminService.changeGroupEmail google.admin.AdminService.changeGroupName google.admin.AdminService.changeGroupSetting google.admin.AdminService.whitelistedGroupsUpdated |
LABELS | google.admin.AdminService.labelDeleted google.admin.AdminService.labelDisabled google.admin.AdminService.labelReenabled google.admin.AdminService.labelPermissionUpdated google.admin.AdminService.labelPermissionDeleted google.admin.AdminService.labelPublished google.admin.AdminService.labelCreated google.admin.AdminService.labelUpdated |
LICENSES_SETTINGS | google.admin.AdminService.orgUsersLicenseAssignment google.admin.AdminService.orgAllUsersLicenseAssignment google.admin.AdminService.userLicenseAssignment google.admin.AdminService.changeLicenseAutoAssign google.admin.AdminService.userLicenseReassignment google.admin.AdminService.orgLicenseRevoke google.admin.AdminService.userLicenseRevoke google.admin.AdminService.updateDynamicLicense google.admin.AdminService.licenseUsageUpdate |
MOBILE_SETTINGS | google.admin.AdminService.actionCancelled google.admin.AdminService.actionRequested google.admin.AdminService.addMobileCertificate google.admin.AdminService.companyDevicesBulkCreation google.admin.AdminService.companyOwnedDeviceBlocked google.admin.AdminService.companyDeviceDeletion google.admin.AdminService.companyOwnedDeviceUnblocked google.admin.AdminService.companyOwnedDeviceWiped google.admin.AdminService.changeMobileApplicationPermissionGrant google.admin.AdminService.changeMobileApplicationPriorityOrder google.admin.AdminService.removeMobileApplicationFromWhitelist google.admin.AdminService.changeMobileApplicationSettings google.admin.AdminService.addMobileApplicationToWhitelist google.admin.AdminService.mobileDeviceApprove google.admin.AdminService.mobileDeviceBlock google.admin.AdminService.mobileDeviceDelete google.admin.AdminService.mobileDeviceWipe google.admin.AdminService.changeMobileSetting google.admin.AdminService.changeAdminRestrictionsPin google.admin.AdminService.changeMobileWirelessNetwork google.admin.AdminService.addMobileWirelessNetwork google.admin.AdminService.removeMobileWirelessNetwork google.admin.AdminService.changeMobileWirelessNetworkPassword google.admin.AdminService.removeMobileCertificate google.admin.AdminService.enrollForGoogleDeviceManagement google.admin.AdminService.useGoogleMobileManagement google.admin.AdminService.useGoogleMobileManagementForNonIos google.admin.AdminService.useGoogleMobileManagementForIos google.admin.AdminService.mobileAccountWipe google.admin.AdminService.mobileDeviceCancelWipeThenApprove google.admin.AdminService.mobileDeviceCancelWipeThenBlock |
ORG_SETTINGS | google.admin.AdminService.chromeLicensesEnabled google.admin.AdminService.chromeApplicationLicenseReservationCreated google.admin.AdminService.chromeApplicationLicenseReservationDeleted google.admin.AdminService.chromeApplicationLicenseReservationUpdated google.admin.AdminService.assignCustomLogo google.admin.AdminService.unassignCustomLogo google.admin.AdminService.createEnrollmentToken google.admin.AdminService.revokeEnrollmentToken google.admin.AdminService.chromeLicensesAllowed google.admin.AdminService.createOrgUnit google.admin.AdminService.removeOrgUnit google.admin.AdminService.editOrgUnitDescription google.admin.AdminService.moveOrgUnit google.admin.AdminService.editOrgUnitName google.admin.AdminService.toggleServiceEnabled |
SECURITY_INVESTIGATION | google.admin.AdminService.securityInvestigationAction google.admin.AdminService.securityInvestigationActionCancellation google.admin.AdminService.securityInvestigationActionCompletion google.admin.AdminService.securityInvestigationActionRetry google.admin.AdminService.securityInvestigationActionVerificationConfirmation google.admin.AdminService.securityInvestigationActionVerificationRequest google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration google.admin.AdminService.securityInvestigationChartCreate google.admin.AdminService.securityInvestigationContentAccess google.admin.AdminService.securityInvestigationDownloadAttachment google.admin.AdminService.securityInvestigationExportActionResults google.admin.AdminService.securityInvestigationExportQuery google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation google.admin.AdminService.securityInvestigationObjectDeleteInvestigation google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation google.admin.AdminService.securityInvestigationObjectOwnershipTransfer google.admin.AdminService.securityInvestigationObjectSaveInvestigation google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing google.admin.AdminService.securityInvestigationQuery google.admin.AdminService.securityInvestigationSettingUpdate |
SECURITY_SETTINGS | google.admin.AdminService.addToTrustedOauth2Apps google.admin.AdminService.allowAspWithout2Sv google.admin.AdminService.allowServiceForOauth2Access google.admin.AdminService.allowStrongAuthentication google.admin.AdminService.blockOnDeviceAccess google.admin.AdminService.changeAllowedTwoStepVerificationMethods google.admin.AdminService.changeAppAccessSettingsCollectionId google.admin.AdminService.changeCaaAppAssignments google.admin.AdminService.changeCaaDefaultAssignments google.admin.AdminService.changeCaaErrorMessage google.admin.AdminService.changeSessionLength google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration google.admin.AdminService.changeTwoStepVerificationFrequency google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration google.admin.AdminService.changeTwoStepVerificationStartDate google.admin.AdminService.disallowServiceForOauth2Access google.admin.AdminService.enableNonAdminUserPasswordRecovery google.admin.AdminService.enforceStrongAuthentication google.admin.AdminService.removeFromTrustedOauth2Apps google.admin.AdminService.sessionControlSettingsChange google.admin.AdminService.toggleCaaEnablement google.admin.AdminService.trustDomainOwnedOauth2Apps google.admin.AdminService.unblockOnDeviceAccess google.admin.AdminService.untrustDomainOwnedOauth2Apps google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps google.admin.AdminService.weakProgrammaticLoginSettingsChanged |
SITES_SETTINGS | google.admin.AdminService.addWebAddress google.admin.AdminService.deleteWebAddress google.admin.AdminService.changeSitesSetting google.admin.AdminService.changeSitesWebAddressMappingUpdates google.admin.AdminService.viewSiteDetails |
USER_SETTINGS | google.admin.AdminService.delete2SvScratchCodes google.admin.AdminService.generate2SvScratchCodes google.admin.AdminService.revoke3LoDeviceTokens google.admin.AdminService.revoke3LoToken google.admin.AdminService.addRecoveryEmail google.admin.AdminService.addRecoveryPhone google.admin.AdminService.grantAdminPrivilege google.admin.AdminService.revokeAdminPrivilege google.admin.AdminService.revokeAsp google.admin.AdminService.toggleAutomaticContactSharing google.admin.AdminService.bulkUpload google.admin.AdminService.bulkUploadNotificationSent google.admin.AdminService.cancelUserInvite google.admin.AdminService.changeUserCustomField google.admin.AdminService.changeUserExternalId google.admin.AdminService.changeUserGender google.admin.AdminService.changeUserIm google.admin.AdminService.enableUserIpWhitelist google.admin.AdminService.changeUserKeyword google.admin.AdminService.changeUserLanguage google.admin.AdminService.changeUserLocation google.admin.AdminService.changeUserOrganization google.admin.AdminService.changeUserPhoneNumber google.admin.AdminService.changeRecoveryEmail google.admin.AdminService.changeRecoveryPhone google.admin.AdminService.changeUserRelation google.admin.AdminService.changeUserAddress google.admin.AdminService.createEmailMonitor google.admin.AdminService.createDataTransferRequest google.admin.AdminService.grantDelegatedAdminPrivileges google.admin.AdminService.deleteAccountInfoDump google.admin.AdminService.deleteEmailMonitor google.admin.AdminService.deleteMailboxDump google.admin.AdminService.changeFirstName google.admin.AdminService.gmailResetUser google.admin.AdminService.changeLastName google.admin.AdminService.mailRoutingDestinationAdded google.admin.AdminService.mailRoutingDestinationRemoved google.admin.AdminService.addNickname google.admin.AdminService.removeNickname google.admin.AdminService.changePassword google.admin.AdminService.changePasswordOnNextLogin google.admin.AdminService.downloadPendingInvitesList google.admin.AdminService.removeRecoveryEmail google.admin.AdminService.removeRecoveryPhone google.admin.AdminService.requestAccountInfo google.admin.AdminService.requestMailboxDump google.admin.AdminService.resendUserInvite google.admin.AdminService.resetSigninCookies google.admin.AdminService.securityKeyRegisteredForUser google.admin.AdminService.revokeSecurityKey google.admin.AdminService.userInvite google.admin.AdminService.viewTempPassword google.admin.AdminService.turnOff2StepVerification google.admin.AdminService.unblockUserSession google.admin.AdminService.unenrollUserFromTitanium google.admin.AdminService.archiveUser google.admin.AdminService.updateBirthdate google.admin.AdminService.createUser google.admin.AdminService.deleteUser google.admin.AdminService.downgradeUserFromGplus google.admin.AdminService.userEnrolledInTwoStepVerification google.admin.AdminService.downloadUserlistCsv google.admin.AdminService.moveUserToOrgUnit google.admin.AdminService.userPutInTwoStepVerificationGracePeriod google.admin.AdminService.renameUser google.admin.AdminService.unenrollUserFromStrongAuth google.admin.AdminService.suspendUser google.admin.AdminService.unarchiveUser google.admin.AdminService.undeleteUser google.admin.AdminService.unsuspendUser google.admin.AdminService.upgradeUserToGplus google.admin.AdminService.usersBulkUpload google.admin.AdminService.usersBulkUploadNotificationSent |
Google Workspace Enterprise Groups
Google Workspace Enterprise Groups Audit audit logs use the resource type audited_resource
forall audit logs.
Google Workspace Enterprise Groups Audit audit logs use the service namecloudidentity.googleapis.com
.
Google Workspace Enterprise Groups Audit writes Admin Activity audit logs only. The following arethe audited operations:
Audit logs category | AuditLog.method_name |
---|---|
Admin Activity audit logs | google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership |
Google Workspace Login Audit
All Google Workspace Login Audit audit logs use the resource type audited_resource
.
Google Workspace Login Audit audit logs use the service namelogin.googleapis.com
.
Google Workspace Login Audit writes Data Access audit logs only. The following are theaudited operations; log samples foreach operation are available.
Audit logs category | AuditLog.method_name |
---|---|
Data Access audit logs | google.login.LoginService.2svDisable google.login.LoginService.2svEnroll google.login.LoginService.accountDisabledPasswordLeak google.login.LoginService.accountDisabledGeneric google.login.LoginService.accountDisabledSpammingThroughRelay google.login.LoginService.accountDisabledSpamming google.login.LoginService.accountDisabledHijacked google.login.LoginService.emailForwardingOutOfDomain google.login.LoginService.govAttackWarning google.login.LoginService.loginChallenge google.login.LoginService.loginFailure google.login.LoginService.loginVerification google.login.LoginService.logout google.login.LoginService.loginSuccess google.login.LoginService.passwordEdit google.login.LoginService.recoveryEmailEdit google.login.LoginService.recoveryPhoneEdit google.login.LoginService.recoverySecretQaEdit google.login.LoginService.riskySensitiveActionAllowed google.login.LoginService.riskySensitiveActionBlocked google.login.LoginService.suspiciousLogin google.login.LoginService.suspiciousLoginLessSecureApp google.login.LoginService.suspiciousProgrammaticLogin google.login.LoginService.titaniumEnroll google.login.LoginService.titaniumUnenroll |
Google Workspace OAuth Token
Google Workspace OAuth Token Audit audit logs use the resource type audited_resource
forall audit logs.
Google Workspace OAuth Token Audit audit logs use the service nameoauth2.googleapis.com
.
Google Workspace OAuth Token Audit writes both Admin Activity and Data Access audit logs. Thefollowing are the audited operations:
Audit logs category | AuditLog.method_name |
---|---|
Admin Activity audit logs | google.identity.oauth2.Deny google.identity.oauth2.GetToken google.identity.oauth2.Request google.identity.oauth2.RevokeToken |
Data Access audit logs | google.identity.oauth2.GetTokenInfo |
Google Workspace SAML
Google Workspace SAML Audit audit logs use the resource type audited_resource
forall audit logs.
Google Workspace SAML Audit audit logs use the service namelogin.googleapis.com
.
Google Workspace SAML Audit writes Data Access audit logs only. The following are theaudited operations:
Audit logs category | AuditLog.method_name |
---|---|
Data Access audit logs | google.apps.login.v1.SamlLoginFailed |
google.apps.login.v1.SamlLoginSucceeded |
Audit log permissions
IAM permissions and roles determine your ability to access auditlogs data in the Logging API, theLogs Explorer, and theGoogle Cloud CLI.
For detailed information about the organization-level IAMpermissions and roles you might need, see theAccess control with IAM.
Audit log format
Google Workspace audit log entries include the following objects:
The log entry itself, which is an object of type LogEntry.When examining audit logging data, you might find the followinguseful:
logName
contains the organization ID and audit log type.resource
contains the target of the audited operation.timeStamp
contains the time of the audited operation.protoPayload
contains the Google Workspace audit log in itsmetadata
field.
The protoPayload.metadata
field holds the audited Google Workspaceinformation. The following is an example of a Login Audit log:
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.net" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { "value": "google_password", "type": "TYPE_STRING", "name": "login_type", }, { "name": "login_challenge_method", "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" ] }, ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632500217183212" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nahbepd4l1x", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:16:57.183212Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:25.034361197Z"}
For information about service-specific audit logging fields, and how tointerpret them, select from the services listed inAvailable audit logs.
View logs
For information on viewing your Google Workspace audit logs, seeView and manage audit logs for Google Workspace.
Route audit logs
You can route Google Workspace audit logs from Cloud Logging tosupported destinations, including other Logging buckets.
Here are some applications for routing audit logs:
To use more powerful search capabilities, you can route copies of youraudit logs to Cloud Storage, BigQuery, or Pub/Sub.Using Pub/Sub, you can route to other applications, otherrepositories, and to third parties.
To manage your audit logs across an entire organization, you can createaggregated sinks that combine androute logs from all the Google Cloud projects, billing accounts, andfolders contained by your organization. For instance, you might aggregateand route audit log entries from an organization's folders to aCloud Storage bucket.
For instructions on routing logs, seeRoute logs to supported destinations.
Regionalization
You can't choose a region where your Google Workspace logs are stored.Google Workspace logs aren't covered by theGoogle Workspace Data Region Policy.
Retention periods
The following retention periods apply to your audit logs data:
Data retention policy in Google Workspace.
Data retention policy in Google Cloud Cloud Logging.
For each organization, Cloud Logging automatically stores logs in twobuckets: a _Default
bucket and a _Required
bucket. The _Required
bucketholds Admin Activity audit logs, System Event audit logs, and Access Transparency logs.The _Default
bucket holds all other log entries that aren't stored in the_Required
bucket. For more information on Logging buckets, seeRouting and storage overview.
You can configure Cloud Logging to retain the logs in the _Default
logsbucket for a period ranging from 1 day to3650 days.
To update the retention period for the _Default
logs bucket, seeCustom retention.
You can't change the retention period on the _Required
bucket.
Quotas and limits
The same quotas apply to audit logs for Google Workspace andCloud Audit Logs.
For details about these usage limits, including the maximumsizes of audit logs, see Quotas and limits.
Pricing
Google Workspace's organization-level logs are free.
What's next
- Learn how toconfigure and manage Google Workspace audit logs.
- Review best practices forCloud Audit Logs.
- Learn how to view and understand Access Transparency logs for Google Workspace.