Duet AI is now Gemini for Google Workspace. Learn more

Export logs to Chronicle to monitor insider risk

Supported editions for this feature: Enterprise Standard and Enterprise Plus. Compare your edition

You can export your Google Workspace audit logs to Google Chronicle, a cloud-native security analytics platform that helps your organization detect, investigate, and respond to security threats. To export logs to Chronicle, you need to use the Google Admin console to connect Google Workspace to Chronicle. 

Once you connect to Chronicle, your audit logs are continuously exported to Chronicle, where you can manage insider risk. To manage risk, you use rules that generate detections and alerts, which help you identify risky user behaviors and anomalies related to data access and exfiltration. Learn more about Chronicle.

After you export logs

After your data is exported to Chronicle, you can sign in to your Chronicle account to:

  • Search for any element in your logs data, such as usernames, IP addresses, and sign-in events.
  • View all the alerts and Indicators of Compromise (IOCs) currently impacting your organization. 
  • Analyze any of the alerts.

Before you begin

  • Make sure you have a Google Chronicle account. If you need an account, contact a Google Cloud sales specialist.
  • You need super administrator privileges to connect Google Workspace to Chronicle.

Connect to Chronicle to export logs

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in

  2. In the Admin console, go to Menu and then Reportingand thenData integrations.
  3. Point to the Chronicle export card and click Edit .
  4. On the Connect to Chronicle page, follow the on-screen instructions to:
    1. Go to your organization's Profile page in the Admin console, and copy your Customer ID.
    2. Go to Chronicle, and then go to Settings > Google Workspace . Enter your Google Workspace customer ID and click Generate Token.
    3. On the Google Workspace page, copy your Token and Chronicle instance ID. (Note that your Chronicle instance ID is the same as your Chronicle customer ID.)
    4. Return to the Connect to Chronicle page in the Admin console, and enter the Token and your Chronicle instance ID.
  5. Click Connect.

Once a connection to Chronicle is established, it can take up to 24 hours before logs are exported to Chronicle. After that, your organization's audit logs are continuously exported to Chronicle. 

If a message appears that says a connection couldn't be established: First check if the Chronicle token and instance ID are correct. If they are, try connecting to Chronicle again after a few minutes. If you still can't connect, contact Google Workspace support.

Disconnect from Chronicle

If you no longer want to export audit logs to Chronicle,  you can disconnect your organization's Google Workspace account from Chronicle. 

Note: If you disconnect Google Workspace from Chronicle, your audit logs are not automatically deleted from Chronicle. To delete logs, you can use Chronicle.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in

  2. In the Admin console, go to Menu and then Reportingand thenData integrations.
  3. In the Chronicle export card, click Disconnect from Chronicle.


Expand section  |  Collapse all

Which audit logs are exported to Chronicle?

The following is the key log data that's supported:

  • Admins
  • Chrome
  • Classroom
  • Cloud Search
  • Data export (admin)
  • Data Studio
  • Devices
  • Gmail
  • Google Calendar
  • Google Chat
  • Google Drive
  • Google Groups
  • Google Groups for Business
  • Google Keep
  • Google Meet
  • Google Takeout
  • Google Voice
  • Jamboard management
  • Login
  • OAuth
  • Rules
  • SAML
  • Users
Can I select which audit logs to export to Chronicle?
No, all supported logs are exported to Chronicle.
When can I use audit data after it's logged in the Google Admin console?
Once an audit log is created, its data is streamed to Chronicle.
Note: For information about how long it can take before data is available for log events, see Data retention and lag times.
Are historical logs that were created before I connected to Chronicle also exported?
No, only audit logs that were created in the Admin console after you connect to Chronicle are exported.
Are exported logs converted to a different format in Chronicle?
Yes, Chronicle converts all exported logs to Unified Data Format (UDM), which lets Chronicle to run complex queries and rules against your data.
Which rules can I use in Chronicle to perform risk management?
Chronicle provides prebuilt rules, called Chronicle Rules Sets, which you can turn on individually to detect threats to your organization. These rules generate detections, some of which might be alerts, with risk scores. The Google Workspace Rules Sets in Chronicle help you investigate insider risk and data exfiltration. Learn more about Rule Sets.
Is there a cost to export logs data to Chronicle?
If you use the export feature, standard Chronicle terms and pricing apply. For details, contact your sales representative.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center