Admin console audit log
You can track exactly how your administrators are managing your account's core Google services, using the Admin console audit log. Here, you can see a history of which tasks have been performed in your Google Admin console, and by whom.Audit log setup
The Admin console audit log tracks administrator actions for core Google services you've enabled for your users. To begin tracking events for a service, you must therefore add the service to your account. Only after you do this will events begin to appear in the log.
From your Google Admin console, go to Reports > Audit Log > Admin Console.
- Event Name. Identifies the action the administrator performed, such as adding a group to your organization's account or deleting a user.
- Event Description. More details about the change, such as the new group's email address or the user account name that was deleted.
- User. The administrator who performed the event.
- IP Address. The internet protocol (IP) address used by the administrator to sign in to the Admin console. This might reflect the administrator's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
- Date. The date the event occurred, displayed in your domain's default timezone.
You can filter log entries to list only events of a particular type, or that were performed during a specific date range. At the top of the Admin audit log, click the Edit link (next to filtering options). Then specify the following:
- Event Name. Select an Admin console event you want to list in the audit log (or leave it set to All Events).
- Start date. Choose a start date for listing events (any day within the past 180 days, including today).
- End date. Choose the end date of events you want to list (any day from the Start date through today).
- Additional filters. Click here to filter log entries by more criteria.
- Reset. Click Reset to return to listing all administrator actions, up to the current day.
- The Admin console audit log lists a maximum of 100 events.
- When an administrator enables or disables mail flow by updating your domain's MX records at your service provider, the audit log tracks only the administrator's confirmation that they completed the MX record change.
You can export audit log events in a "comma-separated-values" (CSV) format, which you can then import into a spreadsheet. After viewing or filtering log events, click the Export to CSV button at the top-right of the event list. This downloads a CSV file to your computer that you can open in any spreadsheet or text editor.
For more information about the audit log, see the Admin Audit API.