You can use the Admin audit log to see a record of actions performed in your Google Admin console. For example, you can see when an administrator added a user or turned on a Google Workspace service.
You can opt in to share the audit log data with Google Cloud Platform (GCP). If you turn on sharing, data is forwarded to GCP Cloud Logging, where you can query and view your logs, and control how you route and store your logs.
For other services and activities, such as Google Drive and user activity, go to the list of available audit logs.
From the Admin console Home page, go to Reports.
- On the left, click AuditAdmin.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Admin audit log provides the following information:
|Event name||The action that was logged, such as revoking a security key or deleting a user|
|Date||Date and time of the event (displayed in your browser's default time zone)|
|Event description||Details about the action, such as the name of the deleted user and the name (or email address for service account admins) of the admin that initiated the action|
|Admin||Name of the admin who performed the action. Instead of an admin’s name, you might see:
IP address of the admin. Usually reflects the admin's physical location, but could be a proxy server or VPN address.
Note: When you delete a user and transfer their data, the IP address doesn't show for the User Deletion event, only for the Data transfer request created event.
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Most event names are self-explanatory. For example, Add application shows when an application was added to your organization or a domain. However, you might see more detailed log data, such as:
|Admin privileges grant||If you assign the Super Admin role to a user, the log shows the Event description as Role_SEED_ADMIN_ROLE|
|Groups events||Logs actions performed in the Admin console, in Google Groups, and more. To track changes by users in Groups, go to the Groups audit log.|
|Marketplace login audit change||Logs when an admin adds or removes an app, turns an app on or off, and authorizes or removes API client access. Some apps might not have IP address details.|
|Auto provisioning automatically disabled||
Logs when auto provisioning is turned off because syncing with a service was failing for a long time.
Auto provisioning was disabled because sync failed for 15 consecutive days. Sync may fail for a variety of reasons.
Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.
When and how long is data available?
Go to Data retention and lag times.