Admin audit log

Track task history
If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

The Admin audit log shows a history of every task performed in your Google Admin console and which administrator performed the task. As your organization's administrator, use the Admin console audit log to track how your administrators are managing your domain's core Google services. These Google Marketplace app events are also logged:

  • Add Application or Remove Application—When a domain administrator adds or removes a Marketplace app from a domain.
  • API Client Access Authorize or API Client Access Remove—When a domain administrator grants or revokes data access to an application.
  • Service Change—When a domain administrator turns a Marketplace app on or off for an Organizational Unit.

Some Marketplace app events may not include IP Address details.

Step 1: Open your Admin audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. Click Admin.
  4. Optionally, at the top right, click Select columns. Select the columns you want to see or hide:
    • Event Description—Details about the change, such as the new group's email address or the user account name that was deleted.
    • Admin—The administrator who performed the action.
    • Date—The date the event occurred (displayed in your browser's default time zone).
    • IP Address—The IP address used by the administrator to sign in to the Admin console. This address usually reflects the administrator's physical location, but could instead be a proxy server or a Virtual Private Network (VPN) address.

Step 2: Understand Admin audit log data

Data you can view
Data type | Description
Event name | The action that was logged, such as adding a group to your organization's account, revoking a security key, or deleting a user.
Event description | Details of the event described in the Event name field.
IP address | Internet Protocol (IP) address that the administrator used to sign in to the Admin console. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.
Date | Date and time the event occurred (displayed in your browser's default time zone).
Admin | The name of the administrator who performed the action.


Note: If you assign a pre-built Super Admin role to a user, this change appears in the Event Name column as Role Assign and in the Event Description column as Role _SEED_ADMIN_ROLE, followed by the user name. This confirms that you made that user a Super Admin.

Groups actions: Actions an admin takes in the Admin console are logged in the Admin audit log, but actions performed in Google Groups directly are logged in the Groups audit log.

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or administrators. For example, find all log events for when an administrator changed a password for a user, or find all activity for a particular administrator.

  1. Open your Admin audit log as shown above.
  2. If you don't see the Filters section, click Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. Click Search.

Export your audit log data

You can export your Admin audit log data to a Google Sheet, or download it to a CSV file.

  1. Open your Admin audit log as shown above.
  2. (Optional) To change the data to include in your export, on the toolbar, click Select columns.
  3. On the toolbar, click Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. The Audit logs are limited to 10,000 rows, regardless of the number of columns.
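
Once the log is downloaded as CSV, the events this page singles out can be triaged offline. The script below is an added example, not Google's code: it flags Super Admin grants (Role Assign with _SEED_ADMIN_ROLE) and the Marketplace app events listed above, notes rows with no IP address, and warns when the file reaches the 10,000-row limit. The CSV header names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Event names and the role marker come from this page.
MARKETPLACE_EVENTS = {
    "Add Application", "Remove Application",
    "API Client Access Authorize", "API Client Access Remove",
    "Service Change",
}
SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"
ROW_LIMIT = 10_000  # audit log export limit stated on this page

def triage(csv_text):
    """Return (findings, maybe_truncated) for an exported Admin audit log.

    Assumes the header names 'Event Name', 'Event Description' and
    'IP Address'; adjust them to match the columns in your export.
    """
    findings, rows = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows += 1
        event = (row.get("Event Name") or "").strip()
        desc = row.get("Event Description") or ""
        ip = (row.get("IP Address") or "").strip()
        reasons = []
        if event == "Role Assign" and SUPER_ADMIN_ROLE in desc:
            reasons.append("super-admin-grant")
        if event in MARKETPLACE_EVENTS:
            reasons.append("marketplace-change")
        # Some Marketplace events carry no IP; record the gap for the reviewer.
        if reasons and not ip:
            reasons.append("no-ip")
        if reasons:
            findings.append((row, reasons))
    # A file at the limit may be missing older events: narrow the filter.
    return findings, rows >= ROW_LIMIT

# Constructed sample export (not real data).
SAMPLE = """Event Name,Event Description,Admin,Date,IP Address
Role Assign,Role _SEED_ADMIN_ROLE alice@example.com,root@example.com,2020-01-06T09:12:00Z,203.0.113.10
Role Assign,Role Help Desk Admin bob@example.com,root@example.com,2020-01-06T09:15:00Z,203.0.113.10
API Client Access Authorize,Data access granted to Example App,ops@example.com,2020-01-07T14:02:00Z,
Change Password,Password changed for carol@example.com,ops@example.com,2020-01-07T14:30:00Z,198.51.100.7
"""

if __name__ == "__main__":
    hits, truncated = triage(SAMPLE)
    for row, reasons in hits:
        print(row["Date"], row["Admin"], row["Event Name"], ",".join(reasons))
    print("export may be truncated" if truncated else "export below row limit")
```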

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can receive email alerts for sign-in activity based on your filters.

  1. Open your Admin audit log as shown above.
  2. If you don't see the Filters section, click Filter.
  3. In the Filters section, select the criteria to filter. You can use any combination of filters, except IP Address and Date and time range.
  4. Click Set Alert.
  5. Enter an Alert name.
  6. Choose the recipients of the email alert:
    1. Check the box to deliver the email alert to super administrators.
    2. Enter the email addresses of any other email alert recipients.
  7. Click Save.

To edit your custom alerts, refer to Administrator email alerts.
