Admin audit log

View administrator activity in the Admin console

The Admin audit log shows a record of actions performed in your Google Admin console. For example, you can see when an administrator added a user or turned on a G Suite service.

See the list of audits for other services and activities, such as Drive and user logins.

Step 1: Open your Admin audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click Admin.
  4. Optionally, at the top right, click Select columns Select columns. Select the columns you want to see or hide:
Data Type Description
Event name The action that was logged, such as revoking a security key or deleting a user.
Event description Details about the action, such as the name of the deleted user.
IP address IP address of the administrator. Usually reflects the administrator's physical location, but could be a proxy server or a VPN address.
Date Date and time of the event (displayed in your browser's default time zone).
Admin The administrator who performed the action.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Details on audit logs

Information on how the log records some activities: 

  • Admin role assignment: If you assign a pre-built Super Admin role to a user,  the log shows the Event Description as Role _SEED_ADMIN_ROLE.
  • Groups:  Logs Group actions performed in the Admin console. See the Groups audit log for actions performed in Google Groups for Business.
  • Marketplace services: Logs when an administrator adds/removes an app, turns on/off an app, and authorizes/removes API client access. Some apps may not have IP address details
  • Access groups: Logs when a service is turned on/unset for an access group. For example, if Gmail is turned on for an access group: 

Service Gmail changed to true for Solarmora organization unit
in Solarmora.com (Group Email(s): {access-gmail-testers@solarmora.com})

The access group is listed as Group Email(s):groupname. The log shows the change was made to the top-level organization. However, the change affected only the members of the access group, not the top-level organization.

If a service is unset for an access group, the change is shown as inherited from the top-level organization. However, members of the group receive the service on/off setting of any other access groups they belong to, and then their organization. 

Service Gmail changed to INHERIT_FROM_PARENT for Solarmora organization unit
in Solarmora.com (Group Email(s): {access-gmail-testers@solamora.com})

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or administrators. For example, find all log events for when an administrator changed a password, or find all activity for a particular administrator.

  1. Open your Admin audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. Click Search.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your report as shown above.
  2. On the left, under Filters, select an organizational unit from the list.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export:
    1. On the toolbar, click Select columns Select columns.
    2. Check the box next to the data you want to export and click Apply.
  3. On the toolbar, click Download Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.

Step 4: Set up email alerts

You can get email alerts for sign-in activity based on your filters.

  1. Open your Admin audit log as shown above.
  2. If you don't see the Filters section, click Filter filter .
  3. In the Filters section, select the criteria to filter. You can use any combination of filters, except IP Address and Date and time range.
  4. Click Set Alert.
  5. Enter an Alert name.
  6. Choose the recipients of the email alert:
    1. Check the box to deliver the email alert to super administrators.
    2. Enter the email addresses of any other email alert recipients.
  7. Click Save.

To edit your custom alerts, refer to Administrator email alerts.

 
Was this article helpful?
How can we improve it?