Admin audit log

View administrator activity in the Admin console

You can use the Admin audit log to see a record of actions performed in your Google Admin console. For example, you can see when an administrator added a user or turned on a Google Workspace service. 

Forward log event data to the Google Cloud Platform

You can opt in to share the log event data with Google Cloud Platform. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.

For other services and activities, such as Google Drive and user activity, go to the list of available audit logs.

Open the Admin audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, click Audit and then Admin.
  4. (Optional) To customize what data you see, on the right, click Manage columns. Select the columns that you want to see or hide and then click Save.

Data you can view

The Admin audit log provides the following information:

Data type: Description
Event name: The action that was logged, such as revoking a security key or deleting a user
Date: Date and time of the event (displayed in your browser's default time zone)
Event description: Details about the action, such as the name of the deleted user and the name (or email address for service account admins) of the admin that initiated the action
Admin: Name of the admin who performed the action. Instead of an admin’s name, you might see:
  • License manager—If an admin action triggers a change to a user’s license
  • Service account—If the action was performed by a service account admin
  • Anonymous—If the action was performed by a service account admin
IP address: IP address of the admin. Usually reflects the admin's physical location, but could be a proxy server or VPN address.
  Note: When you delete a user and transfer their data, the IP address doesn't show for the User Deletion event, only for the Data transfer request created event.

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Most event names are self-explanatory. For example, Add application shows when an application was added to your organization or a domain. However, you might see more detailed log data, such as:

Event name: Description
Admin privileges grant: If you assign the Super Admin role to a user, the log shows the Event description as Role_SEED_ADMIN_ROLE
Groups events: Logs actions performed in the Admin console, in Google Groups, and more. To track changes by users in Groups, go to the Groups audit log.
Marketplace login audit change: Logs when an admin adds or removes an app, turns an app on or off, and authorizes or removes API client access. Some apps might not have IP address details.
Auto provisioning automatically disabled: Logs when auto provisioning is turned off because syncing with a service was failing for a long time. OR Auto provisioning was disabled because sync failed for 15 consecutive days. Sync may fail for a variety of reasons.


Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.
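
The fields and event names described above can drive a first-pass review of administrator activity. The following Python code is an added example, not Google's code: it flags Super Admin grants, non-person actors, and rows with no IP address outside the two cases this page says may lack one. It assumes the log rows are available as CSV with the column names listed under "Data you can view"; the CSV layout, the sample rows and the triage function are constructed for illustration.

```python
import csv
import io

# Constructed sample rows. The columns follow the "Data you can view" list;
# the CSV layout is an assumption, not a documented export format.
SAMPLE_CSV = """Event name,Date,Event description,Admin,IP address
Admin privileges grant,2024-05-01T09:12:00Z,Role_SEED_ADMIN_ROLE assigned to user1@example.com,Alice Admin,203.0.113.10
User Deletion,2024-05-01T10:00:00Z,user2@example.com deleted,Bob Admin,
Data transfer request created,2024-05-01T10:00:05Z,Transfer for user2@example.com,Bob Admin,198.51.100.7
Add application,2024-05-02T08:30:00Z,Application added,Service account,
Marketplace login audit change,2024-05-02T11:45:00Z,API client access authorized,Carol Admin,
Add application,2024-05-03T07:00:00Z,Application added,Dave Admin,
"""

# Labels the page says can appear in the Admin column instead of a person's name.
NON_PERSON_ACTORS = {"License manager", "Service account", "Anonymous"}
# Events for which the page says IP address details may be absent.
IP_OPTIONAL_EVENTS = {"User Deletion", "Marketplace login audit change"}
# Substring of the Event description the page gives for a Super Admin grant.
SUPER_ADMIN_MARKER = "_SEED_ADMIN_ROLE"


def triage(csv_text):
    """Return (date, event name, finding) tuples that deserve a manual look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = row["Event name"].strip()
        actor = row["Admin"].strip()
        ip = row["IP address"].strip()
        when = row["Date"].strip()
        if SUPER_ADMIN_MARKER in row["Event description"]:
            findings.append((when, event, "super admin role granted by " + actor))
        if actor in NON_PERSON_ACTORS:
            # Attribution needs the Event description, not the Admin column.
            findings.append((when, event, "non-person actor: " + actor))
        elif not ip and event not in IP_OPTIONAL_EVENTS:
            # A named admin with no IP, outside the documented exceptions.
            findings.append((when, event, "no IP address outside documented exceptions"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(*finding, sep=" | ")
```
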

When and how long is data available?

Go to Data retention and lag times.
