Clear search
Close search
Google apps
Main menu

    Drive audit log

    View user Drive file activity

    This feature is available with G Suite Business, Education, and Enterprise editions. Compare editions

    As a G Suite administrator, you'll want to get a list of every time your domain's users view, create, preview, print, update, delete, download, or share Drive content. You'll use the Drive audit log to collect this information. The Drive audit log includes content your users create in Google Docs, Sheets, Slides, and other G Suite applications, as well as content created elsewhere that your users upload to Drive, such as PDFs and Word files.

    Step 1: Open your Drive audit log

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in

    2. From the Admin console dashboard, go to Reports.

      To see Reports, you might have to click More controls at the bottom.

    3. Click Drive.
    4. On the toolbar, click Select columns Select columns. Then select the data you want to show in your log. 
    5. See below for how to interpret and customize log data.

    Step 2: Understand Drive audit log data

    Data you can view

    Drive audit logs surfaces the following information:

    Data Type Description Filtering within the Admin Console
    Event name Action the user performed, such as View, Rename, Create, Edit, Preview, Print, Update, Delete, Download, or Share. Filterable
    Event description Summary of the event, such as "Larry created an item." Not filterable
    Item type The file format that the Activity involves, such as Google Docs, Sheets and Slides, or folder, or Team Drive. Not filterable
    Item ID The unique identifier Drive item the activity involves, as stored in the URL link for the file. Filterable
    Team Drive ID The unique identifier for the Team Drive, as stored in the URL link for the Team Drive. Filterable
    User Email address of the user who performed the activity. Filterable; also works if the only the domain name is entered
    Owner User who owns the file. Filterable
    Date and time range Date and time the event occurred (displayed in your browser's default time zone). Filterable
    IP address Internet Protocol (IP) address from where the user performed the activity. This might reflect the user's physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address. Not filterable

    Step 3: Customize and export your audit log data

    Filter the audit log data by user or activity

    You can narrow your audit log to show specific events or users. For example, find all log events for when users updated or deleted a Drive file, or find all Sheets activity for a particular user.

    1. Open your Drive audit log as shown above.
    2. If you don't see the Filters section, click Filter Filter.
    3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
    4. Click Search.

    Export your audit log data

    You can export your Drive audit log data to a Google Sheet, or download it to a CSV file.

    1. Open your Drive audit log as shown above.
    2. (Optional) To change the data to include in your export, on the toolbar, click Select columns Select columns.
    3. On the toolbar, click Download Download.

    You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select.

    How old is the data I'm seeing?

    You won’t see complete data up to the present day. Instead, under the graph heading you'll see the latest date for the column data. 

    Occasionally, you'll see an asterisk "*" next to a column name. This indicates that the data in this particular column might be stale compared to the data in other columns on the same page.

    For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

    Step 4: Set up email alerts

    You can easily track specific Drive activities by setting up alerts. For example, get an alert whenever someone creates or deletes a document.

    1. Open your Drive audit log as shown above.
    2. If you don't see the Filters section, click Filter Filter.
    3. Enter or select the criteria for your filter. To set up an alert, you can filter on any combination of the data you can view in the log except date and time range.
    4. Click Set Alert.
    5. In the Set alert: Drive box, enter a name for the alert.
    6. Check the box to deliver the alert to in your super administrator account.
    7. Enter the email addresses of any other alert recipients.
    8. Click Save.

    To edit your custom alerts, see Administrator email alerts.

    Known Issues

    • Each entry in the log links to the file associated with the event.
    • No IP addresses are logged for events initiated by users external to the domain.
    • Even if the request is initiated by users internal to the domain not all events will be logged with IP addresses.
    • Users external to the domain who initiate events are shown as anonymous, except when they view or edit a document explicitly shared with them (as an individual or as part of a specific group).
    • No IP addresses are logged for events from services that don't log the IP address in their requests.
    • When you copy files, the type of action logged in the Drive audit logs depends on the file type:
      • Copy Google Docs: "Create", "Edit", and "View" are logged
      • Copy Google Sheets: "Create", and "Edit" are logged
      • Copy Google Slides: "Create", and "Edit" are logged
      • Copy any MS Office format or non Google format files: only "Create" is logged
    • Exported Google Sheets and downloaded CSV files both show a maximum of 10,000 rows.
    • Domains with any version of G Suite can use the Activity API to programmatically access basic G Suite reports data, while domains with G Suite Business can use a new Reports API to access advanced G Suite reports data.
    • The log shows preview events that occurred in the Drive viewer and print events that occurred in the Drive viewer and the Google Docs editors, but reports on these events may be delayed up to 12 hours from the time of the event.
    • The log may show print events as download events when printing files with the Drive application from iOS or Android devices or when printing slide or sheet files with the Drive web UI.
    • Downloads from the following sources are not logged:
      • Google Drive for Mac/PC sync client downloads
      • Google Takeout downloads
      • Downloads to offline browser caches
      • Docs printed from the Drive web UI
      • Photos that are synced to, downloaded from, or viewed through Google Photos
      • Drive items that are emailed as attachments and downloaded through the recipient's email client
    Was this article helpful?
    How can we improve it?
    Sign in to your account

    Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.