This feature is available with G Suite Business, Education, Enterprise, and G Suite Essentials editions. Compare editions
You can use the Google Drive audit log to record your organization's user activity. The Google Drive audit log includes content your users create in Google Docs, Sheets, Slides, and other G Suite applications, as well as content created elsewhere that your users upload to Drive, such as PDFs and Microsoft® Word® files.
Organizations with any version of G Suite can use the Activity API to programmatically access basic G Suite reports data, while organizations with G Suite Enterprise, G Suite Business, or G Suite Essentials can use a new Reports API to access advanced G Suite reports data.
- For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.
- Drive audit events are logged only for files owned by users with G Suite Business, Education, Enterprise, and G Suite Essentials editions.
From the Admin console Home page, go to Reports.
- On the left, under Audit, click Drive.
You might have to scroll to see Audit.
(Optional) To customize what you review, on the right, click Manage columns , select the columns that you want to see or hide, and click Save.
Review ways to filter and export log data and create alerts.
Understand Drive audit log dataData you can view
The Google Admin console bases its Drive audit logs on the following user data:
|Data Type||Description||Filtering within the Admin Console|
User action such as View, Rename, Create, Edit, Preview, Print, Update, Delete, Upload, Download, or Share a Drive file.
Most actions are logged immediately. However, Preview events in the Drive viewer can be delayed 12 hours or more from the time of the event. Other events, such as uploading a file, are logged once they’re complete.
When you copy files, the type of action that’s logged depends on the file type:
If the user uses the "Make a copy" menu item in Docs, Sheets, or Slides, a View event is also logged for the new file because it is displayed to the user.
Shared drive files
Viewing Trash and Changing Theme on a shared drive is not logged.
Print events are not recorded for Google file formats (Docs, Sheets, Slides, Drawings, Forms). Print events may be logged as Download events when printing files with the Drive app from Apple® iOS® or Android devices.
Downloads from the following sources are not logged:
Viewing files using the /htmlview, /embed, /revisions, and other special URLs are now logged as view events.
Publishing to the web for Google Docs, Sheets, Slides & Forms is not logged.
Only the following actions are logged for anonymous users, who are not signed-in to a Google Account, who are viewing a link-shared file:
Download events are logged when files are copied between Drive and a local device using Drive File Stream or Backup and Sync.
|Event description||Summary of the event, such as "Larry created an item."||Not filterable|
|Item type||File format that the activity involves, such as Google Docs, Sheets, Slides, JPEG, PDF, PNG, MP4, Microsoft Word, Excel®, PowerPoint®, txt, HTML, MPEG audio, QuickTime® video, folder, or shared drives.||Filterable|
|Item ID||Unique Drive item identifier associated with the activity, as stored in the URL link for the file.||Filterable|
|Visibility||Visibility of the Drive item associated with the activity.||Filterable|
|Prior Visibility||Visibility of the Drive item prior to the activity.||Filterable|
|User||Primary email address of the user who performed the activity. Users external to the domain who initiate events are shown as anonymous, except when they view or edit a document explicitly shared with them (as an individual or as part of a specific group).||Filterable; also works if only the domain name is entered|
|Owner||User who owns the file.||Filterable|
|Date and time range||
Date and time the event occurred (displayed in your browser's default time zone).
Note: Most events are logged as soon as they’re complete. In some cases, such as with large uploads, this can take a while.
Address from where the user performed the activity. This might reflect the user's physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.
No IP addresses are logged for events:
|Billable||(G Suite Essentials only) Whether the user action is a chargeable activity.||Not filterable|
File visibility and sharing permissions
When a user in your domain shares a file, a "User Sharing Permissions Change" event is added to the audit log.
To see files that are shared with users outside of a domain, under Visibility, select Shared Externally.
- If you share a file with someone outside your domain who doesn’t have a Google account, the invitee must create a Google account to share the file. The sharing permissions change event won't appear in the audit log until the invitee creates an account and opens the file.
- If you turn off external sharing and a user shares a resource with a group that allows external users, data will be marked Shared External in the log. However, any external users in the group can’t access the shared resource. And, you’ll see this even if the group doesn’t have any external users.