Drive audit log

View user Drive file activity

This feature is available with G Suite Business, Education, Enterprise, and Drive Enterprise editions. Compare editions

As a G Suite administrator, you can use the Drive audit log to collect and see a list of your domain's user activity; for example, view, create, preview, print, update, delete, download, or share Drive content. The Drive audit log includes content your users create in Google Docs, Sheets, Slides, and other G Suite applications, as well as content created elsewhere that your users upload to Drive, such as PDFs and Word® files. 

Domains with any version of G Suite can use the Activity API to programmatically access basic G Suite reports data, while domains with G Suite Enterprise, G Suite Business, or Drive Enterprise can use a new Reports API to access advanced G Suite reports data.

IMPORTANT: Drive audit events are logged only for files owned by users with G Suite Business, Enterprise, or Drive Enterprise licenses.

Step 1: Open your Drive audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click Drive.

    You might have to scroll to see Audit.

  4. (Optional) On the toolbar, click Manage columns Manage columns and select the columns you want to see or hide.
  5. See below for how to interpret and customize log data.

Step 2: Understand Drive audit log data

Data you can view

The Google Admin console bases its Drive audit logs on the following user data:

Data Type Description Filtering within the Admin Console
Event name

User action such as View, Rename, Create, Edit, Preview, Print, Update, Delete, Upload, Download, or Share a Drive file.

Most actions are logged immediately. However, Preview events in the Drive viewer can be delayed 12 hours or more from the time of the event. Other events, such as uploading a file, are logged once they’re complete. 

Copying files 

When you copy files, the type of action that’s logged depends on the file type:

  • Docs, Sheets, or Slides— Create and Edit actions are logged for the new file.
  • Microsoft® Office® and non-Google format files—A Create event is logged for the new file.

If the user uses the "Make a copy" menu item in Docs, Sheets, or Slides, a View event is also logged for the new file because it is displayed to the user.

Shared drive files

Viewing Trash and Changing Theme on a shared drive is not logged.

Printing files

Print events are not recorded for Google file formats (Docs, Sheets, Slides, Drawings, Forms). Print events may be logged as Download events when printing files with the Drive app from Apple® iOS® or Android devices. 

Downloading files

Downloads from the following sources are not logged:

  • Google Takeout downloads
  • Downloads to offline browser caches
  • Photos that are synced to, downloaded from, or viewed through Google Photos
  • Drive items that are emailed as attachments and downloaded through the recipient's email client

Viewing files

Viewing files using the "/htmlview URL" parameters is not logged.

Publishing files

Publishing to the web for Google Docs, Sheets, Slides & Forms is not logged.

Anonymous users

Only the following actions are logged for anonymous users, who are not signed-in to a Google account, who are viewing a link-shared file:

  • Viewing or editing files in Docs, Sheets, Slides, Drawings, and Forms. Views for other file types in Drive are not logged.

Sync clients

Download events are logged when files are copied between Drive and a local device using Drive File Stream or Backup and Sync.

Event description Summary of the event, such as "Larry created an item." Not filterable
Item type File format that the activity involves, such as Google Docs, Sheets, Slides, JPEG, PDF, PNG, MP4, Microsoft®  Word®, Excel®, PowerPoint®, txt, HTML, MPEG audio, QuickTime® video, folder, or shared drives. Filterable
Item ID Unique Drive item identifier associated with the activity, as stored in the URL link for the file. Filterable
Visibility Visibility of the Drive item associated with the activity. Filterable
Prior Visibility Visibility of the Drive item prior to the activity. Filterable
User Primary email address of the user who performed the activity. Users external to the domain who initiate events are shown as anonymous, except when they view or edit a document explicitly shared with them (as an individual or as part of a specific group). Filterable; also works if only the domain name is entered
Owner User who owns the file. Filterable
Date and time range

Date and time the event occurred (displayed in your browser's default time zone).

Note: Most events are logged as soon as they’re complete. In some cases, such as with large uploads, this can take a while.

IP address

Address from where the user performed the activity. This might reflect the user's physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address. 

No IP addresses are logged for events:

  • Initiated by users external to the domain.
  • From services that don't log the IP address in their requests.
  • Relating to renaming or deleting a shared drive.
Not filterable
Billable (Drive Enterprise only) Whether the user action is a chargeable activity. Not filterable
File visibility and sharing permissions

When a user in your domain shares a file, a "User Sharing Permissions Change" event is added to the audit log.

To see files that are shared with users outside of a domain, under Visibility, select Shared Externally.

  • If you share a file with someone outside your domain who doesn’t have a Google account, the invitee must create a Google account to share the file. The sharing permissions change event won't appear in the audit log until the invitee creates an account and opens the file.
  • If you turn off external sharing and a user shares a resource with a group that allows external users, data will be marked Shared External in the log. However, any external users in the group can’t access the shared resource. And, you’ll see this even if the group doesn’t have any external users.

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when users updated or deleted a Drive file, or find all Sheets activity for a particular user.

  1. Open your Drive audit log as shown above.
  2. Click + Add Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. (Optional) Click Date range, select a period from the list, or enter a start and end date, and time.
  5. Click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your report as shown above.
  2. At the top, click Organization filter, search for a name or select an organizational unit from the list.
  3. (Optional) Click Date range, select a period from the list, or enter a start and end date, and time.

    Note: You can filter by any event at + Add a filter , and then filter the results by Organization filter or Date range.

  4. Click Apply.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or Comma-separated values (.csv).
  6. Click Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can easily track specific Drive activities by setting up alerts. For example, get an alert whenever someone creates or deletes a document.

  1. Open your Drive audit log as shown above.
  2. Click + Add Filter.
  3. Enter or select the criteria for your filter.

    To set up an alert, you can filter on any combination of the data you can view in the log except date and time range.

  4. Click Create Alert and enter a name for the alert.
  5. At Recipients, click Turn on Turn on to send the alert to a super administrator account.
  6. Enter the email addresses of any other alert recipients.Enter the email addresses of any other email alert recipients.
  7. Click Create.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?