Search
Clear search
Close search
Google apps
Main menu

Google Apps is now G Suite. Same service, new name. More about the name change.

Drive audit log

View user Drive file activity

This feature is available only with G Suite Business or G Suite for Education.

As a G Suite administrator, you'll want to get a list of every time your domain's users view, create, preview, print, update, delete, download, or share Drive content. You'll use the Drive audit log to collect this information. The Drive audit log includes content your users create in Google Docs, Sheets, Slides, and other G Suite applications, as well as content created elsewhere that your users upload to Drive, such as PDFs and Word files.

Step 1: Open your Drive audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. Click Drive.
  4. On the toolbar, click Select columns Select columns. Then select the data you want to show in your log.
  5. See below for how to interpret and customize log data.

Step 2: Understand Drive audit log data

Data you can view

The Admin console bases its Drive audit logs on the following user data:

Data Type Description
Event name Action the user performed, such as View, Rename, Create, Edit, Preview, Print, Update, Delete, Download, or Share.
Event description Summary of the event, such as "Larry created an item."
User Email address of the user who performed the activity
Document type Type of Drive file the activity involves.
Document ID ID number of the Drive file the activity involves.
Owner User who owns the file.
Date Date and time the event occurred (displayed in your browser's default time zone).
IP address Internet Protocol (IP) address from where the user performed the activity. This might reflect your physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when users updated or deleted a Drive file, or find all Sheets activity for a particular user.

  1. Open your Drive audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. Click Search.

Export your audit log data

You can export your Drive audit log data to a Google Sheet, or download it to a CSV file.

  1. Open your Drive audit log as shown above.
  2. (Optional) To change the data to include in your export, on the toolbar, click Select columns Select columns.
  3. On the toolbar, click Download Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select.

Change how much data you show

You won’t see complete data up to the present day. Instead, activity in recent days might only be partially reported while it’s still being collected. To choose an end date for collecting data and see the most recent date full data is available:

  1. At the top, next to the calendar, click the Down arrow Down Arrow.
  2. In the calendar, choose an end date for collecting data in your report.

    A green background marks the latest date when all data are collected. You can select a date after that, but later days might report only partial data.

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can easily track specific Drive activities by setting up alerts. For example, get an alert whenever someone creates or deletes a document.

  1. Open your Drive audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. To set up an alert, you can filter on any combination of the data you can view in the log except date and time range.
  4. Click Set Alert.
  5. In the Set alert: Drive box, enter a name for the alert.
  6. Check the box to deliver the alert to the account super administrators.
  7. Enter the email addresses of any other alert recipients.
  8. Click Save.

To edit your custom alerts, see Administrator email alerts.

Note the following:

  • Each entry in the log links to the file associated with the event.
  • No IP addresses are logged for events initiated by users external to the domain.
  • Even if the request is initiated by users internal to the domain not all events will be logged with IP addresses.
  • Users external to the domain who initiate events are shown as anonymous, except when they view or edit a document explicitly shared with them (as an individual or as part of a specific group).
  • No IP addresses are logged for events from services that don't log the IP address in their requests.
  • When you copy files, the type of action logged in the Drive audit logs depends on the file type:
    • Copy Google Docs: "Create", "Edit", and "View" are logged
    • Copy Google Sheets: "Create", and "Edit" are logged
    • Copy Google Slides: "Create", and "Edit" are logged
    • Copy any MS Office format or non Google format files: only "Create" is logged
  • Exported Google Sheets and downloaded CSV files both show a maximum of 10,000 rows.
  • Domains with any version of G Suite can use the Activity API to programmatically access basic G Suite reports data, while domains with G Suite Business can use a new Reports API to access advanced G Suite reports data.

Known Issues

  • The log shows preview events that occurred in the Drive viewer and print events that occurred in the Drive viewer and the Google Docs editors, but reports on these events may be delayed up to 12 hours from the time of the event.
  • The log may show print events as download events when printing files with the Drive application from iOS or Android devices or when printing slide or sheet files with the Drive web UI.
  • Downloads from the following sources are not logged:
    • Google Drive for Mac/PC sync client downloads
    • Google Takeout downloads
    • Downloads to offline browser caches
    • Docs printed from the Drive web UI
    • Photos that are synced to, downloaded from, or viewed through Google Photos
    • Drive items that are emailed as attachments and downloaded through the recipient's email client
Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.