As an administrator, you can use the Google Drive audit log to record your organization's user activity. The Google Drive audit log includes content your users create in Google Docs, Sheets, Slides, and other Google Workspace apps, and content that your users upload to Drive, such as PDFs and Microsoft Word files.
You can use the Activity API to programmatically access basic reports data. If your Google Workspace edition supports it, you can use a new Reports API to access advanced Google Workspace reports data.
- For details on when data becomes available and how long it's retained, go to Data retention and lag times.
- Drive audit events are logged only for files owned by users with supported editions.
From the Admin console Home page, go to Reports.
- On the left, under Audit log, click Drive.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Understand Drive audit log dataData you can view
The Google Admin console bases its Drive audit logs on the following user data:
|Data type||Description||Filtering within the Admin Console|
User action such as View, Rename, Create, Edit, Preview, Print, Update, Delete, Upload, Download, or Share a Drive file.
Most actions are logged immediately. However, Preview events in the Drive viewer can be delayed 12 hours or more from the time of the event. Files that are automatically deleted by Google Drive or emptied from Trash are logged. Other events, such as uploading a file, are logged once they’re complete.
When you copy files, the type of action that’s logged depends on the file type:
If the user uses the "Make a copy" menu item in Docs, Sheets, or Slides, a View event is also logged for the new file because it is displayed to the user
Shared drive files
Viewing Trash and Changing Theme on a shared drive is not logged
Print events are not recorded for Google file formats (Docs, Sheets, Slides, Drawings, Forms). Print events may be logged as Download events when printing files with the Drive app from Apple iPhone and iPad or Android devices.
Downloads from the following sources are not logged:
Viewing files using the /htmlview, /embed, /revisions, and other special URLs are now logged as view events
Publishing to the web for Google Docs, Sheets, Slides & Forms is not logged
Only the following actions are logged for anonymous users, who are not signed-in to a Google Account, who are viewing a link-shared file:
Download events are logged when files are copied between Drive and a local device using Google Drive for desktop or Backup and Sync
|Event description||Summary of the event, such as "Larry created an item"||Not filterable|
|Item type||File format that the activity involves, such as Google Docs, Sheets, Slides, JPEG, PDF, PNG, MP4, Microsoft Word, Excel, PowerPoint, txt, HTML, MPEG audio, QuickTime video, folder, or shared drives||Filterable|
|Item ID||Unique Drive item identifier associated with the activity, as stored in the URL link for the file||Filterable|
|Visibility||Visibility of the Drive item associated with the activity||Filterable|
|Prior Visibility||Visibility of the Drive item prior to the activity||Filterable|
|User||Primary email address of the user who performed the activity. Users external to the domain who initiate events are shown as anonymous, except when they view or edit a document explicitly shared with them (as an individual or as part of a specific group)||Filterable; also works if only the domain name is entered|
|Visitor||Yes means that the activity is by a non-Google user. No means that the activity is by a Google user. Learn more about sharing documents with visitors.||Filterable|
|Owner||User who owns the file||Filterable|
Date and time the event occurred (displayed in your browser's default time zone)
Note: Most events are logged when they’re complete. Sometimes, like with large uploads, this can take a while.
Address from where the user performed the activity. This might reflect the user's physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.
No IP addresses are logged for events:
|Billable||(Essentials edition only) Whether the user action is a chargeable activity||Not filterable|
File visibility and sharing permissions
When a user in your domain shares a file, a "User Sharing Permissions Change" event is added to the audit log.
To see files that are shared with users outside of a domain, under Visibility, select Shared Externally.
- If you share a file with someone outside your domain who doesn’t have a Google Account, the invitee must create a Google Account to share the file. The sharing permissions change event won't appear in the audit log until the invitee creates an account and opens the file.
- If you turn off external sharing and a user shares a resource with a group that allows external users, data is marked Shared Externally in the log. However, any external users in the group can’t access the shared resource. And, you’ll see this even if the group doesn’t have any external users.
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. Event names are self-explanatory.
When and how long is data available?
Go to Data retention and lag times.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.