Login audit log

Track user sign-in activity

You can use the Login audit log to track user sign-ins to your domain. You can review all sign-ins from web browsers. If a user signs in from an email client or a non-browser application, you can only review reports of suspicious attempts.

You can opt in to share the audit log data with Google Cloud Platform (GCP). If you turn on sharing, data is forwarded to GCP Cloud Logging, where you can query and view your logs, and control how you route and store your logs.

Open the Login audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit log, click Login.
  4. (Optional) To customize what data you see, on the right, click Manage columns. Select the columns that you want to see or hide, and then click Save.

Data you can view

The Login audit log provides the following information:

| Data type | Description |
|---|---|
| Event description | Details of the user and sign-in attempt |
| IP address | IP address that the user used to sign in. Usually the address is the user's physical location, but it can be a proxy server or a Virtual Private Network (VPN) address. |
| Login type | Authentication method the user used (see the values listed below the table) |
| Date | Date and time of the event (displayed in your browser's default time zone) |

Login type values:

  • Exchange—When a user is authenticated by token exchange, such as via an OAuth login. It might also indicate the user was already signed into a session when they signed in to another, and the 2 sessions were merged.
  • Google Password—Used a Google password. Includes sign-ins to less secure apps (if allowed)
  • Reauth—User authenticated with a password re-authentication request
  • SAML—Authentication by single sign-on Security Assertion Markup Language (SAML)
  • Unknown—User signed in using an unknown method

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Event names for the Login audit log include:

| Event name | Description |
|---|---|
| 2-step verification disable | Each time a user disables 2-Step verification |
| 2-step verification enroll | Each time a user enrolls in 2-Step verification |
| Account password change | Each time a user changes an account password. Note: This refers to users changing passwords at myaccount.google.com. It doesn't include password changes when the admin forces users to change their password at the next sign in. |
| Account recovery email change | Each time a user changes a recovery email address |
| Account recovery phone change | Each time a user changes an account recovery phone number |
| Account recovery secret question/answer change | Each time a user changes an account recovery secret question and answer |
| Advanced Protection enroll | Each time a user enrolls in the Advanced Protection Program |
| Advanced Protection unenroll | Each time a user unenrolls in the Advanced Protection Program |
| Failed Login | Each time a user fails to sign in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. |
| Government-backed attack | Each time government-backed attackers might have tried to compromise a user account or computer |
| Leaked password | When a password reset is required because Google detects compromised credentials |
| Login challenge | User asked an extra security question due to a suspicious sign-in attempt |
| Login verification | User asked an extra security question when Google did not detect a suspicious sign-in attempt |
| Logout | Each time a user logs out. Note: Even if the user signed in with login types other than Google Password (such as Exchange, Reauth, SAML, or Unknown), the Login type for Logout events is displayed as Google Password. |
| Out of domain email forwarding enabled | Each time a user enables the forwarding of emails outside of the domain |
| Successful login | Each time a user logged in |
| Suspicious login | Each time a user logged in and the login had some unusual characteristics. For example, if the user logged in from an unfamiliar IP address. Suspicious login events are shown with a red warning icon. |
| Suspicious login blocked | Each time a suspicious login was blocked |
| Suspicious login from less secure app blocked | Each time a suspicious login from a less secure app was blocked |
| Suspicious programmatic login blocked | Each time a suspicious login with programmatic elements was blocked |
| User suspended | Each time a user was suspended |
| User suspended (spam through relay) | Each time a user was suspended due to spam relay |
| User suspended (spam) | Each time a user was suspended due to spam |
| User suspended (suspicious activity) | Each time a user was suspended due to suspicious activity |
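
Filtering on one event name at a time does not show sequences. As an added example (not part of the original help page or any Google tooling), the Python below goes a step further and flags account-setting changes made by the same user within 24 hours after a "Suspicious login". The event names are the ones listed above; the row fields (`time`, `user`, `event`, `ip`), the 24-hour window and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names as displayed in the Login audit log (from the list above).
SUSPICIOUS = "Suspicious login"
FOLLOW_ON = {
    "2-step verification disable",
    "Account password change",
    "Account recovery email change",
    "Account recovery phone change",
    "Advanced Protection unenroll",
    "Out of domain email forwarding enabled",
}

def find_takeover_patterns(rows, window=timedelta(hours=24)):
    """Return (user, ip, follow-on event, delay) for each account-setting
    change made within `window` after a "Suspicious login" by the same user."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append((datetime.fromisoformat(row["time"]), row))
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda pair: pair[0])  # chronological order per user
        last_suspicious = None  # (time, ip) of the most recent suspicious login
        for when, row in events:
            if row["event"] == SUSPICIOUS:
                last_suspicious = (when, row["ip"])
            elif row["event"] in FOLLOW_ON and last_suspicious:
                delay = when - last_suspicious[0]
                if delay <= window:
                    findings.append((user, last_suspicious[1], row["event"], delay))
    return findings

# Constructed sample rows; the field names are assumptions, not the export format.
SAMPLE = [
    {"time": "2024-03-01T08:00:00", "user": "ana@example.com", "event": "Successful login", "ip": "198.51.100.7"},
    {"time": "2024-03-01T09:12:00", "user": "bo@example.com", "event": "Suspicious login", "ip": "203.0.113.50"},
    {"time": "2024-03-01T09:15:00", "user": "bo@example.com", "event": "2-step verification disable", "ip": "203.0.113.50"},
    {"time": "2024-03-01T09:20:00", "user": "bo@example.com", "event": "Out of domain email forwarding enabled", "ip": "203.0.113.50"},
    {"time": "2024-03-01T10:00:00", "user": "ana@example.com", "event": "Account password change", "ip": "198.51.100.7"},
    {"time": "2024-03-05T10:00:00", "user": "bo@example.com", "event": "Account password change", "ip": "203.0.113.50"},
]

if __name__ == "__main__":
    for user, ip, event, delay in find_takeover_patterns(SAMPLE):
        print(f"{user}: '{event}' {delay} after suspicious login from {ip}")
```

The password change four days after the suspicious login falls outside the window and is not reported; widen `window` if your review cadence is slower.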

When and how long is data available?

Go to Data retention and lag times.
