Login audit log

Track user sign-in activity

You can use the Login audit log to track user sign-ins to your domain. You can review all sign-ins from web browsers. If a user signs in from an email client or a non-browser application, you can only review reports of suspicious attempts.

Open the Login audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit log, click Login.

  4. (Optional) To customize what data you see, on the right, click Manage columns "". Select the columns that you want to see or hideand thenclick Save.

  5. (Optional) Review ways to filter and export log data and create alerts.

Data you can view

The Login audit log provides the following information:

Data type Description
Event description Details of the user and sign-in attempt
IP address IP address that the user used to sign in. Usually the address is the user's physical location, but it can be a proxy server or a Virtual Private Network (VPN) address.
Login type

Authentication method the user used:

  • Exchange—When a user is authenticated by token exchange, such as via an OAuth login. It might also indicate the user was already signed into a session when they signed in to another, and the 2 sessions were merged
  • Google Password—Used a Google password. Includes sign-ins to less secure apps (if allowed)
  • Reauth—User authenticated with a password re-authentication request
  • SAML—Authentication by single sign-on Security Assertion Markup Language (SAML)
  • Unknown—User signed in using an unknown method
Date Date and time of the event (displayed in your browser's default time zone)

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Event names for the Login audit log include:

Event name Description
Failed Login

Each time a user fails to sign in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. 
Government-backed attack

Each time government-backed attackers might have tried to compromise a user account or computer
Leaked password When a password reset is required because Google detects compromised credentials
Login challenge

User asked an extra security question due to a suspicious sign-in attempt
Login verification User asked an extra security question when Google did not detect a suspicious sign-in attempt
Logout Each time a user logged out
Successful login Each time a user logged in
Suspicious login

Each time a user logged in and the login had some unusual characteristics. For example, if the user logged in from an unfamiliar IP address.

Suspicious login events are shown with a red warning icon.
Suspicious login blocked Each time a suspicious login was blocked
Suspicious login from less secure app blocked Each time a suspicious login from a less secure app was blocked
Suspicious programmatic login blocked Each time a suspicious login with programmatic elements was blocked
User suspended Each time a user was suspended
User suspended (spam through relay) Each time a user was suspended due to spam relay
User suspended (spam) Each time a user was suspended due to spam
User suspended (suspicious activity) Each time a user was suspended due to suspicious activity

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue