Login audit log

Track user sign-in activity

You can use the Login audit log to track user sign-ins to your domain. All sign-ins from web browsers are logged. When users sign in from a mail client or non-browser application, only suspicious attempts are logged. 

Note: For details on when log data becomes available and how long it's retained, see Data retention and lag times.

Step 1: Open your Login audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit, click Login.
  4. (Optional) Next to the columns, click Manage columns Manage columns and select the columns that you want to see or hide.

Step 2: Understand Login audit log data

Data you can view
Data Type Description
Event name The action that was logged, such as a login challenge or a failed sign-in attempt. See Event name descriptions for details.
Event description Details of the event described in the Event name field.
IP address Internet Protocol (IP) address that the user used to sign in to the Admin console. This might reflect your physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.
Login Type

Details of how the user signed in.

  • Exchange - when a user is authenticated by token exchange, such as via an OAuth login. It might also indicate the user was already signed into a session when they signed into another, and the two sessions were merged.
  • Google Password - with a Google password. Includes logins to less secure apps (if allowed). 
  • Reauth - with a password re-authentication request
  • SAML - via single sign-on Security Assertion Markup Language (SAML)
  • Unknown - using an unknown method
Date and time range Date and time of the event (displayed in your browser's default time zone).
Event name descriptions

Here are types of events that are available under the Event name column (see above):

Event name Description
Failed Login

Log entry for each time a user fails to log in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. 
Government-backed attack Log entry for each time government-backed attackers may have tried to compromise a user account or computer. Click here to learn more about government-backed attacks.
Login challenge

Log entry for each time a user was asked an extra security question because we detected a suspicious sign-in attempt.

For details, see Verify a user’s identity with extra security.
Login verification Log entry for each time a user was asked an extra security question when we did not detect a suspicious sign-in attempt.
Logout Log entry for each time a user logged out.
Successful login Log entry for each time a user logged in.
Suspicious login Log entry for each time a user logged in and the login had some unusual characteristics, for example the user logged in from an unfamiliar IP address.
Suspicious login events are shown with a red warning icon.
Leaked password Log entry for each time a password reset is required because Google detects compromised credentials.

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when a user was presented with a login challenge, or find all login activity for a particular user.

  1. Open your audit log as shown above.
  2. Click Add a filter.
  3. Select and enter the criteria for your filter and if needed, click Apply.
  4. (Optional) To filter by organizational unit, at the top right, click Organization filter, select the organizational unit, and click Apply.
  5. (Optional) To specify a date range to search, click Date range and select a period from the list or enter a start and end date and time. If needed, click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between parent and child organizational units in a domain.

  1. Open your report as shown above.
  2. At the top, click Organization filter.
  3. Select an organizational unit and click Apply.

Filter by date

  1. Open your report as shown above.
  2. At the top, click Date range.
  3. Select a period from the list or enter a start and end date and time.
  4. If needed, click Apply.

You can only filter the current organizational unit hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or comma-separated values (CSV).
  6. Click Download.

You can export a maximum of 100,000 rows to Sheets or CSV.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can receive email alerts for sign-in activity based on your filters.

  1. Open your Login audit log as shown above.
  2. Click Add a filter.
  3. Enter or select the criteria for your filter and click Create Alert.
  4. Enter a name for the alert.
  5. (Optional) To send the alert to all super administrators, under Recipients, click Turn on Turn on.
  6. Enter the email addresses of alert recipients.
  7. Click Create.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?