Login audit log
As a Google administrator, use the Login audit log to track user sign-ins to your domain. All sign-ins from web browsers are logged, including successful, unsuccessful, and suspicious attempts. Suspicious login events are shown with a red warning icon. When users sign in from a mail client or non-browser application, only suspicious attempts are logged.
Step 1: Open your Login audit log
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Reports.
To see Reports, you might have to click More controls at the bottom.
- On the left, under Audit, click Login.
- Optionally, at the top right, click Select columns
. Select the columns you want to see or hide:
- IP Address—Internet Protocol (IP) address used by the user to sign in.
- Date—Date the sign-in occurred (displayed in your default time zone).
- Login Type (SSO only)—Displays the way the user signed in.
. Select the columns you want to see or hide:
Step 2: Understand Login audit log data
Data you can view| Data Type | Description |
|---|---|
| Event name | The action that was logged, such as a login challenge or a failed sign-in attempt. See Event name descriptions for details. |
| Event description | Details of the event described in the Event name field. |
| IP address | Internet Protocol (IP) address that the user used to sign in to the Admin console. This might reflect your physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address. |
| Login Type |
Details of how the user signed in.
|
| Date and time range | Date and time the event occurred (displayed in your browser's default time zone). |
Here are types of events that are available under the Event name column (see above):
| Event name | Description |
|---|---|
| Failed Login |
Log entry for each time a user fails to log in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. |
| Government-backed attack | Log entry for each time government-backed attackers may have tried to compromise a user account or computer. Click here to learn more about government-backed attacks. |
| Login challenge |
Log entry for each time a user was asked an extra security question because we detected a suspicious sign-in attempt. For details, see Verify a user’s identity with extra security. |
| Login verification | Log entry for each time a user was asked an extra security question when we did not detect a suspicious sign-in attempt. |
| Logout | Log entry for each time a user logged out. |
| Successful login | Log entry for each time a user logged in. |
| Suspicious login | Log entry for each time a user logged in and the login had some unusual characteristics, for example the user logged in from an unfamiliar IP address. |
| Suspicious login blocked | Log entry for each time a login is blocked because Google detects a suspicious login. |
| Suspicious login from less secure app blocked |
Log entry for each time a login is blocked because Google detects a suspicious login from a less-secure app, which is an app that doesn’t meet Google’s security standards. |
| User suspended | Log entry for each time a user is suspended; for example, when Google detects suspicious activity that suggests an account has been compromised. |
| User suspended (spam) | Log entry for each time a user is suspended because Google detects an account compromise, such as evidence that the user is sending spam. |
| User suspended (spam through relay) | Log entry for each time a user is suspended because Google detects an account compromise, such as evidence that the user is sending spam through the SMTP relay service. |
| User suspended (suspicious activity) | Log entry when a user has been suspended due to suspicious activity |
| Leaked password | Log entry for each time a password reset is required because Google detects compromised credentials. |
Step 3: Customize and export your audit log data
Filter the audit log data by user or activity
You can narrow your audit log to show specific events or users. For example, find all log events for when a user was presented with a login challenge, or find all login activity for a particular user.
- Open your Login audit log as shown above.
- If you don't see the Filters section, click Filter
.
- Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
- Click Search.
.Export your audit log data
You can export your audit log data to Google Sheets or download it to a CSV file.
- Open your audit log as shown above.
- (Optional) To change the data to include in your export:
- On the toolbar, click Select columns
- Check the box next to the data you want to export and click Apply.
- On the toolbar, click Select columns
- On the toolbar, click Download
.
.You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.
How old is the data I'm seeing?
For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.
Step 4: Set up email alerts
You can receive email alerts for sign-in activity based on your filters.
- Open your Login audit log as shown above.
- If you don't see the Filters section, click Filter
.
- In the Filters section, select the criteria to filter. You can use any combination of filters, except IP Address and Date and time range.
- Click Set Alert.
- Enter an Alert name.
- Choose the recipients of the email alert:
- Check the box to deliver the email alert to super administrators.
- Enter the email addresses of any other email alert recipients.
- Click Save.
.To edit your custom alerts, refer to Administrator email alerts.
