Login audit log

Track user sign-in activity

You can use the Login audit log to track user sign-ins to your domain. All sign-ins from web browsers are logged. When users sign in from a mail client or non-browser application, only suspicious attempts are logged. 

Open the Login audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit, click Login.

  4. (Optional) To customize what you review, on the right, click Manage columns Manage columns, select the columns that you want to see or hide, and click Save.

  5. Review ways to filter and export log data and create alerts.

Data you can view

Data type Description
Event description Details of the event described in the Event Name field.
IP address IP address that the user used to sign in to the Admin console. This might reflect your physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.
Login type

Details of how the user signed in.

  • Exchange—When a user is authenticated by token exchange, such as via an OAuth login. It might also indicate the user was already signed into a session when they signed in to another, and the 2 sessions were merged.
  • Google Password—Used a Google password. Includes sign-ins to less secure apps (if allowed).
  • Reauth—Use a password re-authentication request.
  • SAML—Via single sign-on Security Assertion Markup Language (SAML).
  • Unknown—Use an unknown method.
Date Date and time of the event (displayed in your browser's default time zone).

Event names

Here are types of events that are available under the Event name column (see above):

Event name Description
Failed Login

Each time a user fails to sign in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. 
Government-backed attack Each time a government-backed attackers might have tried to compromise a user account or computer. Learn about government-backed attack alerts.
Leaked password Each time a password reset is required because Google detects compromised credentials.
Login challenge

Each time a user was asked an extra security question because we detected a suspicious sign-in attempt.

For details, see Verify a user’s identity with extra security.
Login verification Each time a user was asked an extra security question when we did not detect a suspicious sign-in attempt.
Logout Each time a user logged out.
Successful login Each time a user logged in.
Suspicious login

Each time a user logged in and the login had some unusual characteristics—for example, if the user logged in from an unfamiliar IP address.

Suspicious login events are shown with a red warning icon.
Suspicious login blocked Each time a suspicious login was blocked.
Suspicious login from less secure app blocked Each time a suspicious login from a less secure app was blocked.
Suspicious programmatic login blocked Each time a suspicious login with programmatic elements was blocked.
User suspended Each time a user was suspended.
User suspended (spam through relay) Each time a user was suspended due to spam relay.
User suspended (spam) Each time a user was suspended due to spam.
User suspended (suspicious activity) Each time a user was suspended due to suspicious activity.

When and how long is data available?

See Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?