You can use the Login audit log to track user sign-ins to your domain. You can review all sign-ins from web browsers. If a user signs in from an email client or a non-browser application, you can only review reports of suspicious attempts.
Open the Login audit log
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Reports.
- On the left, under Audit log, click Login.
-
(Optional) To customize what data you see, on the right, click Manage columns
. Select the columns that you want to see or hide
click Save.
-
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Login audit log provides the following information:
Data type | Description |
---|---|
Event description | Details of the user and sign-in attempt |
IP address | IP address that the user used to sign in. Usually the address is the user's physical location, but it can be a proxy server or a Virtual Private Network (VPN) address. |
Login type |
Authentication method the user used:
|
Date | Date and time of the event (displayed in your browser's default time zone) |
Event names
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Event names for the Login audit log include:
Event name | Description |
---|---|
Failed Login |
Each time a user fails to sign in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. |
Government-backed attack |
Each time government-backed attackers might have tried to compromise a user account or computer |
Leaked password | When a password reset is required because Google detects compromised credentials |
Login challenge |
User asked an extra security question due to a suspicious sign-in attempt |
Login verification | User asked an extra security question when Google did not detect a suspicious sign-in attempt |
Logout | Each time a user logged out |
Successful login | Each time a user logged in |
Suspicious login |
Each time a user logged in and the login had some unusual characteristics. For example, if the user logged in from an unfamiliar IP address. Suspicious login events are shown with a red warning icon. |
Suspicious login blocked | Each time a suspicious login was blocked |
Suspicious login from less secure app blocked | Each time a suspicious login from a less secure app was blocked |
Suspicious programmatic login blocked | Each time a suspicious login with programmatic elements was blocked |
User suspended | Each time a user was suspended |
User suspended (spam through relay) | Each time a user was suspended due to spam relay |
User suspended (spam) | Each time a user was suspended due to spam |
User suspended (suspicious activity) | Each time a user was suspended due to suspicious activity |
When and how long is data available?
Go to Data retention and lag times.