You can use the Login audit log to track user sign-ins to your domain. You can review all sign-ins from web browsers. If a user signs in from an email client or a non-browser application, you can only review reports of suspicious attempts.
Forward log event data to the Google Cloud Platform
You can opt in to share the log event data with Google Cloud Platform. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.
Open the Login audit log
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Reports.
- On the left, click Audit
Login.
-
(Optional) To customize what data you see, on the right, click Manage columns
. Select the columns that you want to see or hide
-
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Login audit log provides the following information:
| Data type | Description |
|---|---|
| Event description | Details of the user and sign-in attempt |
| IP address | IP address that the user used to sign in. Usually the address is the user's physical location, but it can be a proxy server or a Virtual Private Network (VPN) address. |
| Login type |
Authentication method the user used:
|
| Date | Date and time of the event (displayed in your browser's default time zone) |
Event names
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Event names for the Login audit log include:
| Event name | Description |
|---|---|
| 2-step verification disable | Each time a user disables 2-Step verification |
| 2-step verification enroll | Each time a user enrolls in 2-Step verification |
| Account password change | Each time a user changes an account password
Note: This refers to users changing passwords at myaccount.google.com. It doesn’t include password changes when the admin forces users to change their password at the next sign in. |
| Account recovery email change | Each time a user changes a recovery email address |
| Account recovery phone change | Each time a user changes an account recovery phone number |
| Account recovery secret question/answer change | Each time a user changes an account recovery secret question and answer |
| Advanced Protection enroll | Each time a user enrolls in the Advanced Protection Program |
| Advanced Protection unenroll | Each time a user unenrolls in the Advanced Protection Program |
| Failed Login |
Each time a user fails to sign in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended. |
| Government-backed attack |
Each time government-backed attackers might have tried to compromise a user account or computer |
| Leaked password | When a password reset is required because Google detects compromised credentials |
| Login challenge |
User asked an extra security question due to a suspicious sign-in attempt |
| Login verification | User asked an extra security question when Google did not detect a suspicious sign-in attempt |
| Logout |
Each time a user logs out Note: Even if the user signed in with login types other than Google Password, (such as Exchange, Reauth, SAML, or Unknown), the Login type for Logout events is displayed as Google Password. |
| Out of domain email forwarding enabled | Each time a user enables the forwarding of emails outside of the domain |
| Successful login | Each time a user logged in |
| Suspicious login |
Each time a user logged in and the login had some unusual characteristics. For example, if the user logged in from an unfamiliar IP address. Suspicious login events are shown with a red warning icon. |
| Suspicious login blocked | Each time a suspicious login was blocked |
| Suspicious login from less secure app blocked | Each time a suspicious login from a less secure app was blocked |
| Suspicious programmatic login blocked | Each time a suspicious login with programmatic elements was blocked |
| User suspended | Each time a user was suspended |
| User suspended (spam through relay) | Each time a user was suspended due to spam relay |
| User suspended (spam) | Each time a user was suspended due to spam |
| User suspended (suspicious activity) | Each time a user was suspended due to suspicious activity |
When and how long is data available?
Go to Data retention and lag times.
