User log events

Audit and investigation page: Review user sign-in activity
The audit log page has been replaced with a new audit and investigation page. For information about this change, go to Improved audit and investigation experience: What's new in Google Workspace

You can use the audit and investigation page to run searches related to User log events. There you can check critical actions carried out by users on their own accounts. These actions include changes to passwords, account recovery details (telephone numbers, email addresses), and 2-Step Verification enrollment. A login from an email client or a non-browser application is not logged in this report unless it’s a programmatic login from a session that was considered suspicious.

Note: 

  • During a recent launch, the old Login audit log and User accounts audit log were combined into the User log events data source. For more details, see What's new: Improved audit and investigation experience.
  • If there’s no data for user log events during the previous 6 months, User log events might not be displayed in the left navigation menu.

For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the About the audit and investigation tool.

Forward log event data to Google Cloud

You can opt in to share the log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging where you can query and view your logs and control how you route and store your logs.

Open the audit and investigation page

Access User log event data

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. On the left, click Reportingand thenAudit and investigationand thenUser log events.

Filter the data

  1. Open the log events as described above in Access User log event data.
  2. Click Add a filter, and then select an attribute.
  3. In the pop-up window, select an operatorand thenselect a valueand thenclick Apply.
  4. (Optional) To create multiple filters for your search:
    1. Click Add a filter and repeat step 3.
    2. (Optional) To add a search operator, above Add a filter, select AND or OR.
  5. Click Search.

Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Actor group name

Group name of the actor. For more information, go to Filtering results by Google Group.

To add a group to your filtering groups allowlist:

  1. Select Actor group name.
  2. Click Filtering groups.
    The Filtering groups page displays.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group .
  8. Click Save.
Actor organizational unit Organizational unit of the actor
Affected user Email address of the affected user
Challenge type The type of challenge used to verify the user, such as Password or Security Key
Date Date and time of the event (displayed in your browser's default time zone)
Domain The domain where the action occurred
Email forwarding address Email address to forward the Gmail messages to

Event

The logged event action, such as 2-step verification enroll or Suspicious login

Note: For the Logout event, even if the user signed in with login types other than Google Password, (such as ExchangeReauthSAML, or Unknown), the Login type for Logout events is displayed as Google Password.

IP address IP address that the user used to sign in. Usually the address is the user's physical location, but it can be a proxy server or a Virtual Private Network (VPN) address.
Is second factor True if the user signed in with 2-factor authentication 
False if the user didn't sign in with 2-factor authentication
Is suspicious True if the sign-in attempt was suspicious, otherwise false. Applicable only to the login_success event
Login time Date and time the user signed in
Login type

Authentication method the user used:

  • Exchange—When a user is authenticated by token exchange, such as via an OAuth login. It might also indicate the user was already signed in to a session when they signed in to another, and the 2 sessions were merged
  • Google Password—Used a Google password. Includes sign-ins to less secure apps (if allowed)
  • OIDC—Authentication by single sign-on OpenID Connect (OIDC).
  • Reauth—User authenticated with a password re-authentication request
  • SAML—Authentication by single sign-on Security Assertion Markup Language (SAML)
  • Unknown—User signed in using an unknown method
User Email address of the user who performed the action

Manage log event data

Manage search results column data

You can control which data columns appear in your search results.

  1. At the top-right of the search results table, click Manage columns .
  2. (Optional) To remove current columns, click Remove .
  3. (Optional) To add columns, next to Add new column, click the Down arrow  and select the data column.
    Repeat as needed.
  4. (Optional) To change the order of the columns, drag the data column names.
  5. Click Save.

Export search result data

  1. At the top of the search results table, click Export all.
  2. Enter a name and then click Export.
    The export displays below the search results table under Export action results.
  3. To view the data, click the name of your export.
    The export opens in Google Sheets.

Create reporting rules

Go to Create and manage reporting rules.

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
14080860248933246373
true
Search Help Center
true
true
true
true
true
73010