OAuth log events

Audit and investigation page: Review 3rd-party application usage and data access requests
The audit log page has been replaced with a new audit and investigation page. For information about this change, go to Improved audit and investigation experience: What's new in Google Workspace

As your organization's administrator, you can use the audit and investigation page to run searches related to OAuth log events. There you can view a record of actions to review which users are using which third-party mobile or web applications in your domain. For example, when a user opens a Google Workspace Marketplace app, the log records the name of the app and the person using it. 

The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only).

For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the data sources for the audit and investigation page.

Forward log event data to Google Cloud

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus, Voice Premier.  Compare your edition

You can opt in to share the log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.

Open the audit and investigation page

Access OAuth log event data

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. On the left, click Reportingand thenAudit and investigationand thenOAuth log events.

Filter the data

  1. Open the log events as described above in Access OAuth log event data.
  2. Click Add a filter, and then select an attribute.
  3. In the pop-up window, select an operatorand thenselect a valueand thenclick Apply.
  4. (Optional) To create multiple filters for your search:
    1. Click Add a filter and repeat step 3.
    2. (Optional) To add a search operator, above Add a filter, select AND or OR.
  5. Click Search.

Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Actor group name

Group name of the actor. For more information, see Filtering results by Google Group.

To add a group to your filtering groups allowlist:

  1. Select Actor group name.
  2. Click Filtering groups.
    The Filtering groups page displays.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group "".
  8. Click Save.
Actor organizational unit Organizational unit of the actor
API method Name of the API method that was called using the OAuth token
API name Name of the API that was called using the OAuth token
Application ID OAuth client ID of the application for which access was authorized or revoked
Application name The application for which access was granted or revoked
Client type Type of client—for example, Connected device, Native Android, or Native iOS
Date Date and time the event occurred (displayed in your browser's default time zone)
Event

The logged event action, such as API call or Grant

Note: API call events are available only for Enterprise Plus, Education Plus, Enterprise Standard, Education Standard, and Cloud Identity Premium.
IP address Internet Protocol (IP) address of the user for whom access was authorized or revoked. This might reflect their physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.

Note: If an event was not directly triggered by a user action (for example, token expiration), it's possible that an IP address will not be logged.
Number of response bytes Size of the response in bytes
Product Name of the Google product for which OAuth token was granted
Scope Scopes to which access was authorized or revoked
User User for whom access was authorized or revoked

Manage log event data

Manage search results column data

You can control which data columns appear in your search results.

  1. At the top-right of the search results table, click Manage columns "".
  2. (Optional) To remove current columns, click Remove "".
  3. (Optional) To add columns, next to Add new column, click the Down arrow "" and select the data column.
    Repeat as needed.
  4. (Optional) To change the order of the columns, drag the data column names.
  5. Click Save.

Export search result data

  1. At the top of the search results table, click Export all.
  2. Enter a name and then click Export.
    The export displays below the search results table under Export action results.
  3. To view the data, click the name of your export.
    The export opens in Google Sheets.

Create reporting rules

Go to Create and manage reporting rules.

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
4039594094086446592
true
Search Help Center
true
true
true
true
true
73010