OAuth Token audit log

The OAuth Token audit log records every time a third-party mobile or web application is authorized to access Google account data (such as Contacts, Calendar, and Drive files) for users in your organization.

For example, when a user starts a Google Marketplace app you've installed in your domain, the Token log records the name of the app, the person using it, and the scope of data access requested by the app. This lets you track which users are using which apps, and when.

To access the OAuth Token audit log, sign in to your Admin console and click Reports > Audit > Token. The page displays the following information:

  • Event Description—A summary of the event, such as "Super Admin David authorized access to Google Chrome for https://www.google.com/accounts/OAuthLogin scopes"
  • Event Name—The action performed: Authorize or Revoke.
  • Application Name—The application for which access was authorized or revoked.
  • Scope—Scopes to which access was authorized or revoked.
  • Date—The date the event occurred (displayed in your domain's default timezone).

Use the Filters section at the side to configure the page to only display data that meets certain criteria. For example, the page can show events of a particular type, or events that occurred during a specific date range. Once you've entered your criteria, click Search to filter. To clear your filters, click Reset.

You can also use the Filters section to create and configure a custom alert. Custom alerts do not use the Date Range. Choose an event name from the drop-down list and your other filters, then click the SET ALERT button. In the Set alert: window you can add a custom alert name, check the Super Administrator(s) box, or add additional recipient user emails. After you configure your custom alert click the SAVE button. To edit your custom alerts, refer to Account activity alerts.

Filter log entries

You can filter log entries by various criteria, say, to find all revoked tokens, authorized tokens for a particular application, or tokens authorized by specific users. At the top of the OAuth token audit log, click the Filters icon (next to the Select columns icon). Then filter by any of the following criteria:

  • Event name—The action the user performed, such as Authorize or Revoke.
  • User name—The ldap of the user for whom access was authorized or revoked.
  • Application name—The application for which access was authorized or revoked.
  • Client id—The OAuth client id of the application for which access was authorized or revoked.
  • Scope—Scopes to which access was authorized or revoked.
  • IP address—The IP address of the user for whom access was authorized or revoked.
  • Date and time range—A start and end date and time for listing events.

Note the following:

  • If you don't see the Filters section, click filter.
  • Each entry in the log is associated with a single event.
  • To change the columns the log displays, click Select columns. The page remembers the columns you choose and shows the same ones the next time you sign in.
  • The log shows data delayed by a few hours and keeps data from up to six months ago.

The Admin console reports show historical data generated for the last seven days, the last month, the last three months, or the last six months. The date in the upper right indicates the most recent day for which report data is available. The pulldown arrow next to the date opens a calendar page you can use to select another day to use. The latest date for which all data points are present has a green background. You can select another date beyond the full data date but any later date you choose may have partial data and may only show a subset of the expected reports.

Data retention times

Name of Log or Report

Retention Time

Admin audit Log 6 months
Calendar audit log 6 months
OAuth Token audit log 6 months
Mobile audit log (Google Apps Unlimited) 6 months
Drive audit log (Google Apps Unlimited) 6 months
Email log search 30 days
Account activity reports 6 months
Security reports 6 months
Groups audit log 6 months
Audit data retrieved using the API 6 months
Reporting data retrieved using the API 15 months

For other audit logs and reports not mentioned above the retention time should be 6 months.

 

Keep in mind reports do not reflect real-time data, and some reports may take longer to display updated information.

Lag times

Item Name Report Name Lag Time
Highlights    
Gmail gmail report 1 day to 3 days
Drive drive report 2 days to 6 days
Hangouts hangouts report 1 day to 3 days
G+ g+ report 1 day to 3 days
Calendar calendar report 1 day to 3 days
Document Link Shared Status drive report 2 days to 6 days
Security    
External Link Shared Files drive report 2 days to 6 days
External Link Shared Files security report 1 day to 3 days
2-Step Verification Enrollment 2sv report 1 day to 3 days
Aggregate Reports    
Accounts accounts report 1 day to 3 days
Gmail gmail report 1 day to 3 days
Drive drive report 2 days to 6 days
G+ g+ report 1 day to 3 days
Mobile mobile report 1 day to 3 days
Apps Usage Activity    
Files Owned drive report 2 days to 6 days
Total Emails gmail report 1 day to 3 days
Total Storage Used quota report 1 day to 3 days
Audit    
Admin admin audit near real time (couple of minutes)
Login login audit tens of minutes (can also go up to a couple of hours)
Drive drive audit near real time (couple of minutes)
Calendar calendar audit tens of minutes (can also go up to a couple of hours)
Mobile devices mobile audit near real time (couple of minutes), up to 3 hours, if updated at next sync.
Token token audit tens of minutes (can also go up to a couple of hours)
Groups groups audit tens of minutes (can also go up to a couple of hours)
Email log search email audit near real time (couple of minutes)

 

If you run backfills for very old dates there is no absolute upper cap on the lag time.

Was this article helpful?
Sign in to your account

Get account-specific help by signing in with your Apps for Work account email address, or learn how to get started with Apps for Work.