
OAuth Token audit log

The OAuth Token audit log records every time a third-party mobile or web application is authorized to access Google account data (such as Contacts, Calendar, and Drive files) for users in your organization.

For example, when a user starts a Google Marketplace app you've installed in your domain, the Token log records the name of the app, the person using it, and the scope of data access requested by the app. This lets you track which users are using which apps, and when.

To access the OAuth Token audit log, sign in to your Admin console and click Reports > Audit > Token. The page displays the following information:

  • Event Description—A summary of the event, such as "Super Admin David authorized access to Google Chrome for https://www.google.com/accounts/OAuthLogin scopes"
  • Event Name—The action performed: Authorize or Revoke.
  • Application Name—The application for which access was authorized or revoked.
  • Scope—Scopes to which access was authorized or revoked.
  • Date—The date the event occurred (displayed in your domain's default timezone).

Use the Filters section at the side to configure the page to only display data that meets certain criteria. For example, the page can show events of a particular type, or events that occurred during a specific date range. Once you've entered your criteria, click Search to filter. To clear your filters, click Reset.

You can also use the Filters section to create and configure a custom alert. Custom alerts do not use the Date Range. Choose an event name from the drop-down list and your other filters, then click the SET ALERT button. In the Set alert: window, you can add a custom alert name, check the Super Administrator(s) box, or add additional recipient user emails. After you configure your custom alert, click the SAVE button. To edit your custom alerts, refer to Account activity alerts.

Filter log entries

You can filter log entries by various criteria, for example to find all revoked tokens, authorized tokens for a particular application, or tokens authorized by specific users. At the top of the OAuth token audit log, click the Filters icon (next to the Select columns icon). Then filter by any of the following criteria:

  • Event name—The action the user performed, such as Authorize or Revoke.
  • User name—The ldap of the user for whom access was authorized or revoked.
  • Application name—The application for which access was authorized or revoked.
  • Client id—The OAuth client id of the application for which access was authorized or revoked.
  • Scope—Scopes to which access was authorized or revoked.
  • IP address—The IP address of the user for whom access was authorized or revoked.
  • Date and time range—A start and end date and time for listing events.

Note the following:

  • If you don't see the Filters section, click the Filters icon.
  • Each entry in the log is associated with a single event.
  • To change the columns the log displays, click Select columns. The page remembers the columns you choose and shows the same ones the next time you sign in.
  • The log shows data delayed by a few hours and keeps data from up to six months ago.
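
The filter criteria above can also be applied offline to exported events. The following is an added example, not part of the original article or any Google code: it replays Authorize and Revoke events to find grants that are still active, then flags those holding sensitive scopes for client IDs that are not on an approved list. The record layout, sample rows, approved client IDs and sensitive-scope list are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample rows (not real log data). Field names mirror the log's
# filter criteria; the dict layout itself is an assumption about your export.
DRIVE = "https://www.googleapis.com/auth/drive"
CAL = "https://www.googleapis.com/auth/calendar"
MAIL = "https://mail.google.com/"
SAMPLE_EVENTS = [
    {"time": "2016-03-01T10:30:00", "event": "Revoke", "user": "bob@example.com",
     "app": "Example Sync Tool", "client_id": "222.apps.example", "scopes": [DRIVE]},
    {"time": "2016-03-01T09:00:00", "event": "Authorize", "user": "alice@example.com",
     "app": "Example Mail Merge", "client_id": "111.apps.example", "scopes": [MAIL]},
    {"time": "2016-03-01T10:00:00", "event": "Authorize", "user": "bob@example.com",
     "app": "Example Sync Tool", "client_id": "222.apps.example", "scopes": [DRIVE]},
    {"time": "2016-03-02T08:15:00", "event": "Authorize", "user": "carol@example.com",
     "app": "Approved CRM", "client_id": "333.apps.example", "scopes": [DRIVE, CAL]},
    {"time": "2016-03-02T11:45:00", "event": "Authorize", "user": "dave@example.com",
     "app": "Example Notes", "client_id": "444.apps.example", "scopes": [DRIVE, CAL]},
]
SENSITIVE_SCOPES = {MAIL, DRIVE}            # assumption: set per your own policy
APPROVED_CLIENT_IDS = {"333.apps.example"}  # assumption: apps vetted by the admin

def active_grants(events):
    """Replay events in time order; return scopes still held per (user, client id)."""
    grants = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        held = grants.setdefault((e["user"], e["client_id"]),
                                 {"app": e["app"], "scopes": set()})
        if e["event"] == "Authorize":
            held["scopes"] |= set(e["scopes"])
        elif e["event"] == "Revoke":
            held["scopes"] -= set(e["scopes"])
    # A grant whose scopes were all revoked is no longer active.
    return {k: v for k, v in grants.items() if v["scopes"]}

def risky_grants(events):
    """Active grants with sensitive scopes held by unapproved client IDs."""
    findings = []
    for (user, client_id), grant in active_grants(events).items():
        hits = sorted(grant["scopes"] & SENSITIVE_SCOPES)
        if hits and client_id not in APPROVED_CLIENT_IDS:
            findings.append((user, grant["app"], client_id, hits))
    return sorted(findings)

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE_EVENTS):
        print(finding)
```

Because the log is delayed by a few hours, a replay like this reflects the state as of the newest exported event, not the current moment.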

The Admin console reports show historical data generated for the last seven days, the last month, the last three months, or the last six months. The date in the upper right indicates the most recent day for which report data is available. The pulldown arrow next to the date opens a calendar page you can use to select another day. The latest date for which all data points are present has a green background. You can select a date beyond the full data date, but any later date you choose may have partial data and may only show a subset of the expected reports.

How long is data saved?

You're able to access saved Admin console audit logs and reports data this far back:

| Audit log or report name | Data retention time |
|---|---|
| Admin audit log | 6 months |
| Calendar audit log | 6 months |
| OAuth Token audit log | 6 months |
| Mobile audit log (Google Apps Unlimited) | 6 months |
| SAML audit log | 6 months |
| Drive audit log (Google Apps Unlimited) | 6 months |
| Email log search | 30 days |
| Account activity reports | 6 months |
| Security reports | 6 months |
| Groups audit log | 6 months |
| Audit data retrieved using the API | 6 months |
| Reporting data retrieved using the API | 15 months |

For any audit log or report not mentioned above, the retention time should be 6 months.

Keep in mind reports do not reflect real-time data, and some reports may take longer to display updated information.

Lag times

The lag times in this table reflect how long it takes before collected data tied to specific Admin console reports and audit logs is available to view.

| Item name | Report name | Lag time |
|---|---|---|
| Highlights | | |
| Gmail | Gmail report | 13 days |
| Drive | Drive report | 26 days |
| Hangouts | Hangouts report | 13 days |
| Google+ | Google+ report | 13 days |
| Calendar | Calendar report | 13 days |
| Document Link Shared Status | Drive report | 26 days |
| Security | | |
| External Link Shared Files | Drive report | 26 days |
| External Link Shared Files | Security report | 13 days |
| 2-Step Verification Enrollment | 2SV report | 13 days |
| Aggregate reports | | |
| Accounts | Accounts report | 13 days |
| Gmail | Gmail report | 13 days |
| Drive | Drive report | 26 days |
| Google+ | Google+ report | 13 days |
| Mobile | Mobile report | 13 days |
| Apps usage activity | | |
| Files owned | Drive report | 26 days |
| Total Emails | Gmail report | 13 days |
| Total Storage Used (MB) | Quota report | 13 days |
| Audit | | |
| Admin | Admin audit | near real time (couple of minutes) |
| Login | Login audit | tens of minutes (can also go up to a couple of hours) |
| Drive | Drive audit | near real time (couple of minutes) |
| Calendar | Calendar audit | tens of minutes (can also go up to a couple of hours) |
| Mobile devices | Mobile audit | near real time (couple of minutes), up to 4 hours, if updated at next sync. |
| SAML | SAML audit | near real time (couple of minutes), up to 3 hours, if updated at next sync. |
| Token | Token audit | tens of minutes (can also go up to a couple of hours) |
| Groups | Groups audit | tens of minutes (can also go up to a couple of hours) |
| Email log search | Email audit | near real time (couple of minutes) |

Retrieving report or audit log data for very old dates or large time ranges may take so long that, once results are available, the most recent log entry may no longer be fresh. For applications that require real-time log monitoring, use a small time range.
