User Accounts audit log

View user activity 

As your organization's administrator, you can check critical actions carried out by users on their own accounts. These actions include changes to passwords, account recovery details (telephone numbers, email addresses), and 2-Step Verification enrollment.

Step 1: Open your User Accounts audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left under Audit, click User Accounts.
  4. On the toolbar, click Select columns Select reports and select the data you want to show in your log.
  5. See below for how to interpret, customize and export the log data.

Step 2: Understand audit data

Data you can view
Data type Description
Event description

Summary of the event

Examples:

Account password changeUsername has changed Account password

Account recovery email changeUsername has changed Account recovery email

Date

Date and time the event occurred (browser default time zone).

IP address IP address associated with the logged action. The address can reflect the user’s physical location, a proxy server, or a Virtual Private Network (VPN) address.
Event name descriptions
Event name Description
2-step verification disable Log entry for each time a user disables 2-Step Verification.
2-step verification enroll Log entry for each time a user enrolls for 2-Step Verification.
Account password change Log entry for each time a user changes an account password.
Account recovery email change Log entry for each time a user changes a recovery email address.
Account recovery phone change Log entry for each time a user changes an account recovery phone number.
Account recovery secret question/answer change Log entry for each time a user changes an account recovery secret question and answer.

Step 3: Customize and export your audit data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when users changed account passwords or disabled 2-Step Verification.

  1. Open your User Accounts audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. Click Search.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a comma-separated (CSV) file.

  1. Open your User Accounts audit log as shown above.
  2. (Optional) To change the data to include in your export:
    1. On the toolbar, click Select columns Select reports.
    2. Check the box next to the data you want to export and click Apply.
  3. On the toolbar, click DownloadDownload.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Exported Google Sheets and downloaded CSV files both show a maximum of 10,000 rows.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can easily track specific user-account activities by setting up alerts. For example, get an alert whenever someone changes a password.

  1. Open your User Accounts audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter any combination of the data you can view in the log except IP address and Date and time range.
  4. Click Set Alert.
  5. In the Set alert: User Accounts box, enter a name for the alert.
  6. (Optional) To deliver the alert to all super administrators, check the Super Administrator(s) box.
  7. Enter the email addresses of any other alert recipients.
  8. Click Save.

To edit your custom alerts, see Administrator email alerts.

Was this article helpful?
How can we improve it?