You can use the audit and investigation page to run searches related to Chat log events. There you can view a record of actions to monitor conversation and discussion activity in your organization. For example, you can see when a user starts a direct message or creates a space.
For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the data sources for the audit and investigation page.
Open the audit and investigation page
Before you begin
If you have Google Chat history turned off for your users, you won't see data for users who send direct messages, and you won't see data for the Direct message started event. To check your settings, go to Turn history on or off.
- On the left, click ReportingAudit and investigationChat log events.
Filter the data
- Open the log events as described above in Access Chat log event data.
- Click Add a filter, and then select an attribute.
- In the pop-up window, select an operatorselect a valueclick Apply.
(Optional) To create multiple filters for your search:
- Click Add a filter and repeat step 3.
- (Optional) To add a search operator, above Add a filter, select AND or OR.
- Click Search.
Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.
For this data source, you can use the following attributes when searching log event data:
|Actor||Email address of the user who performed the action|
|Actor group name||Group name of the actor|
|Actor organizational unit||Organizational unit of the actor|
|Attachment hash||SHA-256 hash of the chat attachment|
|Attachment name||Name of the attachment sent in a Chat message|
|Attachment URL||Download URL of the attachment sent in a Chat message|
|Data loss prevention scan status||Using DLP for Chat , you can create data protection rules to prevent data leaks from Chat messages and attachments (uploaded files). DLP scan status includes values such as Failed, Partially scanned, and Scanned.|
|Date||Date and time of the event (displayed in your browser's default time zone)|
|Event||The logged event action, such as Message sent, Attachment uploaded, or Direct message started.|
|External room||Whether members outside the organization can be added to the chat room|
ID of the Chat message
Note: Google recently changed the Message ID format. This change might affect the search results for Chat log events. To avoid any impacts, we recommend that you change your search operators from Is to Contains, and from Is not to Does not contain.
|Recipients||Recipients of a chat message|
|Room history setting||Whether Chat room history is turned on or off|
|Room ID||Chat room ID|
|Room name||Chat room name|
Note: If you have the Chat data loss prevention beta, the DLP scan status can also be added to Chat log events for Attachment uploaded, Message edited, and Message sent.
Manage log event data
Manage search results column data
You can control which data columns appear in your search results.
- At the top-right of the search results table, click Manage columns.
- (Optional) To remove current columns, click Remove.
- (Optional) To add columns, next to Add new column, click the Down arrowand select the data column.
Repeat as needed.
- (Optional) To change the order of the columns, drag the data column names.
- Click Save.
Export search result data
- At the top of the search results table, click Export all.
- Enter a nameclick Export.
The export displays below the search results table under Export action results.
- To view the data, click the name of your export.
The export opens in Google Sheets.
Create reporting rules
When and how long is data available?
Go to Data retention and lag times.