Chrome audit log

View Chrome events in the Admin console

You can use the Chrome audit log to see events related to managed Chrome browsers and Chrome OS devices. For example, you can see when there has been an unsafe site visit.

For other services and activities, such as Google Drive and user activity, go to the list of available audit logs.

Before you begin

To see all Chrome events:

  • The browser needs to be managed by either Chrome Browser Cloud Management or a Chrome OS device that has been enrolled into a domain.
  • For Chrome Threat and Chrome Data Protection events, BeyondCorp Enterprise needs to be set up. For more information, go to Protect Chrome users with BeyondCorp Threat and Data Protection.

Open the Chrome audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit log, click Chrome management.

  4. (Optional) To customize what data you see, on the right, click Manage columns "". Select the columns that you want to see or hideand thenclick Save.

  5. (Optional) Review ways to filter and export log data and create alerts.

Data you can view

The Chrome audit log provides the following information:

Data type Description
Event name The action that was logged, such as Content unscanned or Unsafe site visit
Date Date and time of the event (displayed in your browser's default time zone)
Event reason Details about the action, such as File is password protected
Device name The name of the device
Device user The user's name as reported by the OS
Profile user name The Chrome browser profile username
URL The URL that generated the event
Device platform The OS that the browser is running on
Device ID The ID of the device. The value is platform-specific.
Browser version Number assigned to the version of Chrome browser, such as 69.0.3497.23
Triggered rules reason The name of the DLP rule that was triggered as a result of the event
Event result The result of the event based on the policies and rules set. Can be one of the following: Bypassed, Blocked, Warned, or Allowed.
Content name The name of the content downloaded, could be a filename
Content size The size of the downloaded content, in bytes
Content hash The SHA256 hash of the content
Content type The media (MIME) type of content downloaded, such as text/html
Trigger type The user action that triggered the event, such as:
  • File upload
  • File download
  • Web content upload
Trigger user The username relating to the event:
  • Password reuse—The username that the password belongs to
  • Password reset—The username that the password is reset for
User agent The user agent string of the browser used to access the content. For example, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4140.0 Safari/537.36.
Client type

Event names

At Add a filter, select an Event name to filter data for that event. The Chrome audit log shows various events related to Chrome. 

Chrome Threat events

Chrome Threat events are available only for customers who have purchased BeyondCorp Enterprise. For more information about BeyondCorp and how to set it up, go to Protect Chrome users with BeyondCorp Threat and Data Protection.

Event name Description
Malware transfer The content uploaded or downloaded by the user is considered to be malicious, dangerous, or unwanted
Unsafe site visit The URL visited by the user is considered to be deceptive or malicious
Password reuse The user has entered a password into a URL that’s outside of the list of allowed enterprise login URLs
Password changed The user resets their password for the first-signed-in user account

Chrome Data Protection events

Chrome Data Protection events are available only for customers who have purchased BeyondCorp Enterprise. For more information about BeyondCorp and how to set it up, go to Protect Chrome users with BeyondCorp Threat and Data Protection.

Event name Description
Sensitive data transfer The content uploaded, downloaded, or pasted by the user is considered to contain sensitive data, as detected by the Data Protection rules
Content unscanned There are multiple reasons why a file is unscanned, including
  • File is password protected
  • File is too large
  • DLP scan was unsuccessful
  • Malware scan was unsuccessful
  • Malware scan unsupported file type
  • Service unavailable

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue