In your Google Admin console, you can use the audit and investigation page to review user and administrator activity in your organization. You can use the information to track users and admins, and for security purposes.
The availability of features on the audit and investigation page depends on your Google Workspace or Cloud Identity edition. See the sections below for details about the different data sources that are available.
Note: If you have a premium edition such as Enterprise Plus or Education Plus, you have access to the more advanced features of the security investigation tool. The investigation tool enables super admins to identify, triage, and take action on security and privacy issues. For more details, go to About the security investigation tool.
Choose a data source to get started
To access data about log events on the audit and investigation page, at the left of your Admin console, click ReportingAudit and investigationthen select your data source.
|Admin log events||View admin activity in the Google Admin console|
|Calendar log events||View and track changes to user events in Google Calendar|
|Chat log events||Track user conversations and room activity|
|Chrome log events||View Chrome events for your organization|
|Classroom log events||View common activities, such as who removed a student from a class or archived a class
Note: You must be a Google Workspace for Education admin to access Classroom log events
|Currents log events||Track Currents activity for your organization|
|Data Studio log events||View users' actions in Google Data Studio|
|Devices log events||Review activities on your organization’s devices|
|Directory Sync log events||View events related to Directory Sync|
|Drive log events||View user Google Drive activity|
|Graduation log events||Track user data transfer|
|Groups Enterprise log events||See Admin console actions on groups and group memberships|
|Groups log events||View user changes to groups in Google Groups|
|Jamboard log events||Track changes to Jamboards|
|Keep log events||Track activity on notes owned by users in your organization|
|Meet log events||Understand users' video-meeting activity|
|Meet recordings in Drive audit & export||Track users' Meet recording activity|
|OAuth log events||Track third-party app usage and data-access requests|
|Password Vaulted Apps log events||See admin and user activity related to password vaulted apps|
|Rule log events||Track your users' attempts to share sensitive data|
|SAML log events||View your users' sign-ins to SAML applications|
|Secure LDAP log events||Review LDAP operations for the Secure LDAP service|
|Takeout log events||View user Google Takeout activity|
|User log events||View user activity across their accounts. Note: The User log events data source provides data previously contained in the Login audit log and User accounts audit log.|
|Voice log events||Review user activity in Google Voice|
When and how long is data available?
Go to Data retention and lag times.