You can use the Admin audit log to see a record of actions performed in your Google Admin console. For example, you can see when an administrator added a user or turned on a Google Workspace service.
For other services and activities, such as Google Drive and user activity, go to the list of available audit logs.
From the Admin console Home page, go to Reports.
- On the left, under Audit log, click Admin.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The Admin audit log provides the following information:
|Event name||The action that was logged, such as revoking a security key or deleting a user|
|Date||Date and time of the event (displayed in your browser's default time zone)|
|Event description||Details about the action, such as the name of the deleted user and the name (or email address for service account admins) of the admin that initiated the action|
|Admin||Name of the admin who performed the action. Instead of an admin’s name, you might see:
|IP address||IP address of the admin. Usually reflects the admin's physical location, but could be a proxy server or VPN address.|
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time that event occurred during the time range that you set. Most event names are self-explanatory. For example, Add application shows when an application was added to your organization or a domain. However, you might see more detailed log data, such as:
|Admin role assignment||If you assign the Super Admin role to a user, the log shows the Event description as Role_SEED_ADMIN_ROLE|
|Groups||Logs actions performed in the Admin console, in Google Groups, and more. To track changes by users in Groups, go to the Groups audit log.|
|Marketplace services||Logs when an admin adds or removes an app, turns an app on or off, and authorizes or removes API client access. Some apps might not have IP address details.|
|Access groups||Logs when a service is turned on or unset for an access group|
|Auto provisioning automatically disabled||
Logs when auto provisioning is turned off because syncing with a service was failing for a long time.
Auto provisioning was disabled because sync failed for 15 consecutive days. Sync may fail for a variety of reasons.
Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.
When and how long is data available?
Go to Data retention and lag times.