You can use the Login audit log to track user sign-ins to your domain. All sign-ins from web browsers are logged. When users sign in from a mail client or non-browser application, only suspicious attempts are logged.
From the Admin console Home page, go to Reports.
- On the left, under Audit, click Login.
(Optional) To customize what you review, on the right, click Manage columns , select the columns that you want to see or hide, and click Save.
Review ways to filter and export log data and create alerts.
Data you can view
|Event description||Details of the event described in the Event Name field.|
|IP address||IP address that the user used to sign in to the Admin console. This might reflect your physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address.|
Details of how the user signed in.
|Date||Date and time of the event (displayed in your browser's default time zone).|
Here are types of events that are available under the Event name column (see above):
Each time a user fails to sign in. You can use the Reports API to view the cause of the failure. For example, the user entered an incorrect password, didn't have access to the service, or their account was suspended.
|Government-backed attack||Each time a government-backed attackers might have tried to compromise a user account or computer. Learn about government-backed attack alerts.|
|Leaked password||Each time a password reset is required because Google detects compromised credentials.|
Each time a user was asked an extra security question because we detected a suspicious sign-in attempt.
For details, see Verify a user’s identity with extra security.
|Login verification||Each time a user was asked an extra security question when we did not detect a suspicious sign-in attempt.|
|Logout||Each time a user logged out.|
|Successful login||Each time a user logged in.|
Each time a user logged in and the login had some unusual characteristics—for example, if the user logged in from an unfamiliar IP address.
Suspicious login events are shown with a red warning icon.
|Suspicious login blocked||Each time a suspicious login was blocked.|
|Suspicious login from less secure app blocked||Each time a suspicious login from a less secure app was blocked.|
|Suspicious programmatic login blocked||Each time a suspicious login with programmatic elements was blocked.|
|User suspended||Each time a user was suspended.|
|User suspended (spam through relay)||Each time a user was suspended due to spam relay.|
|User suspended (spam)||Each time a user was suspended due to spam.|
|User suspended (suspicious activity)||Each time a user was suspended due to suspicious activity.|
When and how long is data available?
Go to Data retention and lag times.