You can use the audit and investigation page to run searches related to Groups log events. There you can track changes to groups, group memberships, and group messages for users in your organization. You can also troubleshoot when users in your domain notice discrepancies and unexpected changes to their group activities. Entries usually appear within half an hour of the user action.
Note: To view actions performed within the Google Admin console, Google Cloud console, Admin SDK API, Cloud Identity API, and Google Groups user interface, go to Groups Enterprise log events.
For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the data sources for the audit and investigation page.
Types of changes you can track
- Group creation and deletion—You can verify that a group exists and was not recently deleted.
- Member addition, removal, and banning—If a user didn't receive a group message, you can check the log event data to see if the user is a group member. If the user was removed or banned, the data also shows who removed or banned them and when.
- User invitations and join request approvals—You can verify whether a user received an invitation to join a group and whether the invitation was accepted or denied. You can also track whether a user’s request to join a group was approved or denied.
- Group posting permission changes—Users may unexpectedly receive a bounce message saying that they're not permitted to post. Log event data shows any changes to the posting permissions that would prevent the user to post.
- Spam moderation settings—If messages are sent to the moderation queue instead of being posted, log event data will show if message moderation was a recent settings change.
- Other settings—When other settings are changed, log event data provides details about the changes.
Groups log events are only for the Google Groups interface. Event data tracks both user and admin actions executed using the Google Groups interface. Google Groups actions performed by administrators using the Admin console or the Admin SDK directory API are logged in Admin log events and Groups Enterprise log events.
Open the audit and investigation page
Access Groups log event data
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- On the left, click Reporting
Audit and investigation
Filter the data
- Open the log events as described above in Access Groups log event data.
- Click Add a filter, and then select an attribute.
- In the pop-up window, select an operator
-
(Optional) To create multiple filters for your search:
- Click Add a filter and repeat step 3.
- (Optional) To add a search operator, above Add a filter, select AND or OR.
- Click Search.
Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.
Attribute descriptions
For this data source, you can use the following attributes when searching log event data:
| Attribute | Description |
|---|---|
| Actor | Email address of the user who performed the action |
| Actor group name |
Group name of the actor. For more information, see Filtering results by Google Group. To add a group to your filtering groups allowlist:
|
| Actor organizational unit | Organizational unit of the actor |
| Date | Date and time the event occurred (displayed in your browser's default time zone) |
| Event | The logged event action, such as Create group, Invite user, or Reject join request. |
| Group email | Email address of the group |
| Group permission setting | Group permission setting for the actor—for example, Can add members, Can post, Can invite members, or Can delete topics |
| Info setting value | Value of an update to the Group info setting |
| Message ID | For messages sent by the actor, the unique message ID located in the message header |
| Message moderation | Action taken by the actor to approve or reject a post/message |
| New value | New setting value after an action is taken by the actor |
| Old value | Old setting value after an action is taken by the actor |
| Role | Actor's role in the group—for example, Manager, Member, or Owner |
| Setting | Action taken by the actor. For example, to allow external members, allow web posting, set the maximum message size, or specify the Group name. |
| Status | Status of the action taken by the author—Succeeded or Failed |
| Target | Email address of the target user |
Manage log event data
Manage search results column data
You can control which data columns appear in your search results.
- At the top-right of the search results table, click Manage columns
.
- (Optional) To remove current columns, click Remove
.
- (Optional) To add columns, next to Add new column, click the Down arrow
and select the data column.
Repeat as needed. - (Optional) To change the order of the columns, drag the data column names.
- Click Save.
Export search result data
- At the top of the search results table, click Export all.
- Enter a name
The export displays below the search results table under Export action results. - To view the data, click the name of your export.
The export opens in Google Sheets.
Create reporting rules
Go to Create and manage reporting rules.
When and how long is data available?
Go to Data retention and lag times.