
Understand audits

Vault audits provide details about actions that Vault users have taken during a specified period of time. Vault users are those people who have privileges to sign in to Vault and perform actions (for example, setting retention rules or searching in matters). Learn more about Vault privileges.

You can run and export Vault audits as CSV files. These files can be viewed in any spreadsheet viewer, including Google Sheets.

How to run a Vault audit report

  1. In Vault, go to Reports > Audit.
  2. In Select date range, include start and end dates for the audit.
  3. In Select Vault users, include users on whom you want to run the audit. The Vault users you enter here have Vault privileges; you are auditing their actions in Vault (for example, if they've set retention rules, searched in matters, modified holds, or performed any other administrative actions).
  4. In Select action types, check the boxes next to actions about which you want audit information.
  5. Click Download CSV. A CSV file that contains audit information will be downloaded to your device.

What audits contain

What you see in the CSV file depends on which action types you selected when you ran the audit. For example, you might have selected Retention policy because you want to audit a Vault user's actions related to retention (which retention rules a Vault user created or modified).

Each line of an audit is for one action. Each action consists of 11 categories of information: 

Epoch milliseconds

This category indicates the time that an action occurred in epoch milliseconds—the number of milliseconds that have elapsed since January 1, 1970 (midnight UTC/GMT). You don't have to do any conversions of epoch milliseconds, as each action is also recorded in human-readable time in the Date category.

Date

This category indicates the time that an action occurred in human-readable time. The category includes the day of the week; the date; the hour, minute, and second. The time zone is always Pacific (–0700 or –0800).

Action

This category indicates an action that occurred. This table includes the various actions and what they mean:

| Action as identified in the audit | Description |
| --- | --- |
| VIEW_SYSTEM_AUDIT_LOG | Logged whenever someone downloads an audit. |
| VIEW_MATTER_AUDIT_LOG | Logged whenever someone runs an audit within a specific matter. The ID number of the matter is recorded in the Matter category. |
| VIEW_RETENTION_POLICY | Logged whenever someone navigates to the Retention page. |
| MODIFY_DEFAULT_RETENTION_PERIOD_BEGIN, MODIFY_DEFAULT_RETENTION_PERIOD_END | Logged whenever someone modifies the default retention rule. The newly modified retention period is recorded as "Period: # days" in the Details category. |
| ADD_RETENTION_RULE_BEGIN, ADD_RETENTION_RULE_END | Logged whenever someone creates a new custom retention rule. The new rule is given a unique ID number, which is recorded in the Name category. The retention period is recorded as "Period: # days" in the Details category. |
| UPDATE_RETENTION_RULE_BEGIN, UPDATE_RETENTION_RULE_END | Logged whenever someone modifies a custom retention rule. The ID number of the custom retention rule is recorded in the Name category. The newly modified retention period is recorded as "Period: # days" in the Details category. |
| DELETE_RETENTION_RULE_BEGIN, DELETE_RETENTION_RULE_END | Logged whenever someone deletes a custom retention rule. The ID number of the custom retention rule is recorded in the Name category. |
| CREATE_INVESTIGATION_BEGIN, CREATE_INVESTIGATION_END | Logged whenever someone creates a new matter. The ID number of the matter is recorded in the Matter category. The name of the matter is recorded in the Name category. |
| VIEW_CUSTODIAN_LITIGATION_HOLD_REPORT | Logged whenever someone clicks Domain Holds to view holds for the domain or users. |
| VIEW_PER_MATTER_LITIGATION_HOLD_REPORT | Logged whenever someone views holds within a matter. The ID number of the matter is recorded in the Matter category. |
| VIEW_CROSS_MATTER_LITIGATION_HOLD_REPORT | Logged whenever someone clicks User Holds to view which users are on hold. |
| VIEW_INVESTIGATION | Logged whenever someone views the Search or Export pages in a matter. |
| ADD_COLLABORATOR_BEGIN, ADD_COLLABORATOR_END | Logged whenever someone shares a specific matter with other users. The ID number of the matter is recorded in the Matter category. The email address of the user with whom that matter was shared is recorded in the Email category. |
| REMOVE_COLLABORATOR_BEGIN, REMOVE_COLLABORATOR_END | Logged whenever someone removes another user from a shared matter. The ID of the matter is recorded in the Matter category. The email address of the user with whom the matter is no longer shared is recorded in the Email category. |
| ADD_LITIGATION_HOLD_BEGIN, ADD_LITIGATION_HOLD_END | Logged whenever someone creates a new hold in a matter. The ID number of the matter is recorded in the Matter category. The email address of the user whose content is on hold is recorded in the Name category. |
| REMOVE_LITIGATION_HOLD_BEGIN, REMOVE_LITIGATION_HOLD_END | Logged whenever someone removes a hold on an account. The ID number of the matter is recorded in the Matter category. The email address of the user whose content is no longer on hold is recorded in the Name category. |
| SEARCH | Logged when someone conducts a search in a matter. The ID number of the matter is recorded in the Matter category. The search criteria are recorded in the Query string category. |
| CREATE_SAVED_QUERY_BEGIN, CREATE_SAVE_QUERY_END | Logged when someone saves a search query within a matter. The search criteria that were used are recorded in the Query string category. |
| VIEW_DOCUMENT | Logged when someone views a document. A unique ID number for that document is recorded in the Name category. |
| VIEW_DOCUMENT_INFORMATION | Logged with VIEW_DOCUMENT. The search terms that were used to find the document are recorded in the Query string category. |
| CREATE_EXPORT_BEGIN, CREATE_EXPORT_END | Logged when someone exports documents that were searched for in a matter. The name of the export is recorded in the Name category. The search criteria are recorded in the Query string category. |
| CLOSE_INVESTIGATION_BEGIN, CLOSE_INVESTIGATION_END | Logged when someone closes a matter. The matter ID is recorded in the Matter category. |

User

This category contains the email address of the Vault user who performed the action that was identified in the Action category.

Matter

When the Vault user interacts with a matter, a unique ID number for that matter appears in this category. This ID number appears in the Vault URL for the matter.

Name

The information in this category depends on the action that the Vault user took:

  • If the action involves viewing a document (VIEW_DOCUMENT or VIEW_DOCUMENT_INFORMATION), the Name category contains the unique ID number for that document.

    Example: ACD7onr49fP6DqvgAvIDhboAqqth9q7ekwGc0xpC3xjhpylzQvvQoNKmBKyE9NL1Qdww4eA2SQSc5mOF0JJ_bV_tkVFU3TWIdIrBYOiZLw0eBA9-xL7A-pc

  • If the action involves the addition or removal of a collaborator (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END), the Name category contains the email address of the user who was added or removed.
  • If the action involves the export of documents in a matter (CREATE_EXPORT_BEGIN/END), the Name category contains the name of the export.

Email

The Email category contains the email address of a collaborator who was added to or removed from a matter (seen with action ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END).

Resource url

The Resource url category contains the URL of any document that the user viewed (seen with action VIEW_DOCUMENT or VIEW_DOCUMENT_INFORMATION).

Query string

This category contains the search parameters that the user entered for a specific search.

Example: query: "( Project X )"

Organization

This category contains the name of the organizational unit (OU) in your domain to which the action applies (for example, if the Vault user created a retention rule that applies to a specific OU).

Details

This category contains the period of time in days that a user has specified for a custom retention rule. The period is indicated as "Period: # days."
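
As an added example (not part of the original article and not Google's code), the following Python reads an exported audit CSV and lists the actions that change retention, remove holds, export data, or share a matter, collapsing each BEGIN/END pair into one finding. It assumes the CSV header row uses the 11 category names described above; the sample rows, IDs, and date strings are constructed, and the watch list is this example's own choice.

```python
import csv, io, re
from datetime import datetime, timezone

# Assumption: the header row matches the category names in this article.
# Constructed sample rows (not real audit data).
SAMPLE = '''Epoch milliseconds,Date,Action,User,Matter,Name,Email,Resource url,Query string,Organization,Details
1700000000000,Tue Nov 14 14:13:20 -0800 2023,VIEW_RETENTION_POLICY,admin@example.com,,,,,,,
1700000060000,Tue Nov 14 14:14:20 -0800 2023,UPDATE_RETENTION_RULE_BEGIN,admin@example.com,,rule-17,,,,Legal,Period: 30 days
1700000061000,Tue Nov 14 14:14:21 -0800 2023,UPDATE_RETENTION_RULE_END,admin@example.com,,rule-17,,,,Legal,Period: 30 days
1700000120000,Tue Nov 14 14:15:20 -0800 2023,REMOVE_LITIGATION_HOLD_BEGIN,reviewer@example.com,m-42,custodian@example.com,,,,,
1700000121000,Tue Nov 14 14:15:21 -0800 2023,REMOVE_LITIGATION_HOLD_END,reviewer@example.com,m-42,custodian@example.com,,,,,
1700000180000,Tue Nov 14 14:16:20 -0800 2023,CREATE_EXPORT_END,reviewer@example.com,m-42,export-1,,,"query: ""( Project X )""",,
'''

# Actions (without the _BEGIN/_END suffix) selected for review in this example.
WATCHED = {"MODIFY_DEFAULT_RETENTION_PERIOD", "UPDATE_RETENTION_RULE",
           "DELETE_RETENTION_RULE", "REMOVE_LITIGATION_HOLD",
           "CREATE_EXPORT", "ADD_COLLABORATOR"}

def review(csv_text):
    """Return one finding per watched action, in file order."""
    findings, open_begins = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Action"]
        base = re.sub(r"_(BEGIN|END)$", "", action)
        if base not in WATCHED:
            continue
        key = (base, row["User"], row["Matter"], row["Name"])
        # An END row that closes an already-reported BEGIN is not reported again.
        if action.endswith("_END") and key in open_begins:
            open_begins.discard(key)
            continue
        if action.endswith("_BEGIN"):
            open_begins.add(key)
        # The Date column is always Pacific; derive UTC from the epoch column
        # so the event can be lined up with other logs.
        utc = datetime.fromtimestamp(int(row["Epoch milliseconds"]) / 1000,
                                     tz=timezone.utc).isoformat()
        period = re.search(r"Period:\s*(\d+)\s*days", row["Details"] or "")
        findings.append({"utc": utc, "action": base, "user": row["User"],
                         "matter": row["Matter"], "name": row["Name"],
                         "query": row["Query string"],
                         "period_days": int(period.group(1)) if period else None})
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```
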

How long the actions logged in audits persist

Actions logged in audits cannot be deleted or truncated by Google or by any Vault administrator as long as your organization continues to use Vault.

If your organization terminates its Vault service, audit data is deleted after approximately 30 days.
