You can review the activity of Vault users in Vault, either across all of Vault or in a specific matter. For example, audit all of Vault to learn which Vault users edited retention rules. Or, audit a specific matter to learn who downloaded export files from that matter.
Audit activity across all off Vault
- Sign in to vault.google.com.
- Click Reports.
- (Optional) Select a date range.
- (Optional) Enter the email addresses of the Vault users whose actions you want to audit. To audit the actions of all Vault users, leave the field empty.
- Select what types of Vault user actions you want to audit:
- To audit all actions, click Select All.
- To audit only some actions, check the box next to each action.
- Click Download CSV. A CSV file that contains audit information is downloaded to your device.
- Open the CSV file in a spreadsheet app, such as Google Sheets. For definitions of the values in the CSV, see What audits contain.
Audit activity in a specific matter
- Sign in to vault.google.com.
- Click Matters.
- In the list of matters, click the matter you want to audit.
- Click Audit.
- (Optional) Select a date range.
- (Optional) Enter the email addresses of the Vault users whose actions you want to audit. To audit the actions of all Vault users, leave the field empty.
- Select what types of Vault user actions you want to audit:
- To audit all actions, click Select All.
- To audit only some actions, check the box next to each action. Note: No retention rule-related actions are reported for matter-specific audits because retention rules are managed outside matters.
- Click Download CSV. A CSV file that contains audit information is downloaded to your device.
- Open the CSV file in a spreadsheet app, such as Google Sheets. For definitions of the values in the CSV, see What audits contain.
What audits contain
Each line of an audit provides information for one action. Each action has 11 values. Some values apply only to certain actions and are empty for other actions.
Epoch millisecondsThe time that an action occurred in epoch milliseconds—the number of milliseconds that have elapsed since January 1, 1970 (midnight UTC/GMT). You don't have to do any conversions of epoch milliseconds, as each action is also recorded in human-readable time in the Date value.
The time that an action occurred in human-readable time. The value includes the day of the week; the date; the hour, minute, and second. The time zone is always Pacific (–0700 or –0800).
The action that occurred. Possible values:
Action value | Description |
---|---|
ADD_COLLABORATOR_BEGIN ADD_COLLABORATOR_END |
Logged whenever someone shares a specific matter with other users. The ID number of the matter is recorded in the Matter. The email address of the user with whom that matter was shared is recorded in the Email value. |
ADD_LITIGATION_HOLD_BEGIN ADD_LITIGATION_HOLD_END |
Logged whenever someone creates a hold in a matter. The ID number of the matter is recorded in the Matter value. The email address of the user whose content is on hold is recorded in the Name value. |
ADD_RETENTION_RULE_BEGIN ADD_RETENTION_RULE_END |
Logged whenever someone creates a custom retention rule. The new rule is given a unique ID, which is recorded in the Name value. The retention period is recorded as "Period: # days" in the Details value. |
CLOSE_INVESTIGATION_BEGIN CLOSE_INVESTIGATION_END |
Logged whenever someone closes a matter. The matter ID is recorded in the Matter value. |
CREATE_EXPORT_BEGIN CREATE_EXPORT_END |
Deprecated–Replaced by EXPORT. Reported for exports run in February 2014 or earlier. Logged whenever someone exports documents that were searched for in a matter. The name of the export is recorded in the Name value. The search criteria are recorded in the Query string value. |
CREATE_INVESTIGATION_BEGIN CREATE_INVESTIGATION_END |
Logged whenever someone creates a matter. The ID number of the matter is recorded in the Matter value. The name of the matter is recorded in the Name value. |
CREATE_SAVED_QUERY_BEGIN CREATE_SAVE_QUERY_END |
Logged whenever someone saves a search query in a matter. The search criteria that were used are recorded in the Query string value. |
DELETE_RETENTION_RULE_BEGIN DELETE_RETENTION_RULE_END |
Logged whenever someone deletes a custom retention rule. The ID number of the custom retention rule is recorded in the Name value. |
DOWNLOAD_CROSS_MATTER_LITIGATION_HOLD_REPORT | Logged whenever someone downloads the list of holds from Domain Holds, User Holds, or Group Holds. |
DOWNLOAD_PER_MATTER_LITIGATION_HOLD_REPORT | Logged whenever someone downloads the list of holds within a matter. The ID number of the matter is recorded the Matter value. |
EXPORT | Logged whenever someone runs an export. The name of the export is recorded in the Name value. The search criteria are recorded in the Query string value. |
MODIFY_DEFAULT_RETENTION_PERIOD_BEGIN MODIFY_DEFAULT_RETENTION_PERIOD_END |
Logged whenever someone modifies the default retention rule. The modified retention period is recorded as "Period: # days" in the Details value. |
REMOVE_COLLABORATOR_BEGIN REMOVE_COLLABORATOR_END |
Logged whenever someone removes another user from a shared matter. The ID of the matter is recorded in the Matter value. The email address of the user with whom the matter is no longer shared is recorded in the Email value. |
REMOVE_LITIGATION_HOLD_BEGIN REMOVE_LITIGATION_HOLD_END |
Logged whenever someone removes a hold on an account. The ID number of the matter is recorded in the Matter value. The email address of the user whose content is no longer on hold is recorded in the Name value. |
SEARCH | Logged whenever someone runs a search from a matter. The ID number of the matter is recorded in the Matter value. The search criteria are recorded in the Query string value. |
UPDATE_RETENTION_RULE_BEGIN UPDATE_RETENTION_RULE_END |
Logged whenever someone modifies a custom retention rule. The ID number of the custom retention rule is recorded in the Name value. The modified retention period is recorded as "Period: # days" in the Details value. |
VIEW_CROSS_MATTER_LITIGATION_HOLD_REPORT | Logged whenever someone clicks User Holds to view which users are on hold. |
VIEW_CUSTODIAN_LITIGATION_HOLD_REPORT | Logged whenever someone clicks Domain Holds to view holds for organizational units or users. |
VIEW_DOCUMENT | Logged whenever someone views a document. A unique ID number for that document is recorded in the Name value. |
VIEW_INVESTIGATION | Logged whenever someone opens the Search or Export pages in a matter. |
VIEW_MATTER_AUDIT_LOG | Logged whenever someone runs an audit within a specific matter. The ID number of the matter is recorded in the Matter value. |
VIEW_PER_MATTER_LITIGATION_HOLD_REPORT | Logged whenever someone views holds in a matter. The ID number of the matter is recorded the Matter value. |
VIEW_RETENTION_POLICY | Logged whenever someone opens the Retention page. |
VIEW_SYSTEM_AUDIT_LOG | Logged whenever someone downloads an audit. |
The email address of the Vault user who performed the action in the Action value.
For actions in a specific matter, the unique ID of the matter. The matter ID is part of the Vault URL for the matter.
The information in this value depends on the action that the Vault user took:
- If the user viewed a document (VIEW_DOCUMENT action), the unique ID of the document.
Example: ACD7onr49fP6DqvgAvIDhboAqqth9q7ekwGc0xpC3xjhpylzQvvQoNKmBKyE9NL1Qdww4eA2SQSc5mOF0JJ_bV_tkVFU3TWIdIrBYOiZLw0eBA9-xL7A-pc
- If the user added or removed a collaborator (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END action), the email address of the user who was added or removed.
- If the user created an export in a matter (CREATE_EXPORT_BEGIN/END action), the name of export.
The email address of the collaborator who was added to or removed from a matter (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END action).
The URL of any document that the user viewed (VIEW_DOCUMENT action).
The search parameters the user entered for a specific search (SEARCH or SEARCH_COUNT action).
Example: query: "( Project X )"
The name of the organizational unit to which the action applies. For example, if the Vault user created a retention rule that applies to a specific organizational unit.
The retention period in days that a user set for a custom retention rule. The period is indicated as "Period: # days."
How long information in audit logs persists
Actions in audit reports can't be deleted or truncated by Google or by any Vault administrator or user as long as your organization continues to use Vault.
If your organization terminates its Vault service, audit data is deleted after approximately 30 days.