Vault audits provide details about actions that Vault users have taken during a specified period of time. Vault users are those people who have privileges to sign in to Vault and perform actions (for example, setting retention rules or searching in matters). Learn more about Vault privileges.
You can run and export Vault audits as CSV files. These files can be viewed in any spreadsheet viewer, including Google Sheets.
How to run a Vault audit report
- In Vault, go to Reports > Audit.
- In Select date range, include start and end dates for the audit.
- In Select Vault users, include users on whom you want to run the audit. The Vault users you enter here have Vault privileges; you are auditing their actions in Vault (for example, if they've set retention rules, searched in matters, modified holds, or performed any other administrative actions).
- In Select action types, check the boxes next to actions about which you want audit information.
- Click Download CSV. A CSV file that contains audit information will be downloaded to your device.
What audits contain
What you see in the CSV file depends on which action types you selected when you ran the audit. For example, you might have selected Retention policy because you want to audit a Vault user's actions related to retention (which retention rules a Vault user created or modified).
Each line of an audit is for one action. Each action consists of 11 categories of information:Epoch milliseconds
This category indicates the time that an action occurred in epoch milliseconds—the number of milliseconds that have elapsed since January 1, 1970 (midnight UTC/GMT). You don't have to do any conversions of epoch milliseconds, as each action is also recorded in human-readable time in the Date category.
This category indicates the time that an action occurred in human-readable time. The category includes the day of the week; the date; the hour, minute, and second. The time zone is always Pacific (–0700 or –0800).
This category indicates an action that occurred. This table includes the various actions and what they mean:
|Action as identified in the audit||Description|
|VIEW_SYSTEM_AUDIT_LOG||Logged whenever someone downloads an audit.|
|VIEW_MATTER_AUDIT_LOG||Logged whenever someone runs an audit within a specific matter. The ID number of the matter is recorded in the Matter category.|
|VIEW_RETENTION_POLICY||Logged whenever someone navigates to the Retention page.|
|Logged whenever someone modifies the default retention rule. The newly modified retention period is recorded as "Period: # days" in the Details category.|
|Logged whenever someone creates a new custom retention rule. The new rule is given a unique ID number, which is recorded in the Name category. The retention period is recorded as "Period: # days" in the Details category.|
|Logged whenever someone modifies a custom retention rule. The ID number of the custom retention rule is recorded in the Name category. The newly modified retention period is recorded as "Period: # days" in the Details category.|
|Logged whenever someone deletes a custom retention rule. The ID number of the custom retention rule is recorded in the Name category.|
|Logged whenever someone creates a new matter. The ID number of the matter is recorded in the Matter category. The name of the matter is recorded in the Name category.|
|VIEW_CUSTODIAN_LITIGATION_HOLD_REPORT||Logged whenever someone clicks Domain Holds to view holds for the domain or users.|
|VIEW_PER_MATTER_LITIGATION_HOLD_REPORT||Logged whenever someone views holds within a matter. The ID number of the matter is recorded the Matter category.|
|VIEW_CROSS_MATTER_LITIGATION_HOLD_REPORT||Logged whenever someone clicks User Holds to view which users are on hold.|
|VIEW_INVESTIGATION||Logged whenever someone views the Search or Export pages in a matter.|
|Logged whenever someone shares a specific matter with other users. The ID number of the matter is recorded in the Matter. The email address of the user with whom that matter was shared is recorded in the Email category.|
|Logged whenever someone removes another user from a shared matter. The ID of the matter is recorded in the Matter category. The email address of the user with whom the matter is no longer shared is recorded in the Email category.|
|Logged whenever someone creates a new hold in a matter. The ID number of the matter is recorded in the Matter category. The email address of the user whose content is on hold is recorded in the Name category.|
|Logged whenever someone removes a hold on an account. The ID number of the matter is recorded in the Matter category. The email address of the user whose content is no longer on hold is recorded in the Name category.|
|SEARCH||Logged when someone conducts a search in a matter. The ID number of the matter is recorded in the Matter category. The search criteria are recorded in the Query string category.|
|Logged when someone saves a search query within a matter. The search criteria that were used are recorded in the Query search category.|
|VIEW_DOCUMENT||Logged when someone views a document. A unique ID number for that document is recorded in the Name category.|
|Logged when someone exports documents that were searched for in a matter. The name of the export is recorded in the Name category. The search criteria are recorded in the Query string category.|
|Logged when someone closes a matter. The matter ID is recorded in the Matter category.|
This category contains the email address of the Vault user who performed the action that was identified in the Action category.
When the Vault user interacts with a matter, a unique ID number for that matter appears in this category. This ID number appears in the Vault URL for the matter.
The information in this category depends on the action that the Vault user took:
- If the action involves viewing a document (VIEW_DOCUMENT), the Name category contains the unique ID number for that document.
- If the action involves the addition or removal of a collaborator (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END), the NAME category contains the email address of the user who was added or removed.
- If the action involves the export of documents in a matter (CREATE_EXPORT_BEGIN/END), the NAME category contains the name of export.
The Email category contains the email address of a collaborator who was added to or removed from a matter (seen with action ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END).
The Resource url category contains the URL of any document that the user viewed (seen with action VIEW_DOCUMENT).
This category contains the search parameters that the user entered for a specific search.
Example: query: "( Project X )"
This category contains the name of the organizational unit (OU) in your domain to which the action applies (for example, if the Vault user created a retention rule that applies to a specific OU).
This category contains the period of time in days that a user has specified for a custom retention rule. The period is indicated as "Period: # days."
How long the actions logged in audits persist
Actions logged in audits cannot be deleted or truncated by Google or by any Vault administrator as long as your organization continues to use Vault.
If your organization terminates its Vault service, audit data is deleted after approximately 30 days.