This document describes how to configure, view, and route audit logs for Google Workspace to Google Cloud. By routing audit logs to Google Cloud, you can diagnose and resolve common issues related to data security and compliance.
For a conceptual discussion of Google Workspace audit logs, see Audit logs for Google Workspace.
Overview
You can share audit logs with your Google Cloud organization using your Google Workspace, Cloud Identity, or Google Drive Enterprise account. You can access the shared audit logs through Cloud Logging in Google Cloud.
In Google Cloud, you can access the Google Workspace, Cloud Identity, and Google Drive Enterprise audit logs for the following services:
- Admin Audit logs
- Enterprise Groups Audit logs
- Login Audit logs
- OAuth Token Audit logs
- SAML Audit logs
For more information about these services' audit logs, see Service-specific information.
Before you begin
To view audit logs for Google Workspace in Google Cloud, ensure you have the correct permissions to view audit logs for Google Workspace.
IAM permissions and roles determine your ability to access audit logs data in the Logging API, the Logs Explorer, and the Google Cloud CLI.
For detailed information about the organization-level IAM permissions and roles you might need, see Cloud Logging Access control with IAM.
View audit logs in the Google Admin console
You can view audit logs for Google Workspace directly in the Google Admin console. To learn how to view these audit logs, see the following topics:
- View Google Workspace Admin Audit logs in the Google Admin console.
- View Google Workspace Enterprise Groups Audit logs in the Google Admin console.
- View Google Workspace Login Audit logs in the Google Admin console.
- View Google Workspace OAuth Token Audit logs in the Google Admin console.
- View Google Workspace SAML Audit logs in the Google Admin console.
- View other types of audit logs for Google Workspace in the Google Admin console.
Share audit logs with Google Cloud
To enable sharing Google Workspace data with Google Cloud from your Google Workspace, Cloud Identity, or Google Drive Enterprise account, follow the instructions in Share data with Google Cloud services.
After you enable sharing Google Workspace data with Google Cloud, Google Cloud receives all audit logs for Google Workspace. To exclude certain audit logs from Google Cloud, set up sinks with exclusion filters. You can't use the IAM page in the Google Cloud console to selectively disable sharing the data.
View audit logs for Google Workspace in Google Cloud
To view audit logs for Google Workspace in Logging, you use the Logging query language to select data. At a minimum, you need to know the identifier of your Google Cloud organization. You can further specify other indexed LogEntry fields, like resource.type, and filter by event types.
Here are the audit log names that apply to Google Workspace:
- organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
- organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
In the preceding log names, ORGANIZATION_ID refers to the Google Cloud organization for which you want to view audit logs.
You have several options for viewing your audit log entries:
Console
To get the audit log entries for your Google Cloud organization using the Logs Explorer in the Google Cloud console, do the following:
- In the Google Cloud console, go to the Logs Explorer page. If you use the search bar to find this page, then select the result whose subheading is Logging.
- From the Project selector menu, select an organization.
- From the Resource drop-down menu, select the resource type whose audit logs you want to see.
- In the Log name drop-down menu, select data_access for Data Access audit logs or activity for Admin Activity audit logs. If you don't see these options, then these audit logs aren't currently available in the organization.
- Optional: You can build a filter in the Query Builder pane to further specify the logs you want to see. To learn more about querying logs, see Build queries.
API
To read your audit log entries using the Logging API, do the following:
- Go to the Try this API section in the documentation for the entries.list method.
- Put the following into the Request body part of the Try this API form. Clicking this prepopulated form automatically fills the request body, but you need to supply a valid ORGANIZATION_ID in each of the log names.
  {
    "resourceNames": ["organizations/ORGANIZATION_ID"],
    "pageSize": 5,
    "filter": "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"
  }
- Click Execute. 
For more details about using the Logging API to read logs, see Logging query language.
gcloud
The Google Cloud CLI provides a command-line interface to the Cloud Logging API. To read your audit log entries, run the following command:
gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"
Replace ORGANIZATION_ID in each of the log names with the ID of the Google Cloud organization for which you want to read audit logs.
For more information about this command, see the gcloud logging read reference.
Each Google Workspace service that provides audit logs captures events specific to the service. If you want to read logs for a particular audited event, such as a successful login or revoked access, add the following to your filter and supply a valid EVENT_NAME:
protoPayload.metadata.event.eventName="EVENT_NAME" resource.type="audited_resource"
For a list of valid event names and their parameters, see the Reports API documentation and select from the listed services.
For example, if you want to read logs for each time the Login service reports that an account password was changed, your filter would look like this:
protoPayload.metadata.event.eventName="password_edit" resource.type="audited_resource"
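As an added example that is not part of the documentation, the following Python builds the filter shown above for a given organization and event name, and then applies the same eventName and resource.type restriction to entries already exported (for example with gcloud logging read --format=json) to count events per principal. The sample entries are constructed; the authenticationInfo.principalEmail field and the list form of protoPayload.metadata.event are assumptions about the exported entry layout, not taken from this page.

```python
import re
from collections import Counter

# Constructed sample entries in the shape of `gcloud logging read --format=json`
# output. Only eventName and resource.type come from the page; the remaining
# field names are assumptions about the exported Workspace audit log.
SAMPLE_ENTRIES = [
    {"resource": {"type": "audited_resource"},
     "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                      "metadata": {"event": [{"eventName": "password_edit"}]}}},
    {"resource": {"type": "audited_resource"},  # single object instead of a list
     "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                      "metadata": {"event": {"eventName": "password_edit"}}}},
    {"resource": {"type": "audited_resource"},
     "protoPayload": {"authenticationInfo": {"principalEmail": "bob@example.com"},
                      "metadata": {"event": [{"eventName": "login_success"}]}}},
    {"resource": {"type": "gce_instance"},  # not a Workspace entry; must be ignored
     "protoPayload": {"metadata": {"event": [{"eventName": "password_edit"}]}}},
]
EVENT_NAME_RE = re.compile(r"^[a-z0-9_]+$")

def build_filter(org_id, event_name=None):
    """Query from the page: the org's Workspace audit logs, optionally one eventName."""
    parts = [f"logName : organizations/{org_id}/logs/cloudaudit.googleapis.com"]
    if event_name is not None:
        # Refuse names that could change the query's meaning (quotes, operators).
        if not EVENT_NAME_RE.match(event_name):
            raise ValueError(f"unexpected event name: {event_name!r}")
        parts.append(f'protoPayload.metadata.event.eventName="{event_name}"')
        parts.append('resource.type="audited_resource"')
    return " ".join(parts)

def event_names(entry):
    """Every eventName in an entry; 'event' is a list in exports, a dict is tolerated."""
    events = entry.get("protoPayload", {}).get("metadata", {}).get("event", [])
    if isinstance(events, dict):
        events = [events]
    return [e["eventName"] for e in events if "eventName" in e]

def count_events(entries, event_name):
    """Count event_name per principal, with the page's resource.type restriction."""
    counts = Counter()
    for entry in entries:
        if entry.get("resource", {}).get("type") != "audited_resource":
            continue
        if event_name in event_names(entry):
            auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
            counts[auth.get("principalEmail", "<unknown>")] += 1
    return dict(counts)
```

Pass the output of build_filter to gcloud logging read or to the entries.list request body, and feed the resulting JSON entries to count_events to spot principals with unusually many password_edit events.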
Route audit logs from Google Cloud
After audit logs for Google Workspace are in Google Cloud, you can route the logs to supported destinations. For example, you can create a sink to route logs to Splunk or BigQuery. For a conceptual overview of how logs are routed from Cloud Logging, see Routing and storage overview.
Because audit logs for Google Workspace are organization-level logs, you route them using aggregated sinks at the organizational level to these destinations:
For instructions about configuring sinks to route logs, see Collate and route organization-level logs to supported destinations.
Customize data retention period
Cloud Logging retention periods apply to the audit logs that you store in log buckets.
To keep audit logs longer than the default retention periods, you can configure custom retention.
What's next
- Troubleshoot issues with audit logs for Google Workspace.
- Review best practices for Cloud Audit Logs.
- Learn about Access Transparency logs for Google Workspace.