This document provides a conceptual overview of the audit logs that Google Workspace provides as a part of Cloud Audit Logs.
For information about managing your Google Workspace audit logs, see View and manage audit logs for Google Workspace.
Overview
Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?". You can share your Google Workspace audit logs with Google Cloud to store, analyze, monitor, and alert on your Google Workspace data.
Audit logs for Google Workspace are available for Cloud Identity, Cloud Identity Premium, and all Google Workspace customers.
If you've enabled Google Workspace data sharing with Google Cloud, then audit logs are always enabled for Google Workspace.
Disabling Google Workspace data sharing stops new Google Workspace audit log events from being sent to Google Cloud. Any existing logs remain through their default retention periods, unless you have configured custom retention to retain your logs for a longer period.
If you don't enable Google Workspace data sharing with Google Cloud, then you can't see audit logs for Google Workspace in Google Cloud.
Types of audit logs
Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management (IAM) permissions.
Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs don't record the data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without logging into Google Cloud, Google Workspace, Cloud Identity, or Drive Enterprise account.
Google Workspace services forwarding audit logs to Google Cloud
Google Workspace provides the following audit logs at the Google Cloud organization level:
- Access Transparency: Access Transparency logs provide a record of actions when Google personnel access customer content in your Google Workspace resources. In contrast to Access Transparency, Cloud Audit Logs record the actions that members of your Google Cloud organization have taken in your Google Cloud resources. - For more information about the structure of Access Transparency logs and the types of accesses that are logged, see Log field descriptions. 
- Google Workspace Admin Audit: Admin Audit logs provide a record of actions performed in your Google Admin console. For example, you can see when an administrator added a user or turned on a Google Workspace service. - Admin Audit writes Admin Activity audit logs only. 
- Google Workspace Enterprise Groups Audit: Enterprise Groups Audit logs provide a record of actions performed on groups and group memberships. For example, you can see when an administrator added a user or when a group owner deleted their group. - Enterprise Groups Audit writes Admin Activity audit logs only. 
- Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action. - Login Audit writes Data Access audit logs only. 
- Google Workspace OAuth Token Audit: OAuth Token Audit logs track which users are using which third-party mobile or web applications in your domain. For example, when a user opens a Google Workspace Marketplace app, the log records the name of the app and the person using it. The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only). - OAuth Token Audit writes both Admin Activity and Data Access audit logs. 
- Google Workspace SAML Audit: SAML Audit logs track users' successful and failed sign-ins to SAML applications. Entries usually appear within an hour of the user action. - SAML Audit writes Data Access audit logs only. 
Service-specific information
Details for each Google Workspace service's audit logs are as follows:
Google Workspace Admin Audit
Google Workspace Admin Audit audit logs use the resource type
audited_resource for all audit logs.
Google Workspace Admin Audit audit logs use the service name
admin.googleapis.com.
Google Workspace Admin Audit writes Admin Activity audit logs only. The following are the audited operations:
| Activity type | AuditLog.method_name | 
|---|---|
| AI_CLASSIFICATION_SETTINGS | google.admin.AdminService.aiClassificationInsufficientTrainingExamplesgoogle.admin.AdminService.aiClassificationModelLowScoregoogle.admin.AdminService.aiClassificationNewModelReady | 
| ALERT_CENTER | google.admin.AdminService.alertCenterBatchDeleteAlertsgoogle.admin.AdminService.alertCenterBatchUndeleteAlertsgoogle.admin.AdminService.alertCenterCreateAlertgoogle.admin.AdminService.alertCenterCreateFeedbackgoogle.admin.AdminService.alertCenterDeleteAlertgoogle.admin.AdminService.alertCenterGetAlertMetadatagoogle.admin.AdminService.alertCenterGetCustomerSettingsgoogle.admin.AdminService.alertCenterGetSitLinkgoogle.admin.AdminService.alertCenterListChangegoogle.admin.AdminService.alertCenterListFeedbackgoogle.admin.AdminService.alertCenterListRelatedAlertsgoogle.admin.AdminService.alertCenterUndeleteAlertgoogle.admin.AdminService.alertCenterUpdateAlertgoogle.admin.AdminService.alertCenterUpdateAlertMetadatagoogle.admin.AdminService.alertCenterUpdateCustomerSettingsgoogle.admin.AdminService.alertCenterView | 
| APPLICATION_SETTINGS | google.admin.AdminService.changeApplicationSettinggoogle.admin.AdminService.createApplicationSettinggoogle.admin.AdminService.deleteApplicationSettinggoogle.admin.AdminService.reorderGroupBasedPoliciesEventgoogle.admin.AdminService.gplusPremiumFeaturesgoogle.admin.AdminService.createManagedConfigurationgoogle.admin.AdminService.deleteManagedConfigurationgoogle.admin.AdminService.updateManagedConfigurationgoogle.admin.AdminService.flashlightEduNonFeaturedServicesSelected | 
| CALENDAR_SETTINGS | google.admin.AdminService.createBuildinggoogle.admin.AdminService.deleteBuildinggoogle.admin.AdminService.updateBuildinggoogle.admin.AdminService.createCalendarResourcegoogle.admin.AdminService.deleteCalendarResourcegoogle.admin.AdminService.createCalendarResourceFeaturegoogle.admin.AdminService.deleteCalendarResourceFeaturegoogle.admin.AdminService.updateCalendarResourceFeaturegoogle.admin.AdminService.renameCalendarResourcegoogle.admin.AdminService.updateCalendarResourcegoogle.admin.AdminService.changeCalendarSettinggoogle.admin.AdminService.cancelCalendarEventsgoogle.admin.AdminService.releaseCalendarResources | 
| CHAT_SETTINGS | google.admin.AdminService.meetInteropCreateGatewaygoogle.admin.AdminService.meetInteropDeleteGatewaygoogle.admin.AdminService.meetInteropModifyGatewaygoogle.admin.AdminService.changeChatSetting | 
| CHROME_OS_SETTINGS | google.admin.AdminService.changeChromeOsAndroidApplicationSettinggoogle.admin.AdminService.changeChromeOsApplicationSettinggoogle.admin.AdminService.sendChromeOsDeviceCommandgoogle.admin.AdminService.changeChromeOsDeviceAnnotationgoogle.admin.AdminService.changeChromeOsDeviceSettinggoogle.admin.AdminService.changeChromeOsDeviceStategoogle.admin.AdminService.changeChromeOsPublicSessionSettinggoogle.admin.AdminService.insertChromeOsPrintergoogle.admin.AdminService.deleteChromeOsPrintergoogle.admin.AdminService.updateChromeOsPrintergoogle.admin.AdminService.changeChromeOsSettinggoogle.admin.AdminService.changeChromeOsUserSettinggoogle.admin.AdminService.removeChromeOsApplicationSettings | 
| CONTACTS_SETTINGS | google.admin.AdminService.changeContactsSetting | 
| DELEGATED_ADMIN_SETTINGS | google.admin.AdminService.assignRolegoogle.admin.AdminService.createRolegoogle.admin.AdminService.deleteRolegoogle.admin.AdminService.addPrivilegegoogle.admin.AdminService.removePrivilegegoogle.admin.AdminService.renameRolegoogle.admin.AdminService.updateRolegoogle.admin.AdminService.unassignRole | 
| DEVICE_SETTINGS | google.admin.AdminService.deleteDevicegoogle.admin.AdminService.moveDeviceToOrgUnit | 
| DOCS_SETTINGS | google.admin.AdminService.transferDocumentOwnershipgoogle.admin.AdminService.driveDataRestoregoogle.admin.AdminService.changeDocsSetting | 
| DOMAIN_SETTINGS | google.admin.AdminService.changeAccountAutoRenewalgoogle.admin.AdminService.addApplicationgoogle.admin.AdminService.addApplicationToWhitelistgoogle.admin.AdminService.changeAdvertisementOptiongoogle.admin.AdminService.createAlertgoogle.admin.AdminService.changeAlertCriteriagoogle.admin.AdminService.deleteAlertgoogle.admin.AdminService.alertReceiversChangedgoogle.admin.AdminService.renameAlertgoogle.admin.AdminService.alertStatusChangedgoogle.admin.AdminService.addDomainAliasgoogle.admin.AdminService.removeDomainAliasgoogle.admin.AdminService.skipDomainAliasMxgoogle.admin.AdminService.verifyDomainAliasMxgoogle.admin.AdminService.verifyDomainAliasgoogle.admin.AdminService.toggleOauthAccessToAllApisgoogle.admin.AdminService.toggleAllowAdminPasswordResetgoogle.admin.AdminService.enableApiAccessgoogle.admin.AdminService.authorizeApiClientAccessgoogle.admin.AdminService.removeApiClientAccessgoogle.admin.AdminService.chromeLicensesRedeemedgoogle.admin.AdminService.toggleAutoAddNewServicegoogle.admin.AdminService.changePrimaryDomaingoogle.admin.AdminService.changeWhitelistSettinggoogle.admin.AdminService.communicationPreferencesSettingChangegoogle.admin.AdminService.changeConflictAccountActiongoogle.admin.AdminService.enableFeedbackSolicitationgoogle.admin.AdminService.toggleContactSharinggoogle.admin.AdminService.createPlayForWorkTokengoogle.admin.AdminService.toggleUseCustomLogogoogle.admin.AdminService.changeCustomLogogoogle.admin.AdminService.changeDataLocalizationForRussiagoogle.admin.AdminService.changeDataLocalizationSettinggoogle.admin.AdminService.changeDataProtectionOfficerContactInfogoogle.admin.AdminService.deletePlayForWorkTokengoogle.admin.AdminService.viewDnsLoginDetailsgoogle.admin.AdminService.changeDomainDefaultLocalegoogle.admin.AdminService.changeDomainDefaultTimezonegoogle.admin.AdminService.changeDomainNamegoogle.admin.AdminService.toggleEnablePreReleaseFeaturesgoogle.admin.AdminService.changeDomainSupportMessagegoogle.admin.AdminService.addTrustedDomainsgoogle.admin.AdminService.removeTrustedDomainsgoogle.admin.AdminService.changeEduTypegoogle.admin.AdminService.toggleEnableOauthConsumerKeygoogle.admin.AdminService.toggleSsoEnabledgoogle.admin.AdminService.toggleSslgoogle.admin.AdminService.changeEuRepresentativeContactInfogoogle.admin.AdminService.generateTransferTokengoogle.admin.AdminService.changeLoginBackgroundColorgoogle.admin.AdminService.changeLoginBorderColorgoogle.admin.AdminService.changeLoginActivityTracegoogle.admin.AdminService.playForWorkEnrollgoogle.admin.AdminService.playForWorkUnenrollgoogle.admin.AdminService.mxRecordVerificationClaimgoogle.admin.AdminService.toggleNewAppFeaturesgoogle.admin.AdminService.toggleUseNextGenControlPanelgoogle.admin.AdminService.uploadOauthCertificategoogle.admin.AdminService.regenerateOauthConsumerSecretgoogle.admin.AdminService.toggleOpenIdEnabledgoogle.admin.AdminService.changeOrganizationNamegoogle.admin.AdminService.toggleOutboundRelaygoogle.admin.AdminService.changePasswordMaxLengthgoogle.admin.AdminService.changePasswordMinLengthgoogle.admin.AdminService.updateDomainPrimaryAdminEmailgoogle.admin.AdminService.enableServiceOrFeatureNotificationsgoogle.admin.AdminService.removeApplicationgoogle.admin.AdminService.removeApplicationFromWhitelistgoogle.admin.AdminService.changeRenewDomainRegistrationgoogle.admin.AdminService.changeResellerAccessgoogle.admin.AdminService.ruleActionsChangedgoogle.admin.AdminService.createRulegoogle.admin.AdminService.changeRuleCriteriagoogle.admin.AdminService.deleteRulegoogle.admin.AdminService.renameRulegoogle.admin.AdminService.ruleStatusChangedgoogle.admin.AdminService.addSecondaryDomaingoogle.admin.AdminService.removeSecondaryDomaingoogle.admin.AdminService.skipSecondaryDomainMxgoogle.admin.AdminService.verifySecondaryDomainMxgoogle.admin.AdminService.verifySecondaryDomaingoogle.admin.AdminService.updateDomainSecondaryEmailgoogle.admin.AdminService.changeSsoSettingsgoogle.admin.AdminService.generatePingoogle.admin.AdminService.updateRule | 
| EMAIL_SETTINGS | google.admin.AdminService.dropFromQuarantinegoogle.admin.AdminService.emailLogSearchgoogle.admin.AdminService.emailUndeletegoogle.admin.AdminService.changeEmailSettinggoogle.admin.AdminService.changeGmailSettinggoogle.admin.AdminService.createGmailSettinggoogle.admin.AdminService.deleteGmailSettinggoogle.admin.AdminService.rejectFromQuarantinegoogle.admin.AdminService.releaseFromQuarantine | 
| GROUP_SETTINGS | google.admin.AdminService.createGroupgoogle.admin.AdminService.deleteGroupgoogle.admin.AdminService.changeGroupDescriptiongoogle.admin.AdminService.groupListDownloadgoogle.admin.AdminService.addGroupMembergoogle.admin.AdminService.removeGroupMembergoogle.admin.AdminService.updateGroupMembergoogle.admin.AdminService.updateGroupMemberDeliverySettingsgoogle.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverridegoogle.admin.AdminService.groupMemberBulkUploadgoogle.admin.AdminService.groupMembersDownloadgoogle.admin.AdminService.changeGroupEmailgoogle.admin.AdminService.changeGroupNamegoogle.admin.AdminService.changeGroupSettinggoogle.admin.AdminService.whitelistedGroupsUpdated | 
| LABELS | google.admin.AdminService.labelDeletedgoogle.admin.AdminService.labelDisabledgoogle.admin.AdminService.labelReenabledgoogle.admin.AdminService.labelPermissionUpdatedgoogle.admin.AdminService.labelPermissionDeletedgoogle.admin.AdminService.labelPublishedgoogle.admin.AdminService.labelCreatedgoogle.admin.AdminService.labelUpdated | 
| LICENSES_SETTINGS | google.admin.AdminService.orgUsersLicenseAssignmentgoogle.admin.AdminService.orgAllUsersLicenseAssignmentgoogle.admin.AdminService.userLicenseAssignmentgoogle.admin.AdminService.changeLicenseAutoAssigngoogle.admin.AdminService.userLicenseReassignmentgoogle.admin.AdminService.orgLicenseRevokegoogle.admin.AdminService.userLicenseRevokegoogle.admin.AdminService.updateDynamicLicensegoogle.admin.AdminService.licenseUsageUpdate | 
| MOBILE_SETTINGS | google.admin.AdminService.actionCancelledgoogle.admin.AdminService.actionRequestedgoogle.admin.AdminService.addMobileCertificategoogle.admin.AdminService.companyDevicesBulkCreationgoogle.admin.AdminService.companyOwnedDeviceBlockedgoogle.admin.AdminService.companyDeviceDeletiongoogle.admin.AdminService.companyOwnedDeviceUnblockedgoogle.admin.AdminService.companyOwnedDeviceWipedgoogle.admin.AdminService.changeMobileApplicationPermissionGrantgoogle.admin.AdminService.changeMobileApplicationPriorityOrdergoogle.admin.AdminService.removeMobileApplicationFromWhitelistgoogle.admin.AdminService.changeMobileApplicationSettingsgoogle.admin.AdminService.addMobileApplicationToWhitelistgoogle.admin.AdminService.mobileDeviceApprovegoogle.admin.AdminService.mobileDeviceBlockgoogle.admin.AdminService.mobileDeviceDeletegoogle.admin.AdminService.mobileDeviceWipegoogle.admin.AdminService.changeMobileSettinggoogle.admin.AdminService.changeAdminRestrictionsPingoogle.admin.AdminService.changeMobileWirelessNetworkgoogle.admin.AdminService.addMobileWirelessNetworkgoogle.admin.AdminService.removeMobileWirelessNetworkgoogle.admin.AdminService.changeMobileWirelessNetworkPasswordgoogle.admin.AdminService.removeMobileCertificategoogle.admin.AdminService.enrollForGoogleDeviceManagementgoogle.admin.AdminService.useGoogleMobileManagementgoogle.admin.AdminService.useGoogleMobileManagementForNonIosgoogle.admin.AdminService.useGoogleMobileManagementForIosgoogle.admin.AdminService.mobileAccountWipegoogle.admin.AdminService.mobileDeviceCancelWipeThenApprovegoogle.admin.AdminService.mobileDeviceCancelWipeThenBlock | 
| ORG_SETTINGS | google.admin.AdminService.chromeLicensesEnabledgoogle.admin.AdminService.chromeApplicationLicenseReservationCreatedgoogle.admin.AdminService.chromeApplicationLicenseReservationDeletedgoogle.admin.AdminService.chromeApplicationLicenseReservationUpdatedgoogle.admin.AdminService.assignCustomLogogoogle.admin.AdminService.unassignCustomLogogoogle.admin.AdminService.createEnrollmentTokengoogle.admin.AdminService.revokeEnrollmentTokengoogle.admin.AdminService.chromeLicensesAllowedgoogle.admin.AdminService.createOrgUnitgoogle.admin.AdminService.removeOrgUnitgoogle.admin.AdminService.editOrgUnitDescriptiongoogle.admin.AdminService.moveOrgUnitgoogle.admin.AdminService.editOrgUnitNamegoogle.admin.AdminService.toggleServiceEnabled | 
| SECURITY_INVESTIGATION | google.admin.AdminService.securityInvestigationActiongoogle.admin.AdminService.securityInvestigationActionCancellationgoogle.admin.AdminService.securityInvestigationActionCompletiongoogle.admin.AdminService.securityInvestigationActionRetrygoogle.admin.AdminService.securityInvestigationActionVerificationConfirmationgoogle.admin.AdminService.securityInvestigationActionVerificationRequestgoogle.admin.AdminService.securityInvestigationActionVerificationRequestExpirationgoogle.admin.AdminService.securityInvestigationChartCreategoogle.admin.AdminService.securityInvestigationContentAccessgoogle.admin.AdminService.securityInvestigationDownloadAttachmentgoogle.admin.AdminService.securityInvestigationExportActionResultsgoogle.admin.AdminService.securityInvestigationExportQuerygoogle.admin.AdminService.securityInvestigationObjectCreateDraftInvestigationgoogle.admin.AdminService.securityInvestigationObjectDeleteInvestigationgoogle.admin.AdminService.securityInvestigationObjectDuplicateInvestigationgoogle.admin.AdminService.securityInvestigationObjectOwnershipTransfergoogle.admin.AdminService.securityInvestigationObjectSaveInvestigationgoogle.admin.AdminService.securityInvestigationObjectUpdateDirectSharinggoogle.admin.AdminService.securityInvestigationObjectUpdateLinkSharinggoogle.admin.AdminService.securityInvestigationQuerygoogle.admin.AdminService.securityInvestigationSettingUpdate | 
| SECURITY_SETTINGS | google.admin.AdminService.addToTrustedOauth2Appsgoogle.admin.AdminService.allowAspWithout2Svgoogle.admin.AdminService.allowServiceForOauth2Accessgoogle.admin.AdminService.allowStrongAuthenticationgoogle.admin.AdminService.blockOnDeviceAccessgoogle.admin.AdminService.changeAllowedTwoStepVerificationMethodsgoogle.admin.AdminService.changeAppAccessSettingsCollectionIdgoogle.admin.AdminService.changeCaaAppAssignmentsgoogle.admin.AdminService.changeCaaDefaultAssignmentsgoogle.admin.AdminService.changeCaaErrorMessagegoogle.admin.AdminService.changeSessionLengthgoogle.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDurationgoogle.admin.AdminService.changeTwoStepVerificationFrequencygoogle.admin.AdminService.changeTwoStepVerificationGracePeriodDurationgoogle.admin.AdminService.changeTwoStepVerificationStartDategoogle.admin.AdminService.disallowServiceForOauth2Accessgoogle.admin.AdminService.enableNonAdminUserPasswordRecoverygoogle.admin.AdminService.enforceStrongAuthenticationgoogle.admin.AdminService.removeFromTrustedOauth2Appsgoogle.admin.AdminService.sessionControlSettingsChangegoogle.admin.AdminService.toggleCaaEnablementgoogle.admin.AdminService.trustDomainOwnedOauth2Appsgoogle.admin.AdminService.unblockOnDeviceAccessgoogle.admin.AdminService.untrustDomainOwnedOauth2Appsgoogle.admin.AdminService.updateErrorMsgForRestrictedOauth2Appsgoogle.admin.AdminService.weakProgrammaticLoginSettingsChanged | 
| SITES_SETTINGS | google.admin.AdminService.addWebAddressgoogle.admin.AdminService.deleteWebAddressgoogle.admin.AdminService.changeSitesSettinggoogle.admin.AdminService.changeSitesWebAddressMappingUpdatesgoogle.admin.AdminService.viewSiteDetails | 
| USER_SETTINGS | google.admin.AdminService.delete2SvScratchCodesgoogle.admin.AdminService.generate2SvScratchCodesgoogle.admin.AdminService.revoke3LoDeviceTokensgoogle.admin.AdminService.revoke3LoTokengoogle.admin.AdminService.addRecoveryEmailgoogle.admin.AdminService.addRecoveryPhonegoogle.admin.AdminService.grantAdminPrivilegegoogle.admin.AdminService.revokeAdminPrivilegegoogle.admin.AdminService.revokeAspgoogle.admin.AdminService.toggleAutomaticContactSharinggoogle.admin.AdminService.bulkUploadgoogle.admin.AdminService.bulkUploadNotificationSentgoogle.admin.AdminService.cancelUserInvitegoogle.admin.AdminService.changeUserCustomFieldgoogle.admin.AdminService.changeUserExternalIdgoogle.admin.AdminService.changeUserGendergoogle.admin.AdminService.changeUserImgoogle.admin.AdminService.enableUserIpWhitelistgoogle.admin.AdminService.changeUserKeywordgoogle.admin.AdminService.changeUserLanguagegoogle.admin.AdminService.changeUserLocationgoogle.admin.AdminService.changeUserOrganizationgoogle.admin.AdminService.changeUserPhoneNumbergoogle.admin.AdminService.changeRecoveryEmailgoogle.admin.AdminService.changeRecoveryPhonegoogle.admin.AdminService.changeUserRelationgoogle.admin.AdminService.changeUserAddressgoogle.admin.AdminService.createEmailMonitorgoogle.admin.AdminService.createDataTransferRequestgoogle.admin.AdminService.grantDelegatedAdminPrivilegesgoogle.admin.AdminService.deleteAccountInfoDumpgoogle.admin.AdminService.deleteEmailMonitorgoogle.admin.AdminService.deleteMailboxDumpgoogle.admin.AdminService.changeFirstNamegoogle.admin.AdminService.gmailResetUsergoogle.admin.AdminService.changeLastNamegoogle.admin.AdminService.mailRoutingDestinationAddedgoogle.admin.AdminService.mailRoutingDestinationRemovedgoogle.admin.AdminService.addNicknamegoogle.admin.AdminService.removeNicknamegoogle.admin.AdminService.changePasswordgoogle.admin.AdminService.changePasswordOnNextLogingoogle.admin.AdminService.downloadPendingInvitesListgoogle.admin.AdminService.removeRecoveryEmailgoogle.admin.AdminService.removeRecoveryPhonegoogle.admin.AdminService.requestAccountInfogoogle.admin.AdminService.requestMailboxDumpgoogle.admin.AdminService.resendUserInvitegoogle.admin.AdminService.resetSigninCookiesgoogle.admin.AdminService.securityKeyRegisteredForUsergoogle.admin.AdminService.revokeSecurityKeygoogle.admin.AdminService.userInvitegoogle.admin.AdminService.viewTempPasswordgoogle.admin.AdminService.turnOff2StepVerificationgoogle.admin.AdminService.unblockUserSessiongoogle.admin.AdminService.unenrollUserFromTitaniumgoogle.admin.AdminService.archiveUsergoogle.admin.AdminService.updateBirthdategoogle.admin.AdminService.createUsergoogle.admin.AdminService.deleteUsergoogle.admin.AdminService.downgradeUserFromGplusgoogle.admin.AdminService.userEnrolledInTwoStepVerificationgoogle.admin.AdminService.downloadUserlistCsvgoogle.admin.AdminService.moveUserToOrgUnitgoogle.admin.AdminService.userPutInTwoStepVerificationGracePeriodgoogle.admin.AdminService.renameUsergoogle.admin.AdminService.unenrollUserFromStrongAuthgoogle.admin.AdminService.suspendUsergoogle.admin.AdminService.unarchiveUsergoogle.admin.AdminService.undeleteUsergoogle.admin.AdminService.unsuspendUsergoogle.admin.AdminService.upgradeUserToGplusgoogle.admin.AdminService.usersBulkUploadgoogle.admin.AdminService.usersBulkUploadNotificationSent | 
Google Workspace Enterprise Groups Audit
Google Workspace Enterprise Groups Audit audit logs use the resource type audited_resource for
all audit logs.
Google Workspace Enterprise Groups Audit audit logs use the service name
cloudidentity.googleapis.com.
Google Workspace Enterprise Groups Audit writes Admin Activity audit logs only. The following are the audited operations:
| 
Audit logs category
 | AuditLog.method_name | 
|---|---|
| Admin Activity audit logs | google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroupgoogle.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership | 
Google Workspace Login Audit
All Google Workspace Login Audit audit logs use the resource type audited_resource.
Google Workspace Login Audit audit logs use the service name
login.googleapis.com.
Google Workspace Login Audit writes Data Access audit logs only. The following are the audited operations; log samples for each operation are available.
| Audit logs category | AuditLog.method_name | 
|---|---|
| Data Access audit logs | google.login.LoginService.2svDisablegoogle.login.LoginService.2svEnrollgoogle.login.LoginService.accountDisabledPasswordLeakgoogle.login.LoginService.accountDisabledGenericgoogle.login.LoginService.accountDisabledSpammingThroughRelaygoogle.login.LoginService.accountDisabledSpamminggoogle.login.LoginService.accountDisabledHijackedgoogle.login.LoginService.emailForwardingOutOfDomaingoogle.login.LoginService.govAttackWarninggoogle.login.LoginService.loginChallengegoogle.login.LoginService.loginFailuregoogle.login.LoginService.loginVerificationgoogle.login.LoginService.logoutgoogle.login.LoginService.loginSuccessgoogle.login.LoginService.passwordEditgoogle.login.LoginService.recoveryEmailEditgoogle.login.LoginService.recoveryPhoneEditgoogle.login.LoginService.recoverySecretQaEditgoogle.login.LoginService.riskySensitiveActionAllowedgoogle.login.LoginService.riskySensitiveActionBlockedgoogle.login.LoginService.suspiciousLogingoogle.login.LoginService.suspiciousLoginLessSecureAppgoogle.login.LoginService.suspiciousProgrammaticLogingoogle.login.LoginService.titaniumEnrollgoogle.login.LoginService.titaniumUnenroll | 
Google Workspace OAuth Token Audit
Google Workspace OAuth Token Audit audit logs use the resource type audited_resource for
all audit logs.
Google Workspace OAuth Token Audit audit logs use the service name
oauth2.googleapis.com.
Google Workspace OAuth Token Audit writes both Admin Activity and Data Access audit logs. The following are the audited operations:
| 
Audit logs category
 | AuditLog.method_name | 
|---|---|
| Admin Activity audit logs | google.identity.oauth2.Denygoogle.identity.oauth2.GetTokengoogle.identity.oauth2.Requestgoogle.identity.oauth2.RevokeToken | 
| Data Access audit logs | google.identity.oauth2.GetTokenInfo | 
Google Workspace SAML Audit
Google Workspace SAML Audit audit logs use the resource type audited_resource for
all audit logs.
Google Workspace SAML Audit audit logs use the service name
login.googleapis.com.
Google Workspace SAML Audit writes Data Access audit logs only. The following are the audited operations:
| 
Audit logs category
 | AuditLog.method_name | 
|---|---|
| Data Access audit logs | google.apps.login.v1.SamlLoginFailed | 
| google.apps.login.v1.SamlLoginSucceeded | 
Audit log permissions
IAM permissions and roles determine your ability to access audit logs data in the Logging API, the Logs Explorer, and the Google Cloud CLI.
For detailed information about the organization-level IAM permissions and roles you might need, see the Access control with IAM.
Audit log format
Google Workspace audit log entries include the following objects:
- The log entry itself, which is an object of type - LogEntry. When examining audit logging data, you might find the following useful:- logNamecontains the organization ID and audit log type.
- resourcecontains the target of the audited operation.
- timeStampcontains the time of the audited operation.
- protoPayloadcontains the Google Workspace audit log in its- metadatafield.
 
The protoPayload.metadata field holds the audited Google Workspace
information. The following is an example of a Login Audit log:
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "test-user@example.net" }, "requestMetadata": { "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "requestAttributes": {}, "destinationAttributes": {} }, "serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "resourceName": "organizations/123", "metadata": { "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { "value": "google_password", "type": "TYPE_STRING", "name": "login_type", }, { "name": "login_challenge_method", "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" ] }, ] } ], "activityId": { "uniqQualifier": "358068855354", "timeUsec": "1632500217183212" }, "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "-nahbepd4l1x", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2021-09-24T16:16:57.183212Z", "severity": "NOTICE", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2021-09-24T17:51:25.034361197Z" }
For information about service-specific audit logging fields, and how to interpret them, select from the services listed in Available audit logs.
View logs
For information on viewing your Google Workspace audit logs, see View and manage audit logs for Google Workspace.
Route audit logs
You can route Google Workspace audit logs from Cloud Logging to supported destinations, including other Logging buckets.
Here are some applications for routing audit logs:
- To use more powerful search capabilities, you can route copies of your audit logs to Cloud Storage, BigQuery, or Pub/Sub. Using Pub/Sub, you can route to other applications, other repositories, and to third parties. 
- To manage your audit logs across an entire organization, you can create aggregated sinks that combine and route logs from all the Google Cloud projects, billing accounts, and folders contained by your organization. For instance, you might aggregate and route audit log entries from an organization's folders to a Cloud Storage bucket. 
For instructions on routing logs, see Route logs to supported destinations.
Regionalization
You can't choose a region where your Google Workspace logs are stored. Google Workspace logs aren't covered by the Google Workspace Data Region Policy.
Retention periods
The following retention periods apply to your audit logs data:
For each organization, Cloud Logging automatically stores logs in two
buckets: a _Default bucket and a _Required bucket. The _Required bucket
holds Admin Activity audit logs, System Event audit logs, and Access Transparency logs.
The _Default bucket holds all other log entries that aren't stored in the
_Required bucket. For more information on Logging buckets, see
Routing and storage overview.
You can configure Cloud Logging to retain the logs in the _Default logs
bucket for a period ranging from 1 day to
3650 days.
To update the retention period for the _Default logs bucket, see
Custom retention.
You can't change the retention period on the _Required bucket.
Quotas and limits
The same quotas apply to audit logs for Google Workspace and Cloud Audit Logs.
For details about these usage limits, including the maximum sizes of audit logs, see Quotas and limits.
Pricing
For pricing information, see Google Cloud Observability pricing.
What's next
- Learn how to configure and manage Google Workspace audit logs.
- Review best practices for Cloud Audit Logs.
- Learn how to view and understand Access Transparency logs for Google Workspace.