Configure, view, and export Google Workspace audit logs

Overview

This page describes how to configure, view, and export Google Workspace and Cloud Identity audit logs to Google Cloud. By exporting Google Workspace and Cloud Identity audit logs to Google Cloud, you can diagnose and resolve common issues.

Google Workspace audit logs in Google Cloud

You can share audit logs from your Google Workspace, Cloud Identity, or Drive Enterprise account with your organization's Cloud Billing account. You can access the shared audit logs through Cloud Logging in Google Cloud.

You can access the following types of Google Workspace, Cloud Identity, and Drive Enterprise audit logs in Google Cloud:

  • Google Workspace Admin audit. Admin audit logs provide a record of actions performed in your Google Workspace Admin Console. For example, you can see when an administrator added a user or turned on a Google Workspace service. For more information about Google Workspace Admin audit logs, see the Admin Activity Report Event Names page.

  • Google Workspace Login audit. Login audit logs track user sign-ins to your domain. The login logs only record the login event. They do not record which system was used to perform the login action.

    Logins can occur from any of the following:

    • Google Workspace Admin Console

    • Google Cloud Console

    • Cloud Identity API

    • gcloud command-line tool

    • Google Accounts user interface

    For more information about Google Workspace Login audit logs, see the Login Audit Activity Events page.

  • Google Workspace Enterprise Groups audit. Enterprise Groups audit logs provide a record of actions performed on groups and group memberships. For example, you can see when an administrator added a user or when a group owner deleted their group.

    Group and group-membership actions can occur from any of the following:

    • Google Workspace Admin Console

    • Google Cloud Console

    • Admin SDK API

    • Cloud Identity API

    • Google Groups user interface

    For more information about Google Workspace Enterprise Groups audit logs, see the Enterprise Groups Audit Activity Events page.

Other types of Google Workspace audit logs are not shared with Google Cloud at this time.

Viewing Google Workspace audit logs in the Google Workspace Admin Console

You can view Google Workspace audit logs from the Google Workspace Admin Console. To learn how to view Google Workspace audit logs, see the following topics:

Configuring and viewing Google Workspace audit logs with Google Cloud

To view Google Workspace audit logs in Google Cloud, you must perform the following actions:

  1. Configure Google Workspace audit logs sharing with Google Cloud.

  2. Configure Google Cloud permissions to view Google Workspace audit logs.

Configuring Google Workspace audit logs sharing with Google Cloud

To enable sharing of Google Workspace data with Cloud Audit Logs from your Google Workspace, Cloud Identity, or Drive Enterprise account, follow the instructions in the Google Workspace Admin Help article Share data with Google Cloud services.

If you enable sharing of Google Workspace data with Google Cloud, then you can't selectively disable Google Workspace audit logs using the Google Cloud Console > IAM & Admin > Audit Logs page. This means that Google Cloud receives all Google Workspace audit logs. If you want to remove certain audit logs from Google Cloud, set up logs exclusions in Cloud Logging.

After you enable Google Workspace data sharing with Google Cloud, Google Workspace audit logs are always sent to Google Cloud. Disabling Google Workspace data sharing stops new Google Workspace audit logs from being sent to Google Cloud. However, any existing logs in Google Cloud remain through their default retention periods, unless you configure a custom retention period to store your logs longer.

Configuring Google Cloud permissions to view Google Workspace audit logs

Google Workspace audit logs reside in Google Cloud organizations. Therefore, Identity and Access Management (IAM) permissions and roles determine which audit logs a user can view or export.

Viewing Google Workspace audit logs in Google Cloud Console

You can view Google Workspace audit logs in Google Cloud in the following ways:

Exporting Google Workspace audit logs from Google Cloud

After Google Workspace audit logs are in Google Cloud, they can be exported to other Google Cloud storage destinations or to storage destinations outside of Google Cloud. For example, you can create a sink to export logs to Splunk or BigQuery. For a conceptual overview of how logs are exported from Cloud Logging, see Overview of logs exports.

Because Google Workspace audit logs are organization-level logs, you can export them via Aggregated Exports at the organizational level to these destinations:

Customizing logs data retention period in Cloud Logging

Cloud Logging stores logs in two buckets: a _Default bucket and a _Required bucket. The _Default bucket holds Google Cloud and user-generated logs. The _Required bucket holds Admin Activity audit logs, System Event audit logs, and Access Transparency logs. For more information on Cloud Logging buckets, see Storing logs.

Google Workspace Login audit logs. Google Workspace Login audit logs are stored in the _Default bucket. You can configure Cloud Logging to retain the logs in the _Default logs bucket for a period ranging from 1 day to 3650 days. To update the retention period for the _Default logs bucket, see the Custom retention section on the Storing Logs page.

Google Workspace Admin and Google Workspace Enterprise Groups audit logs. Google Workspace Admin and Google Workspace Enterprise Groups audit logs are stored in the _Required bucket. You can't change the retention period on the _Required bucket.
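The bucket split above decides which Workspace audit entries a retention change actually affects. The following added example (not part of the original page) groups constructed log entries by bucket and checks which Login entries survive a given _Default retention setting. The serviceName values, the sample entries, and the simplified age-based cutoff are assumptions of the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: protoPayload.serviceName values identifying each Workspace audit
# log type in Cloud Logging; confirm against entries in your own organization.
SERVICE_TO_BUCKET = {
    "login.googleapis.com": "_Default",            # Login audit
    "admin.googleapis.com": "_Required",           # Admin audit
    "cloudidentity.googleapis.com": "_Required",   # Enterprise Groups audit
}

# Constructed sample entries (one JSON LogEntry per line), not real log data.
SAMPLE = """\
{"timestamp": "2024-01-10T08:00:00Z", "protoPayload": {"serviceName": "login.googleapis.com"}}
{"timestamp": "2024-05-20T09:30:00Z", "protoPayload": {"serviceName": "login.googleapis.com"}}
{"timestamp": "2024-01-10T08:05:00Z", "protoPayload": {"serviceName": "admin.googleapis.com"}}
{"timestamp": "2024-03-02T12:00:00Z", "protoPayload": {"serviceName": "cloudidentity.googleapis.com"}}
{"timestamp": "2024-05-01T00:00:00Z", "protoPayload": {"serviceName": "compute.googleapis.com"}}
"""

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-01-10T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def retention_report(lines, default_retention_days, as_of):
    """Group entry timestamps by what the retention settings mean for them."""
    if not 1 <= default_retention_days <= 3650:
        raise ValueError("_Default retention must be between 1 and 3650 days")
    cutoff = as_of - timedelta(days=default_retention_days)
    report = {"retained": [], "expired": [], "fixed_retention": [], "other": []}
    for line in lines.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        service = entry.get("protoPayload", {}).get("serviceName")
        bucket = SERVICE_TO_BUCKET.get(service)
        ts = entry["timestamp"]
        if bucket is None:
            report["other"].append(ts)            # not a Workspace audit entry
        elif bucket == "_Required":
            report["fixed_retention"].append(ts)  # retention cannot be changed
        elif parse_ts(ts) >= cutoff:
            report["retained"].append(ts)         # Login entry inside the window
        else:
            report["expired"].append(ts)          # Login entry aged out of _Default
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(retention_report(SAMPLE, 30, now))
```

Raising the retention value moves Login entries from "expired" to "retained" but never changes the "fixed_retention" group, which is why long-term copies of Admin and Enterprise Groups logs require an export sink rather than a retention setting.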