View and manage audit logs for Google Workspace

This document describes how to configure, view, and route audit logs for Google Workspace to Google Cloud. By routing audit logs to Google Cloud, you can diagnose and resolve common issues related to data security and compliance.

For a conceptual discussion of Google Workspace audit logs, see Audit logs for Google Workspace.

Overview

You can share audit logs with your Google Cloud organization using your Google Workspace, Cloud Identity, or Google Drive Enterprise account. You can access the shared audit logs through Cloud Logging in Google Cloud.

You can access the following services' Google Workspace, Cloud Identity, and Google Drive Enterprise audit logs in Google Cloud:

  • Admin Audit logs
  • Enterprise Groups Audit logs
  • Login Audit logs
  • OAuth Token Audit logs
  • SAML Audit logs

For more information about these services' audit logs, see Service-specific information.

Before you begin

To view audit logs for Google Workspace in Google Cloud, ensure you have the correct permissions to view audit logs for Google Workspace.

IAM permissions and roles determine your ability to access audit logs data in the Logging API, the Logs Explorer, and the Google Cloud CLI.

For detailed information about the organization-level IAM permissions and roles you might need, see Cloud Logging Access control with IAM.

View audit logs in the Google Admin console

You can view audit logs for Google Workspace directly in the Google Admin console. To learn how to view these audit logs, see the following topics:

Share audit logs with Google Cloud

To enable sharing Google Workspace data with Google Cloud from your Google Workspace, Cloud Identity, or Google Drive Enterprise account, follow the instructions in Share data with Google Cloud services.

After you enable sharing Google Workspace data with Google Cloud, Google Cloud receives all audit logs for Google Workspace. To exclude certain audit logs from Google Cloud, set up sinks with exclusion filters. You can't use the IAM page in the Google Cloud console to selectively disable sharing the data.

View audit logs for Google Workspace in Google Cloud

To view audit logs for Google Workspace in Logging, you use the Logging query language to select data. At a minimum, you need to know the identifier of your Google Cloud organization. You can further specify other indexed LogEntry fields, like resource.type, and filter by event types.

Here are the audit log names that apply to Google Workspace:

In the preceding log names, ORGANIZATION_ID refers to the Google Cloud organization for which you want to view audit logs.

You have several options for viewing your audit log entries:

Console

To get the audit log entries for your Google Cloud organization using the Logs Explorer in the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Logs Explorer page:

    Go to Logs Explorer

    If you use the search bar to find this page, then select the result whose subheading is Logging.

  2. From the Project selector menu, select an organization.

  3. From the Resource drop-down menu, select the resource type whose audit logs you want to see.

  4. In the Log name drop-down menu, select data_access for Data Access audit logs or activity for Admin Activity audit logs.

    If you don't see these options, then these audit logs aren't currently available in the organization.

  5. Optional: You can build a filter in the Query Builder pane to further specify the logs you want to see. To learn more about querying logs, see Build queries.

API

To read your audit log entries using the Logging API, do the following:

  1. Go to the Try this API section in the documentation for the entries.list method.

  2. Put the following into the Request body part of the Try this API form. Clicking on this prepopulated form automatically fills the request body, but you need to supply a valid ORGANIZATION_ID in each of the log names.

          {
            "resourceNames": [
              "organizations/ORGANIZATION_ID"
            ],
            "pageSize": 5,
            "filter": "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"
          }
  3. Click Execute.

For more details about using the Logging API to read logs, see Logging query language.

gcloud

The Google Cloud CLI provides a command-line interface to the Cloud Logging API. To read your audit log entries, run the following command:

    gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"

Replace ORGANIZATION_ID in each of the log names with the ID of the Google Cloud organization for which you want to read audit logs.

For more information about this command, see the gcloud logging read reference.

Each Google Workspace service that provides audit logs captures events specific to the service. If you want to read logs for a particular audited event, such as a successful login or revoked access, add the following to your filter and supply a valid EVENT_NAME:

protoPayload.metadata.event.eventName="EVENT_NAME"
resource.type="audited_resource"

For a list of valid event names and their parameters, see the Reports API documentation and select from the listed services.

For example, if you want to read logs for each time the Login service reports that an account password was changed, your filter would look like this:

protoPayload.metadata.event.eventName="password_edit"
resource.type="audited_resource"

Route audit logs from Google Cloud

After audit logs for Google Workspace are in Google Cloud, you can route the logs to supported destinations. For example, you can create a sink to route logs to Splunk or BigQuery. For a conceptual overview of how logs are routed from Cloud Logging, see Routing and storage overview.

Because audit logs for Google Workspace are organization-level logs, you route them using aggregated sinks at the organizational level to these destinations:

For instructions about configuring sinks to route logs, see Collate and route organization-level logs to supported destinations.

Customize data retention period

Cloud Logging retention periods apply to the audit logs that you store in log buckets.

To keep audit logs longer than the default retention periods, you can configure custom retention.

What's next