G Suite audit logging information

This page describes the audit logs provided by G Suite as a part of Cloud Audit Logs.

Overview

Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" You can share your G Suite audit logs with Google Cloud to store, search, analyze, monitor, and alert on your G Suite audit log data.

Cloud Audit Logs maintains three types of audit logs for Google Cloud resources:

  • Admin Activity audit logs: These logs record operations that modify the configuration or metadata of a resource.
  • Data Access audit logs: These logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs don't record the data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without logging into a G Suite, Cloud Identity, or Drive Enterprise account.
  • System Event audit logs: These logs contain log entries for Google Cloud administrative actions that modify the configuration of resources.

G Suite provides audit logs at the Google Cloud organization level as follows:

For a general overview of Cloud Audit Logs, go to Cloud Audit Logs. For a deeper understanding of Cloud Audit Logs, review Understanding audit logs.

Getting started: sharing G Suite data

To enable sharing of G Suite data with Cloud Audit Logs from your G Suite, Cloud Identity, or Drive Enterprise account, see the instructions in this G Suite Admin Help article.

If you enable sharing of G Suite data with Google Cloud, then you can't selectively disable G Suite audit logs using the Google Cloud Console IAM & Admin > Audit Logs page, though you can exclude these logs using logs exclusions.

If G Suite data sharing with Google Cloud is enabled, then G Suite audit logs are always enabled. Disabling G Suite data sharing stops new G Suite audit log events from being sent to Cloud Audit Logs, but any existing logs remain through their default retention periods, unless you have configured custom retention to retain your logs for a longer period.

Service-specific information

Details for each G Suite service's audit logs are as follows:

Audit log permissions

In Google Cloud, Identity and Access Management permissions and roles determine which audit logs you can view or export. G Suite audit logs reside in Google Cloud organizations.

To view Admin Activity audit logs, you must have one of the following IAM roles in the Google Cloud organization that contains your audit logs:

To view Data Access audit logs, you must have one of the following roles in the Google Cloud organization that contains your audit logs:

For more information, go to Understanding roles.

Audit log format

G Suite audit log entries, which can be viewed in Cloud Logging using the preview Logs Viewer, the Cloud Logging API, or the gcloud command-line tool, include the following objects:

  • The log entry itself, which is an object of type LogEntry. Useful fields include the following:

    • logName contains the project identification and audit log type
    • resource contains the target of the audited operation
    • timestamp contains the time of the audited operation
    • protoPayload contains the audited information
  • The audit logging data, which is an AuditLog object held in the protoPayload field of the log entry.

  • Optional service-specific audit information, which is a service-specific object held in the serviceData field of the AuditLog object. For details, go to Service-specific audit data.

For other fields in these objects, plus how to interpret them, review Understanding audit logs.
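
The following added example (not part of the original page or of Google's tooling) reads entries in the LogEntry/AuditLog layout described above and reduces each one to who, what, where, and when. The sample entries, organization ID, principals, and IP address are constructed placeholders, the function names are hypothetical, and the protoPayload field names (authenticationInfo.principalEmail, methodName, serviceName, resourceName, requestMetadata.callerIp) are taken from the AuditLog type rather than from this page.

```python
import json
from urllib.parse import unquote

# Constructed sample shaped like exported audit LogEntry JSON.
# Organization ID, principals and IP address are placeholders.
SAMPLE = json.loads("""
[
 {"logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "resource": {"type": "audited_resource"},
  "timestamp": "2020-06-01T10:15:00Z",
  "protoPayload": {"serviceName": "admin.googleapis.com",
                   "methodName": "google.admin.AdminService.createUser",
                   "resourceName": "organizations/123456789012",
                   "authenticationInfo": {"principalEmail": "admin@example.com"},
                   "requestMetadata": {"callerIp": "203.0.113.7"}}},
 {"logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "resource": {"type": "audited_resource"},
  "timestamp": "2020-06-01T10:20:00Z",
  "protoPayload": {"serviceName": "login.googleapis.com",
                   "methodName": "google.login.LoginService.loginSuccess",
                   "authenticationInfo": {"principalEmail": "user@example.com"}}}
]
""")

AUDIT_PREFIX = "cloudaudit.googleapis.com/"

def summarize(entry):
    """Return who/what/where/when for one audit LogEntry, or None for non-audit logs."""
    scope, _, log_id = entry.get("logName", "").partition("/logs/")
    log_id = unquote(log_id)  # log IDs are URL-encoded: %2F -> /
    if not log_id.startswith(AUDIT_PREFIX):
        return None
    payload = entry.get("protoPayload", {})
    return {
        "log_type": log_id[len(AUDIT_PREFIX):],  # "activity" or "data_access"
        "scope": scope,                          # organizations/ORGANIZATION_ID
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "what": payload.get("methodName"),
        "service": payload.get("serviceName"),
        "where": payload.get("resourceName") or entry.get("resource", {}).get("type"),
        "from_ip": payload.get("requestMetadata", {}).get("callerIp", "unknown"),
        "when": entry.get("timestamp"),
    }

def summarize_all(entries):
    """Summarize every audit entry, skipping entries from other logs."""
    return [s for s in map(summarize, entries) if s is not None]

if __name__ == "__main__":
    for row in summarize_all(SAMPLE):
        print(row)
```

Fields that an entry omits, such as the caller IP in the second sample entry, come back as "unknown" rather than raising, so incomplete entries can still be triaged.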

Viewing logs

To find and view audit logs in Logging, you need to know the identifier of the Google Cloud organization for which you want to view audit logging information. You can further specify other indexed LogEntry fields, like resource.type; for details, review Finding log entries quickly.

Here are the audit log names for G Suite audit logs:

   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access

You have several options for viewing your audit log entries.

CLOUD CONSOLE

To retrieve the audit log entries for your Google Cloud organization using the Logs Viewer (Preview) in the Google Cloud Console, do the following:

  1. Go to the Logging > Logs (Logs Viewer) page:

    Go to the Logs Viewer page

  2. Select an existing Google Cloud project at the top of the page.

  3. From the version-picker menu, switch the Logs Viewer version from Classic to Preview.

    You're now in Logs Viewer (Preview).

  4. From the Project selector menu, select an organization.

  5. From the Resource drop-down menu, select the resource type whose audit logs you wish to see.

  6. In the Log name drop-down menu, select data_access for Data Access audit logs or activity for Admin Activity audit logs.

    If you don't see these options, then these audit logs aren't currently available in the organization.

Go to the Logs Viewer (Preview) interface to learn more.

API

To look at your audit log entries using the Logging API, do the following:

  1. Go to the Try this API section in the documentation for the entries.list method.

  2. Put the following into the Request body part of the Try this API form. Clicking on this prepopulated form automatically fills the request body, but you need to supply a valid ORGANIZATION_ID in each of the log names.

          {
            "resourceNames": [
              "organizations/ORGANIZATION_ID"
            ],
            "pageSize": 5,
            "filter": "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"
          }
    
  3. Click Execute.

For more details about queries, see Logging query language.

GCLOUD

The gcloud command-line tool provides a command-line interface to the Cloud Logging API. To read your log entries, run the following command. Supply a valid ORGANIZATION_ID in each of the log names.

    gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"

See Reading log entries for more information about using the gcloud command-line tool.

Managing audit logs

To keep audit logs longer than the default retention periods, you can configure custom retention.

You can also export G Suite audit logs from Cloud Logging in the same way you export other kinds of logs. For details about how to export your logs, go to Exporting logs.

Here are some applications of exporting audit logs:

  • To use more powerful search capabilities, you can export copies of your audit logs to Cloud Storage, BigQuery, or Pub/Sub. Using Pub/Sub, you can export to other applications, other repositories, and to third parties.

  • To manage your audit logs across an entire organization, you can create aggregated sinks that can export logs from any or all projects in the organization.

Pricing

G Suite's organization-level logs are currently free.