Google Workspace audit logging information

This page describes the audit logs provided by Google Workspace as a part of Cloud Audit Logs.

Overview

Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?". You can share your Google Workspace audit logs with Google Cloud to store, search, analyze, monitor, and alert on your Google Workspace audit log data.

Cloud Audit Logs maintains three types of audit logs for Google Cloud resources:

  • Admin Activity audit logs: These logs record operations that modify the configuration or metadata of a resource.
  • Data Access audit logs: These logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs don't record data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without signing in to a Google Workspace, Cloud Identity, or Drive Enterprise account.
  • System Event audit logs: These logs contain log entries for Google Cloud actions that modify the configuration of resources. They are generated by Google systems rather than by direct user action.

Google Workspace provides audit logs at the Google Cloud organization level as follows:

For a general overview of Cloud Audit Logs, go to Cloud Audit Logs. For a deeper understanding of Cloud Audit Logs, review Understanding audit logs.

Getting started: sharing Google Workspace data

To enable sharing of Google Workspace data with Cloud Audit Logs from your Google Workspace, Cloud Identity, or Drive Enterprise account, see the instructions in this Google Workspace Admin Help article.

If you enable sharing of Google Workspace data with Google Cloud, then you can't selectively disable Google Workspace audit logs using the Google Cloud Console IAM & Admin > Audit Logs page, though you can exclude these logs using logs exclusions. Excluded entries are discarded at ingestion and can't be recovered later, so write exclusion filters narrowly.

If Google Workspace data sharing with Google Cloud is enabled, then Google Workspace audit logs are always enabled. Disabling Google Workspace data sharing stops new Google Workspace audit log events from being sent to Cloud Audit Logs, but any existing logs remain through their default retention periods, unless you have configured custom retention to retain your logs for a longer period.

Service-specific information

Details for each Google Workspace service's audit logs are as follows:

Audit log permissions

In Google Cloud, Identity and Access Management permissions and roles determine which audit logs you can view or export. Google Workspace audit logs reside in Google Cloud organizations.

To view Admin Activity audit logs, you must have one of the following IAM roles in the Google Cloud organization that contains your audit logs:

To view Data Access audit logs, you must have one of the following roles in the Google Cloud organization that contains your audit logs:

For more information, go to Understanding roles.

Audit log format

Google Workspace audit log entries, which can be viewed in Cloud Logging using the Logs Explorer, the Cloud Logging API, or the gcloud command-line tool, include the following objects:

  • The log entry itself, which is an object of type LogEntry. Useful fields include the following:

    • logName contains the organization ID and the audit log type; the slash in the log ID is URL-encoded, so the name ends in cloudaudit.googleapis.com%2Factivity or cloudaudit.googleapis.com%2Fdata_access
    • resource contains the target of the audited operation
    • timestamp contains the time of the audited operation
    • protoPayload contains the audited information
  • The audit logging data, which is an AuditLog object held in the protoPayload field of the log entry.

  • Optional service-specific audit information, which is a service-specific object held in the serviceData field of the AuditLog object. For details, go to Service-specific audit data.

For other fields in these objects, plus how to interpret them, review Understanding audit logs.
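The following is an added example, not code from the Google documentation. It reduces Google Workspace audit log entries of the shape described above to "who did what, where, and when" and runs a small detection over them: Admin Activity entries whose caller IP is outside a trusted range, and any request that ended in a non-OK status. The three entries are constructed; the service name admin.googleapis.com and the method names in them are illustrative assumptions, not a claim about what a given Workspace service emits.

```python
# Added example (not from the Google documentation). Sample entries below are
# constructed; service and method names in them are illustrative assumptions.
import ipaddress
from datetime import datetime, timezone
from urllib.parse import unquote

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
ORG = "123456789012"  # constructed organization ID


def _entry(log_type, ts, method, principal, caller_ip, status=None):
    """Build a minimal LogEntry whose protoPayload is an AuditLog."""
    payload = {
        "@type": AUDIT_LOG_TYPE,
        "serviceName": "admin.googleapis.com",  # illustrative assumption
        "methodName": method,                   # illustrative assumption
        "resourceName": f"organizations/{ORG}",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
    }
    if status is not None:
        payload["status"] = status
    return {"logName": f"organizations/{ORG}/logs/cloudaudit.googleapis.com%2F{log_type}",
            "timestamp": ts, "protoPayload": payload}


SAMPLE_ENTRIES = [  # constructed
    # Admin Activity entry from a caller outside the corporate network.
    _entry("activity", "2024-05-01T10:15:30.123456Z", "google.admin.AdminService.changePassword",
           "admin@example.com", "203.0.113.7"),
    # Data Access entry that was denied (status.code 7 = PERMISSION_DENIED).
    _entry("data_access", "2024-05-01T10:16:02Z", "google.admin.AdminService.getUser",
           "user@example.com", "198.51.100.23", {"code": 7, "message": "PERMISSION_DENIED"}),
    # Admin Activity entry from inside the trusted range; nothing to flag.
    _entry("activity", "2024-05-01T10:20:00Z", "google.admin.AdminService.createUser",
           "admin@example.com", "10.0.0.5"),
]


def parse_timestamp(value):
    """Cloud Logging writes RFC 3339 timestamps; fromisoformat() wants +00:00, not Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def log_type(entry):
    """Return 'activity' or 'data_access' from the logName.

    The slash in the log ID is URL-encoded as %2F inside the entry, so decode
    before splitting; matching on the raw string would miss it.
    """
    name = unquote(entry["logName"])
    prefix = "/logs/cloudaudit.googleapis.com/"
    if prefix not in name:
        raise ValueError(f"not a Cloud Audit Logs log name: {entry['logName']}")
    return name.split(prefix, 1)[1]


def summarize(entry):
    """Reduce a LogEntry to the fields an analyst asks about first."""
    payload = entry["protoPayload"]
    if payload.get("@type") != AUDIT_LOG_TYPE:
        raise ValueError("protoPayload is not an AuditLog")
    return {
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "what": payload.get("methodName", "<unknown>"),
        "service": payload.get("serviceName"),
        "where": payload.get("resourceName"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "when": parse_timestamp(entry["timestamp"]),
        "log_type": log_type(entry),
        # A missing status block means the call succeeded (code 0 = OK).
        "status_code": payload.get("status", {}).get("code", 0),
    }


def from_trusted_network(ip, networks):
    """False for a missing or non-address caller IP, so such entries are treated
    as untrusted rather than silently passing."""
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError):
        return False
    return any(addr in net for net in networks)


def find_suspicious(entries, trusted_cidrs):
    """Flag admin changes from outside trusted CIDRs and any denied request.
    Returns (reason, summary) pairs in entry order."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for entry in entries:
        s = summarize(entry)
        if s["log_type"] == "activity" and not from_trusted_network(s["caller_ip"], networks):
            findings.append(("admin activity from untrusted network", s))
        if s["status_code"] != 0:
            findings.append((f"request failed (status code {s['status_code']})", s))
    return findings


if __name__ == "__main__":
    for reason, s in find_suspicious(SAMPLE_ENTRIES, ["10.0.0.0/8", "198.51.100.0/24"]):
        print(f"{s['when'].isoformat()} {s['who']} {s['what']} from {s['caller_ip']}: {reason}")
```

The same functions work on entries exported to Cloud Storage or BigQuery, since those keep the LogEntry shape. The one field to treat with care is callerIp: it can be absent or hold a placeholder string instead of an address, which is why the example treats anything it can't parse as untrusted.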

Viewing logs

To find and view audit logs in Logging, you need to know the identifier of the Google Cloud organization for which you want to view audit logging information. You can further specify other indexed LogEntry fields, like resource.type; for details, review Finding log entries quickly.

Here are the audit log names for Google Workspace audit logs (the slash in the log ID is URL-encoded as %2F, and you write it that way in queries):

   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access

You have several options for viewing your audit log entries.

CLOUD CONSOLE

To retrieve the audit log entries for your Google Cloud organization using the Logs Explorer in the Google Cloud Console, do the following.

  1. Go to the Logging > Logs Explorer:

    Go to the Logs Explorer page

  2. From the project selector at the top of the page, select the Google Cloud organization that contains your Google Workspace audit logs. If you select a project instead, you see only that project's logs, not the organization-level Google Workspace logs.

  3. Verify you are using the Logs Explorer and not the Legacy Logs Viewer.

  4. From the Resource drop-down menu, select the resource type whose audit logs you wish to see.

  5. In the Log name drop-down menu, select data_access for Data Access audit logs or activity for Admin Activity audit logs.

    If you don't see these options, then these audit logs aren't currently available in the organization.

Go to Using the Logs Explorer to learn more.

API

To look at your audit log entries using the Logging API, do the following:

  1. Go to the Try this API section in the documentation for the entries.list method.

  2. Put the following into the Request body part of the Try this API form. Clicking the example prepopulates the form, but you still need to replace ORGANIZATION_ID with a valid organization ID in both the resourceNames entry and the filter.

          {
            "resourceNames": [
              "organizations/ORGANIZATION_ID"
            ],
            "pageSize": 5,
            "filter": "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com"
          }
    
  3. Click Execute.

For more details about queries, see Logging query language.

GCLOUD

The gcloud command-line tool provides a command-line interface to the Cloud Logging API. To read your log entries, run the following command. Supply a valid ORGANIZATION_ID both in the log name and in the --organization flag; without the flag, gcloud reads from your current project and returns none of the organization-level Google Workspace entries.

    gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com" --organization=ORGANIZATION_ID

See Reading log entries for more information about using gcloud command-line tool.
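The following is an added example, not code from the Google documentation, covering both the API and gcloud procedures above. It builds an entries.list request body scoped to the organization, the equivalent gcloud invocation, and a filter that names the two Workspace audit log streams exactly (using = on logName rather than the substring : operator) and bounds the query by timestamp; it then pages through results by following nextPageToken. fake_api is a stand-in for the Logging API so the example runs offline; the organization ID, the cutoff time and the returned entries are constructed.

```python
# Added example (not from the Google documentation). fake_api stands in for
# the Logging API; the organization ID, EXAMPLE_SINCE and the pages it returns
# are constructed.
from datetime import datetime, timedelta, timezone

AUDIT_LOG_TYPES = ("activity", "data_access")
EXAMPLE_ORG = "123456789012"                                # constructed
EXAMPLE_SINCE = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed


def workspace_log_names(org_id, log_types=AUDIT_LOG_TYPES):
    """Log names exactly as Cloud Logging stores them: the '/' in the log ID
    is URL-encoded as %2F."""
    return [f"organizations/{org_id}/logs/cloudaudit.googleapis.com%2F{t}" for t in log_types]


def build_filter(org_id, since, log_types=AUDIT_LOG_TYPES, principal=None):
    """Logging query language filter scoped to the Workspace audit streams.

    '=' on logName matches only the named streams; the ':' operator used in
    the documentation's example is a substring match and also matches any
    other log name under that prefix. The timestamp bound keeps the query
    from scanning the whole retention window.
    """
    names = " OR ".join(f'logName="{n}"' for n in workspace_log_names(org_id, log_types))
    since_utc = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    clauses = [f"({names})", f'timestamp>="{since_utc}"']
    if principal:
        clauses.append(f'protoPayload.authenticationInfo.principalEmail="{principal}"')
    return " AND ".join(clauses)


def build_request(org_id, since, page_size=100, **filter_kwargs):
    """Request body for entries.list. resourceNames scopes the read to the
    organization; a project-scoped read never returns these logs."""
    return {
        "resourceNames": [f"organizations/{org_id}"],
        "filter": build_filter(org_id, since, **filter_kwargs),
        "orderBy": "timestamp desc",
        "pageSize": page_size,
    }


def gcloud_command(org_id, since, **filter_kwargs):
    """argv for the same read via gcloud; --organization is what scopes it."""
    return ["gcloud", "logging", "read", build_filter(org_id, since, **filter_kwargs),
            f"--organization={org_id}", "--format=json"]


def list_all_entries(call_api, request):
    """Follow nextPageToken until the API stops returning one."""
    entries, body = [], dict(request)
    while True:
        response = call_api(body)
        entries.extend(response.get("entries", []))
        token = response.get("nextPageToken")
        if not token:
            return entries
        body = dict(request, pageToken=token)


# Offline stand-in for the Logging API: two pages of constructed entries.
_FAKE_PAGES = {
    None: {"entries": [{"insertId": "a1"}, {"insertId": "a2"}], "nextPageToken": "p2"},
    "p2": {"entries": [{"insertId": "a3"}]},
}


def fake_api(body):
    """Serve the constructed pages; rejects a request not scoped to the org."""
    if body["resourceNames"] != [f"organizations/{EXAMPLE_ORG}"]:
        raise ValueError("request is not scoped to the organization")
    return _FAKE_PAGES[body.get("pageToken")]


if __name__ == "__main__":
    since = datetime.now(timezone.utc) - timedelta(days=1)
    print(" ".join(gcloud_command(EXAMPLE_ORG, since, principal="admin@example.com")))
    print(len(list_all_entries(fake_api, build_request(EXAMPLE_ORG, EXAMPLE_SINCE))), "entries")
```

To run against the real API, replace fake_api with a function that POSTs the body to the entries.list endpoint with an OAuth token held by a principal that has the roles described under Audit log permissions; the paging loop and filter construction stay the same.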

Managing audit logs

To keep audit logs longer than the default retention periods, you can configure custom retention.

You can also export Google Workspace audit logs from Cloud Logging in the same way you export other kinds of logs. For details about how to export your logs, go to Exporting logs.

Here are some applications of exporting audit logs:

  • To use more powerful search capabilities, you can export copies of your audit logs to Cloud Storage, BigQuery, or Pub/Sub. Using Pub/Sub, you can export to other applications, other repositories, and to third parties.

  • To manage your audit logs across an entire organization, you can create aggregated sinks that can export logs from any or all projects in the organization.

Pricing

Google Workspace's organization-level logs are currently free.