Troubleshooting and common questions

If you encounter problems when configuring Google Workspace audit logs with Google Cloud, refer to the troubleshooting tips below.

I don't see Google Workspace audit logs in Cloud Logging

When I go to the Logs Explorer, I don't see any audit logs.

Try the following steps:

  • Confirm the sharing and permissions are configured correctly and you're using the Logs Explorer.

  • Verify Google Cloud sharing is enabled.

  • Verify the user has permission to view the logs in Google Cloud. Set the IAM role Logging Private Logs Viewer at the organization level.

  • Make sure you are searching for logs at the organization level, and not at the project level. This requires using the Logs Explorer, gcloud tool, or the Cloud Logging API. For more information, see the Google Workspace audit logging information page.

I've verified sharing and permissions are correct, but I still can't see any Google Workspace audit logs in the Logs Explorer.

Try the following steps:

  • Confirm that these log entries exist in the Google Workspace Admin Console.

  • Verify that you are using the Logs Explorer instead of the Legacy Logs Viewer.

  • Search for logs at the organization level, not at the project level.

  • Use the Resource drop-down menu in the Logs Explorer to select Audited Resource. The Google Workspace audit logs field resource.type is equal to audited_resource.


  • Expand the time range of the query.

If these steps do not resolve the problem, open a support request with Google Cloud Support.

I can see Google Workspace audit logs in the Logs Explorer, but the gcloud tool commands are not returning them.

Try the following steps:

  • Verify that the correct logName is used. Supply a valid ORGANIZATION_ID in each of the log names. Here are the audit log names for Google Workspace audit logs:
    organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
    organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
  • Verify there are no errors in your ORGANIZATION_ID or logName.

If these steps do not resolve the problem, open a support request with Google Cloud Support.
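The following added example (not part of the original page) builds the organization-level filter for one Workspace audit source, rejecting a malformed ORGANIZATION_ID and choosing the log that source writes to as described under "Common questions" on this page. The function names and the source keywords `admin`, `groups` and `login` are hypothetical, and the organization ID in the usage comment is constructed.

```shell
# Map a Workspace audit source to the Cloud Audit Logs stream it writes to
# (per this page: Login Audit -> Data Access; Admin and Groups -> Admin Activity).
workspace_log_kind() {
  case "$1" in
    admin|groups) echo "activity" ;;
    login)        echo "data_access" ;;
    *) return 1 ;;
  esac
}

# Map the same source keyword to the serviceName value listed on this page.
workspace_service_name() {
  case "$1" in
    admin)  echo "admin.googleapis.com" ;;
    groups) echo "cloudidentity.googleapis.com" ;;
    login)  echo "login.googleapis.com" ;;
    *) return 1 ;;
  esac
}

# Print the Logging filter for one source; fail on a malformed organization ID.
workspace_audit_filter() {
  local org_id="$1" source="$2" kind service
  case "$org_id" in
    ''|*[!0-9]*) echo "ORGANIZATION_ID must be numeric: '$org_id'" >&2; return 2 ;;
  esac
  kind="$(workspace_log_kind "$source")" || { echo "unknown source: $source" >&2; return 2; }
  service="$(workspace_service_name "$source")"
  # The slash in the log ID must stay URL-encoded as %2F inside logName.
  printf 'logName="organizations/%s/logs/cloudaudit.googleapis.com%%2F%s" AND resource.type="audited_resource" AND protoPayload.serviceName="%s"' \
    "$org_id" "$kind" "$service"
}

# Query at the organization level; a project-scoped read does not return these entries.
# --freshness widens the default look-back window of gcloud logging read.
read_workspace_audit_logs() {
  local org_id="$1" source="$2" filter
  filter="$(workspace_audit_filter "$org_id" "$source")" || return $?
  gcloud logging read "$filter" --organization="$org_id" \
    --freshness=7d --limit=20 --format=json
}

# Usage (constructed organization ID): read_workspace_audit_logs 123456789012 login
```

An empty result for `login` against the `activity` log is expected, because Login Audit writes Data Access entries only.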

I can see Google Workspace audit logs, but the data is delayed, missing, or incorrect

Reasons for delayed, missing, or incorrect log data include the following:

  • Log-entry delays. Google Cloud analyzes and indexes the login logs before emitting them. This can take between 24 and 48 hours, although it's usually less than four hours. This support page documents the lag time. The latency allows Google Cloud to analyze the logs for some event types, such as suspicious login and attack warning logs.

  • Missing log entry. If an event is missing in both the Google Workspace Admin Console and the Logs Explorer, open a support request with Google Workspace Support.

    If an event is present in the Google Workspace Admin Console but is missing in the Logs Explorer, open a support request with Google Cloud Support.

  • A user changed their Google account password from the Google Accounts user interface, but Google Cloud does not show this event. Because the change occurred in the Google Accounts UI, this action is recorded in the User Accounts audit activity type of Google Workspace logs, which is not imported into Google Cloud.

The log entry exists, but a field is missing or incorrect

For issues with missing or incorrect fields, open a support request.

The following are examples of missing fields:

I can't create logs-based metrics for Google Workspace logs

Google Workspace logs are organization-level logs. Logs-based metrics for organization logs are not currently supported.

I can't create a sink for Google Workspace logs

Organization sinks can be created using either the Cloud Logging API or the gcloud command-line tool, but not with the Logs Explorer.

Common questions

Does this feature work for Cloud Identity customers?

Yes, this feature works for Cloud Identity, Cloud Identity Premium, and all Google Workspace customers. It's not limited to Google Workspace Enterprise SKUs.

To enable sharing of audit logs from your Google Workspace, Cloud Identity, or Drive Enterprise account to Google Cloud, go to your Google Workspace Admin Console and follow the instructions in the Google Workspace Admin help article titled Share data with Google Cloud services.

Can I choose a region where my Google Workspace logs are stored?

No, currently Google Workspace logs are not covered by the Google Workspace Data Region Policy.

What resource.type do I use?

Google Workspace audit logs have resource.type=audited_resource.

Are the Google Workspace logs Admin Activity or Data Access?

Admin Activity and Data Access are Cloud Audit Logs terms and are described in the Cloud Audit Logs page. The latest information for the Google Workspace audit logs is in the Google Workspace logging information page.

  • Google Workspace Enterprise Groups Audit writes Admin Activity audit logs only.

  • Google Workspace Admin Audit writes Admin Activity audit logs only.

  • Google Workspace Login Audit writes Data Access audit logs only.

Are these logs generated from administrator actions on Google Workspace, or for all users in the Google Workspace organization?

The Admin audit logs correspond to events from the Google Workspace Admin Console. They record actions taken by administrators, who are the only users with access to the console.

The actions recorded in the Enterprise Groups audit logs can be performed by administrators or by group owners. Groups actions come from the Google Workspace Admin Console, the Google Cloud Console, the Admin SDK API, the Cloud Identity API, and the Google Groups user interface. For example, you can see when an administrator added a user or when a group owner deleted the group.

The Login audit logs correspond to any login events in your domain.

What do the different Google Workspace logs mean?

Google Workspace Admin audit. You can use the Admin audit logs to see a record of actions performed in your Google Workspace Admin Console. For example, you can see when an administrator added a user or turned on a Google Workspace service. In Google Cloud, the serviceName field is equal to admin.googleapis.com.

For more information about Google Workspace Admin audit logs, see the Admin Activity Report Event Names page.

Google Workspace Login audit. You can use the Login audit log to track logins or attempted logins to your domain. These logins can originate from the Google Workspace Admin Console, the Cloud Console, the Cloud Identity API, the gcloud command-line tool, or the Google Accounts user interface. The login logs only record the login event and do not record which system was used to perform the login action. In Google Cloud, the serviceName field is equal to login.googleapis.com.

For more information about Google Workspace Login audit logs, see the Login Audit Activity Events page.

Google Workspace Enterprise Groups audit. You can use the Enterprise Groups audit log to see a record of actions performed on groups and group memberships. These actions can originate from the Google Workspace Admin Console, the Cloud Console, the Admin SDK API, the Cloud Identity API, and the Google Groups user interface. For example, you can see when an administrator added a user or when a group owner deleted their group. In Google Cloud, the serviceName field is equal to cloudidentity.googleapis.com.

For more information about Google Workspace Enterprise Groups audit logs, see the Enterprise Groups Audit Activity Events page.

What are the types of events recorded by the Google Workspace audit logs?

See the list of audited operations. For more details, see the Google Workspace API docs for Admin audit logs, Login audit logs, and Enterprise Groups audit logs.

Will other types of Google Workspace audit logs be imported into Google Cloud?

Not at this time.

What is the default retention period of Google Workspace logs in Google Workspace and in Google Cloud?

Contacting Support

You can contact the proper support team if the troubleshooting steps do not resolve your issue.

Contacting Google Workspace support

For questions about logs in the Google Workspace Admin Console, please contact Google Workspace support.

Contacting Google Cloud Support

For questions about Logging, such as viewing, exporting, or creating sinks and metrics, please contact Google Cloud support: