Table of contents
1. Introduction
2. Google Workspace services forwarding audit logs to Google Cloud
3. View and manage audit logs for Google Workspace
3.1. View audit logs in the Google Workspace Admin Console
3.2. Share audit logs with Google Cloud
3.3. View audit logs for Google Workspace in Google Cloud
3.4. Route audit logs from Google Cloud
4. Samples for Google Workspace Login Audit
4.1. Available Login Audit logs
5. Troubleshooting and common questions
5.1. I can see audit logs for Google Workspace in Logs Explorer, but the Google Cloud CLI commands are not returning them.
5.2. I can see audit logs for Google Workspace, but logs are delayed.
5.3. I can see log entries, but a field is missing or incorrect.
6. Frequently Asked Questions
6.1. What exactly is a bucket of Google Cloud Storage?
6.2. What is Google Cloud Platform?
6.3. What are audit logs used for?
7. Conclusion
Last Updated: Mar 27, 2024

Google Workspace Audit Logs

Introduction

Google Cloud services write audit logs to answer questions such as "Who did what, where, and when?" You can also share your Google Workspace audit logs with Google Cloud to monitor, store, analyze, and alert on your Google Workspace data.

Audit logs for Google Workspace are available for Cloud Identity Premium, Cloud Identity, and all Google Workspace customers.

If you have enabled Google Workspace data sharing with Google Cloud, then audit logs are always enabled for Google Workspace.

Disabling Google Workspace data sharing stops new Google Workspace audit log events from being sent to Google Cloud. Any existing logs remain through their default retention periods, unless you have configured custom retention to keep your logs for a longer period.

If you don't enable Google Workspace data sharing with Google Cloud, you can't see audit logs for Google Workspace in Google Cloud.

Google Workspace services forwarding audit logs to Google Cloud

Google Workspace provides the following audit logs at the Google Cloud organization level:

  • Google Workspace Admin Audit: Admin Audit logs give a record of actions performed in your Google Workspace Admin Console. For example, you can see when an administrator turned on a Google Workspace service or added a user. Admin Audit writes Admin Activity audit logs only.
  • Google Workspace Enterprise Groups Audit: Enterprise Groups Audit logs provide a record of actions performed on groups and group memberships. For example, you can see when an administrator added a user or a group owner deleted their group.
  • Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They do not record which system was used to perform the login action.
  • Google Workspace OAuth Token Audit: OAuth Token Audit logs track which users are using which third-party mobile or web applications in your domain. For example, if a user opens a Google Workspace Marketplace app, the log records the app's name and the person using it. The log also records when a third-party application is authorized to access Google Account data, such as Google Calendar, Contacts, and Drive files (Google Workspace only).
  • Google Workspace SAML Audit: SAML Audit logs track users' successful and unsuccessful sign-in attempts to SAML applications. Entries usually appear within an hour of the user action.

View and manage audit logs for Google Workspace

This section describes configuring, viewing, and routing audit logs for Google Workspace to Google Cloud. You can analyze and solve common data security and compliance issues by routing audit logs to Google Cloud.

View audit logs in the Google Workspace Admin Console

You can view audit logs for Google Workspace directly in the Google Workspace Admin Console.

Share audit logs with Google Cloud

First, enable sharing of Google Workspace data with Google Cloud from your Cloud Identity, Google Workspace, or Drive Enterprise account.

After you enable sharing of Google Workspace data with Google Cloud, Google Cloud receives all audit logs for Google Workspace. You can then set up sinks with exclusion filters to exclude certain audit logs from Google Cloud. You cannot use the IAM page in the Google Cloud console to selectively disable data sharing.

View audit logs for Google Workspace in Google Cloud

To view audit logs for Google Workspace in Logging, use the Logging query language to select data. At a minimum, you need to know the identifier of your Google Cloud organization. You can specify other indexed LogEntry fields, like resource.type, and filter by event types.

Route audit logs from Google Cloud

After audit logs for Google Workspace are in Google Cloud, you can route the logs to supported destinations. For example, you can create a sink to route logs to Splunk or BigQuery. See Routing and storage overview for a conceptual overview of how logs are routed from Cloud Logging.

Because audit logs for Google Workspace are organization-level logs, you route them using aggregated sinks at the organization level to these destinations:

  • Cloud Storage buckets
  • Pub/Sub topics
  • BigQuery tables
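
As an added example (not part of the original article), this script assembles the `gcloud logging sinks create` command for an organization-level aggregated sink that routes the two audit log names, together with the role the sink's writer identity needs on the destination. The organization ID, sink name, project, and dataset are constructed placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. All IDs and names are placeholders.

# sink_plan KIND ARG1 [ARG2]: prints "<destination URI> <role for the sink writer>".
sink_plan() {
  case "$1" in
    bigquery) [ -n "$2" ] && [ -n "$3" ] || return 1
      echo "bigquery.googleapis.com/projects/$2/datasets/$3 roles/bigquery.dataEditor" ;;
    pubsub) [ -n "$2" ] && [ -n "$3" ] || return 1
      echo "pubsub.googleapis.com/projects/$2/topics/$3 roles/pubsub.publisher" ;;
    storage) [ -n "$2" ] || return 1
      echo "storage.googleapis.com/$2 roles/storage.objectCreator" ;;
    *) return 1 ;;
  esac
}

# workspace_sink_cmd ORG_ID SINK_NAME KIND ARG1 [ARG2]: prints the command to run.
workspace_sink_cmd() {
  org=$1; sink=$2; shift 2
  case "$org" in
    ''|*[!0-9]*) echo "organization ID must be numeric" >&2; return 1 ;;
  esac
  plan=$(sink_plan "$@") || { echo "unsupported or incomplete destination: $*" >&2; return 1; }
  dest=${plan% *}; role=${plan#* }
  base="organizations/$org/logs/cloudaudit.googleapis.com"
  # Match only the two organization-level audit log names.
  filter="logName=(\"${base}%2Factivity\" OR \"${base}%2Fdata_access\")"
  printf 'gcloud logging sinks create %s %s --organization=%s --include-children \\\n' \
    "$sink" "$dest" "$org"
  printf "  --log-filter='%s'\n" "$filter"
  # Without this grant the sink exists but nothing is delivered.
  printf '# then grant %s on the destination to the sink writer identity\n' "$role"
}

workspace_sink_cmd 123456789012 workspace-audit-bq bigquery my-project workspace_audit
```

The script only prints the command; review it, run it with credentials that can create sinks on the organization, and then apply the printed role to the writer identity the new sink reports.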

Samples for Google Workspace Login Audit

This section provides samples of audit logs sent to Google Cloud by Google Workspace Login Audit.

Available Login Audit logs

The following table lists the audit logs produced by Login Audit and their corresponding AuditLog.method_name:

Login Audit logs

Troubleshooting and common questions

See the following information if you encounter issues with your audit logs for Google Workspace.

I can see audit logs for Google Workspace in Logs Explorer, but the Google Cloud CLI commands are not returning them.

You can try the following steps:

  • Check that the correct logName is used. Supply a valid ORGANIZATION_ID in every log name. Here are the audit log names for Google Workspace:
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
  • Check there are no errors in your logName or ORGANIZATION_ID.
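
The checks above and the query described under "View audit logs for Google Workspace in Google Cloud" can be scripted. This added example (not part of the original article) validates a logName against the two names listed above and prints the matching `gcloud logging read` command; the organization ID is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article; the organization ID is a constructed sample.

# check_log_name NAME: prints "ok" or a diagnosis; exit status 0 only when NAME is valid.
check_log_name() {
  name=$1
  case "$name" in
    *ORGANIZATION_ID*)
      echo "placeholder ORGANIZATION_ID was not replaced"; return 1 ;;
    projects/*|folders/*)
      echo "Workspace audit logs are organization-level: use organizations/<id>/..."; return 1 ;;
    *cloudaudit.googleapis.com/*)
      echo "the slash after cloudaudit.googleapis.com must be written as %2F"; return 1 ;;
  esac
  org=${name#organizations/}; org=${org%%/*}
  case "$org" in
    ''|*[!0-9]*) echo "organization ID must be numeric"; return 1 ;;
  esac
  p="organizations/$org/logs/cloudaudit.googleapis.com%2F"
  case "$name" in
    "${p}activity"|"${p}data_access") echo "ok"; return 0 ;;
  esac
  echo "not one of the two Workspace audit log names"; return 1
}

# read_cmd ORG_ID LOG (activity|data_access): prints the gcloud command to run.
read_cmd() {
  log_name="organizations/$1/logs/cloudaudit.googleapis.com%2F$2"
  check_log_name "$log_name" >/dev/null || return 1
  printf 'gcloud logging read '\''logName="%s"'\'' --organization=%s --limit=10 --freshness=1d\n' \
    "$log_name" "$1"
}

# Constructed sample names: one valid, three with common mistakes.
for n in \
  'organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity' \
  'organizations/123456789012/logs/cloudaudit.googleapis.com/data_access' \
  'organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity' \
  'projects/my-project/logs/cloudaudit.googleapis.com%2Factivity'
do
  printf '%s\n  -> %s\n' "$n" "$(check_log_name "$n")"
done
read_cmd 123456789012 data_access
```

The single quotes around the filter in the printed command keep the shell from touching the inner double quotes and the `%2F` sequence when the command is pasted into a terminal.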

I can see audit logs for Google Workspace, but logs are delayed.

Your log data might be missing or delayed due to latency.

I can see log entries, but a field is missing or incorrect.

The following are examples of missing fields:

  • The same log record exists in the Logs Explorer and Google Workspace Admin Console, but a field is missing from both. For example, the IP address is missing in both.
  • The same log record exists in the Logs Explorer and the Google Workspace Admin Console. However, a field exists in the Google Workspace Admin Console and is either incorrect or missing in the Logs Explorer.

Frequently Asked Questions

What exactly is a bucket of Google Cloud Storage?

Google Cloud Storage is based on the same cutting-edge technology that powers Google products worldwide, making it simple to store, access, and secure your data. With Google Cloud Storage, you can save and control access to any amount of data, whether for an individual or a group.

What is Google Cloud Platform?

Google Cloud Platform is Google's cloud platform, which allows users to access cloud systems and computing services. It provides a wide range of cloud computing services in the storage, compute, database, migration, and networking domains.

What are audit logs used for?

Audit logs are used to record:

  • the occurrence of an event
  • the time at which it occurred
  • the responsible user or service
  • the impacted entity

Conclusion

I hope this article gave you insights into the workspace audit logs provided by Google.
