Introduction
Google Cloud services write audit logs to answer questions such as, "Who, where, did what, and when?". You can also share your Google Workspace audit logs with Google Cloud to monitor, store, analyze, and alert on your Google Workspace data.
Audit logs for Google Workspace are available for Cloud Identity Premium, Cloud Identity, and all Google Workspace customers.
If you have enabled Google Workspace data sharing with Google Cloud, then audit logs are always enabled for Google Workspace.
Disabling Google Workspace data sharing controls new Google Workspace audit log events from being sent to Google Cloud. Any existing logs remain through their default retention periods unless and until you have configured custom retention to retain your logs for a more extended period.
Suppose you don't enable Google Workspace data sharing with Google Cloud. In that case, you can't see audit logs for Google Workspace in Google Cloud.
Google Workspace services forwarding audit logs to Google Cloud
Google Workspace provides the following audit logs at the Google Cloud organization level:
- Google Workspace Admin Audit: Admin Audit logs give a record of actions performed in your Google Workspace Admin Console. For eg, you can view if an administrator turned on a Google Workspace service or added a user. Admin Audit writes Admin Activity audit logs only.
- Google Workspace Enterprise Groups Audit: They provide a record of actions performed on groups and group memberships. For eg, you can see when an administrator added a user or a group owner deleted their group.
- Google Workspace Login Audit: Login Audit logs are used to track user sign-ins to your domain. These logs only record the login event. They do not record which system was used to perform the login action.
- Google Workspace OAuth Token Audit: They logs track which users are using which web applications or third-party mobile in your domain. For example, if a user opens a Google Workspace Marketplace app, the log keep a record of the app's name and the person using it. The log also records when a third-party application is authorized to access Google Account data, such as Google Calendar, Contacts, and Drive files (Google Workspace only).
- Google Workspace SAML Audit: SAML Audit logs is used to track users' successful and unsuccessful sign-ins attempts to SAML applications. Entries usually appear in an hour of the user action.