User log events

Audit and investigation page: Review user sign-in activity

You can use the audit and investigation page to run searches related to User log events. There you can check critical actions carried out by users on their own accounts. These actions include changes to passwords, account recovery details (telephone numbers, email addresses), and 2-Step Verification enrollment. If a user signs in from an email client or a non-browser application, you can also review reports of suspicious attempts.

Note:

  • During a recent launch, the old Login audit log and User accounts audit log were combined into the User log events data source. For more details, see What's new: Improved audit and investigation experience.
  • If there's no data for user log events during the previous 6 months, User log events might not be displayed in the left navigation menu.

For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the data sources for the audit and investigation page.

Open the audit and investigation page

Access User log event data

  1. On the left, click Reporting and then Audit and investigation and then User log events.

Filter the data

  1. Open the log events as described above in Access User log event data.
  2. Click Add a filter, and then select an attribute.
  3. In the pop-up window, select an operator and then select a value and then click Apply.
  4. (Optional) To create multiple filters for your search:

    1. Click Add a filter and repeat step 3.
    2. (Optional) To add a search operator, above Add a filter, select AND or OR.
  5. Click Search.

Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute | Description
Actor | Email address of the user who performed the action
Actor group name | Group name of the actor
Actor organizational unit | Organizational unit of the actor
Affected user | Email address of the affected user
Challenge type | The type of challenge used to verify the user, such as Password or Security Key.
Date | Date and time of the event (displayed in your browser's default time zone)
Domain | The domain where the action occurred
Email forwarding address | Email address to forward the Gmail messages to
Event | The logged event action, such as two-step verification enroll or Suspicious login
IP address | IP address that the user used to sign in. Usually the address is the user's physical location, but it can be a proxy server or a Virtual Private Network (VPN) address.
Is second factor | True if the user signed in with 2-factor authentication. False if the user didn't sign in with 2-factor authentication.
Is suspicious | True if the sign-in attempt was suspicious, otherwise false. Applicable only to the login_success event
Login time | Date and time the user signed in
Login type | Authentication method the user used:

  • Exchange—When a user is authenticated by token exchange, such as via an OAuth login. It might also indicate the user was already signed in to a session when they signed in to another, and the two sessions were merged
  • Google Password—Used a Google password. Includes sign-ins to less secure apps (if allowed)
  • Reauth—User authenticated with a password re-authentication request
  • SAML—Authentication by single sign-on Security Assertion Markup Language (SAML)
  • Unknown—User signed in using an unknown method
User | Email address of the user who performed the action

Manage log event data

Manage search results column information

You can control which data columns appear in your search results.

  1. At the top-right of the search results table, click Manage columns.
  2. (Optional) To remove current columns, click Remove.
  3. (Optional) To add columns, next to Add new column, click the Down arrow and select the data column.
    Repeat as needed.
  4. (Optional) To modify the order of the columns, drag the data column names.
  5. Click Save.

Export search result data

  1. At the top of the search results table, click Export all.
  2. Enter a name and then click Export.
    The export displays below the search results table under Export action results.
  3. To view the data, click the name of your export.
    The export opens in Google Sheets.
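
Once an export has been downloaded from Google Sheets as CSV, the attributes described above can be triaged offline. The following is an added example, not part of the original help page: it assumes the CSV column headers match the attribute names on this page, and the sample rows, addresses and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample rows. ASSUMPTION: the export was downloaded as CSV and
# its column headers match the attribute names listed on this page.
SAMPLE_CSV = """\
Date,Event,User,IP address,Is suspicious,Is second factor,Login type
2024-05-01T08:00:00Z,login_success,alice@example.com,198.51.100.7,False,True,Google Password
2024-05-01T08:05:00Z,login_success,bob@example.com,203.0.113.9,TRUE,False,Google Password
2024-05-01T09:00:00Z,login_success,carol@example.com,192.0.2.44,False,False,SAML
2024-05-01T09:30:00Z,login_success,dave@example.com,192.0.2.80,false,false,Google Password
2024-05-01T10:00:00Z,Suspicious login,bob@example.com,203.0.113.9,,,
"""


def cell(row, name):
    """Return a trimmed cell value; missing or empty cells become ''."""
    return (row.get(name) or "").strip()


def triage(csv_text):
    """Return (user, ip, reason) tuples for sign-ins worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # "Is suspicious" applies only to the login_success event.
        if cell(row, "Event") != "login_success":
            continue
        user, ip = cell(row, "User"), cell(row, "IP address")
        if cell(row, "Is suspicious").lower() == "true":
            findings.append((user, ip, "suspicious sign-in"))
        # Only Google Password sign-ins are checked for a second factor;
        # SAML is skipped on the assumption that the IdP enforces its own.
        if (cell(row, "Login type") == "Google Password"
                and cell(row, "Is second factor").lower() != "true"):
            findings.append((user, ip, "password sign-in without second factor"))
    return findings


def users_to_review(csv_text):
    """Group reasons per user so each account is reviewed once."""
    grouped = {}
    for user, _ip, reason in triage(csv_text):
        grouped.setdefault(user, set()).add(reason)
    return grouped


if __name__ == "__main__":
    for user, reasons in sorted(users_to_review(SAMPLE_CSV).items()):
        print(user, sorted(reasons))
```

The same selection can be expressed in the Condition builder tab as Event is login_success AND (Is suspicious is True OR (Login type is Google Password AND Is second factor is False)).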

Create reporting rules

Go to Create and manage reporting rules.

When and how long is data available?

Go to Data retention and lag times.

Related topics

  • Data sources for the audit and investigation page
