Know How to Audit Admin logs in Google Workspace

Shweta Shukla
Last update: October 24, 2023
No Comments

Introduction

In this article, we will know how to Audit Admin logs in Google Workspace. Auditing Admin logs help to record, track, and create documentation about the Admin activities in Google Workspace. The process helps to identify unauthorized activities and inform about the security loopholes. As an Admin, you can download the CSV of Admin logs from the Admin Console. But Foresight makes this process easier by automating it.

What are admin logs in Google Admin, and why do they exist?

Admin logs are a feature in the Google Admin Console that allows you to audit, investigate, and identify the admins and users, their activities, and much more. The data helps you to track the Admin and users’ activity and ensure there are no malpractices. When you enable audit logs, they let your security, compliance, and auditing entities examine Google Cloud data and systems for any possible security threat. In this way, it maintains data consistency.

Which information do the logs include?

There are four types of audit logs – Admin Activity audit logs, Data Access audit logs, System Event audit logs, and Policy Denied audit logs. Let’s know what kind of information they consist of:

Google Admin audit logs include the log entries for API calls to modify resource metadata or configuration.
Data Access logs include API calls for reading the metadata or configuration of resources. It also contains user-driven API calls to create, read, or update user-provided resource data.
System event logs consist of Google Cloud action entries. They help to modify the resource configuration.
Policy denied logs record violation of security policy. These logs have been recorded when a user or service account doesn’t get access permission from a Google Cloud service.

How to find Admin logs in Google Admin?

To find the Activity logs in Google Admin, you should follow these steps –

Sign in to your Google Admin Console.
Click Reporting >Audit and investigation>Admin log events. From the left-hand side.

Then, filter the data with –

Click Add a filter. Select an attribute/column.
Select an operator > select a value > Apply from the pop-up window.
To create multiple filters, you can Add a filter and repeat the above step. Or, if you want to add a search operator, select AND or OR above the Add a filter option.
Click Search.

What do you mean by 'columns' in log event data?

The columns are nothing but attributes that help to search log event data from the data source. There are multiple columns or attributes in this regard. For example –

Actor: It’s the email address of a user who performs the log event data searching.
Event: It’s the logged event action like Activity Rule Creation or Investigation Query. The event attributes are grouped by type – Domain Settings or User Settings, under the Event value.
IP address: IP or Internet Protocol address associated with the user’s physical location. Also, it can be a virtual private network or proxy server.
Actor organizational unit: This attribute reveals the OU of the actor.

Automate auditing and exporting Admin logs with Foresight

Foresight is a sophisticated automation platform that provides customized use cases for Google Admin and users. With the help of Foresight, Admin can efficiently automate their regular business workflows. Its automated solution helps you to remove problematic manual tasks and boost productivity. Now, let’s talk about this use case. Google Admin Console has the feature to audit Admin logs. But Foresight provides a more advanced option for this use case. First of all, it automates the process of auditing Admin logs and then stores them in Google Drive for future reference. Moreover, it enhances customizations, real-time alerts, advanced reporting, and analysis capabilities.

Instruction

This use case is divided into two parts –

Rule 1: Exporting the Admin logs to Google Drive
Rule 2: Create a calendar event for exporting Admin logs weekly to Google Drive

Rule Creation

Sign in to your Foresight account. Start creating the rule with the New Rule (+) button.
Select the Data Uploaded trigger. Click Next after uploading your CSV file.

3. Select the List admin activity logs action.

4. Now, select the Start datetime variable in the Start time and End Datetime variable in the End time field. You can leave the rest of the fields as default.

5. Click Add Next Action. Select the Upload data to Drive action.

6. Now, create a Drive folder for this action. Then, select the Admin Logs CSV Download Link in the CSV file link and the Admin Log File folder in the Google Drive Folder. Click Review.

7. Give a Rule Name (Bulk Export Admin Logs to Google Drive). Click Create.

8. Now, the first part of the rule has been created. So, trigger the rule and export the same CSV file.

9. Now, check the successful rule execution from the Logs page. You will find the date range for admin logs. Check the log file from the Google Drive folder.

10. Then create the Second Part of the rule. For the second part, you need to create a calendar event. Here, we are creating the calendar event on the same date of rule creation. But you can select the date as per your requirement.

11. Click on the (+) icon and select the Calendar event started trigger.

12. Select Primary Calendar in the Calendars and Admin Activity in the Event title.

13. Then, select the Convert datetime action.

14. Select Current Datetime in the Source datetime field.

15. Select these steps in the Time change steps - Subtract 1 Week, Set the Day of week to 1, and Set to the Start of Day.

16. Enter Start Datetime as the Variable name.

Repeat the action-

17. Again, click Add Next Action. Again select the Convert datetime action.

18. Again, select Current Datetime in the Source datetime field.

19. Select Subtract 1 Week in the Time Change steps. Then, click Add Step to Set the Day of Week to 5. Again, click Add Step to Set to the End of Day.

20. Enter End Datetime as the Variable name.

21. Click Add Next Action. Select the List admin activity logs action.

22. Then select the Start Datetime and End Datetime.

23. Again, click Add Next Action and select Upload data to Drive.

24. Select Admin Logs CSV Download Link in the CSV file URL. Then, select the Admin Log file in the Google Drive Folder. Click Review.

25. Give the Rule Name (Export admin logs weekly to Google Drive). Click Create. The rule has been created successfully.

Verifying the Result

Check the successful rule execution through the Logs page.

2. You can check the weekly report has been exported to Google Drive.

Conclusion

So now you understand the process of Admin audit logs in Google Workspace. It enables transparency within your organizational activities. In this way, it helps you to stay safe and secure. Foresight’s advanced automated solution helps you to perform this action easily.

So, try a 14-day free trial with Foresight. You can learn other related topics like – Improved audit and investigation experience, etc.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments

Inline Feedbacks

View all comments

Unleash the power of automation and shape the future of intelligent digital workspace.

Products & Services

Company

Contact

xFanatical, Inc.

8780 19th St

Ste 458

Rancho Cucamonga, CA 91701

United States

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. This cookie is installed the first time a visitor enters the website through a browser. When the visitor comes back to the website through the same browser, the cookie will consider them to be the same visitor. Only in the event that the visitor changes browser, will they be deemed to be a different visitor.
_gat_gtag-###	1 minute	This cookie is installed by Google Analytics. It is used to analyze visitor browsing habits, flow, source and other information.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
__Secure-1PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising
__Secure-1PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
_gcl_au	3 months	This cookie is set by Google Analytics to take information in advert clicks and store it in a 1st party cookie so that conversions can be attributed outside of the landing page.
1P_JAR	1 month	This cookie is installed by Google Ads. This cookie is used to collect site statistics and track conversion rates.
APISID	2 years	This cookie is used by Google to store user preferences and information while viewing Youtube videos on this site.
HSID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
LOGIN_INFO	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
PREF	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
SID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
SIDCC	1 year	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
SSID	2 years	This cookie is used to save the user's preferences and other information.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	This cookie is used by YouTube to remember user input and associate a user’s actions. This cookie lasts for as long as the user keeps their browser open.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.