Introduction
In this article, we will look at how to audit Admin logs in Google Workspace. Auditing Admin logs records, tracks, and documents Admin activity in Google Workspace. The process helps to identify unauthorized activity and reveals security gaps. As an Admin, you can download the Admin logs as a CSV from the Admin Console, but Foresight makes this process easier by automating it.
What are admin logs in Google Admin, and why do they exist?
Admin logs are a feature in the Google Admin Console that let you audit, investigate, and identify admins and users and their activities. The data helps you track Admin and user activity and ensure there is no misuse. When you enable audit logs, your security, compliance, and auditing teams can examine Google Cloud data and systems for possible security threats. In this way, it maintains data consistency.
Which information do the logs include?
There are four types of audit logs: Admin Activity audit logs, Data Access audit logs, System Event audit logs, and Policy Denied audit logs. Here is what kind of information they contain:
- Admin Activity audit logs include log entries for API calls that modify resource metadata or configuration.
- Data Access audit logs include API calls that read the metadata or configuration of resources. They also contain user-driven API calls that create, read, or update user-provided resource data.
- System Event audit logs contain entries for Google Cloud actions that modify resource configuration.
- Policy Denied audit logs record violations of a security policy. These logs are recorded when a Google Cloud service denies access to a user or service account.
How to find Admin logs in Google Admin?
To find the Admin log events in the Google Admin Console, follow these steps:
- Sign in to your Google Admin Console.
- From the left-hand menu, click Reporting > Audit and investigation > Admin log events.
Then, filter the data:
- Click Add a filter. Select an attribute/column.
- In the pop-up window, select an operator, select a value, and click Apply.
- To create multiple filters, click Add a filter and repeat the step above. To combine filters with a search operator, select AND or OR above the Add a filter option.
- Click Search.
What are 'columns' in log event data?
Columns are the attributes used to search log event data from the data source. There are many such columns or attributes. For example:
- Actor: The email address of the user who performed the logged event.
- Event: The logged event action, such as Activity Rule Creation or Investigation Query. Event attributes are grouped by type (for example Domain Settings or User Settings) under the Event value.
- IP address: The Internet Protocol address associated with the user's physical location. It can also be the address of a virtual private network or proxy server.
- Actor organizational unit: The OU of the actor.
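The columns above are what a reviewer actually works with once the CSV is exported. The following is an added example, not code from the article or from Foresight, that parses a constructed Admin log events export using those column names (Actor, Event, IP address, Actor organizational unit) and flags rows that deviate from a hypothetical review policy: an actor who is not an expected admin, a source IP outside trusted networks, or an actor outside the admin OU. The sample rows, addresses, OU names and policy sets are all made up for the example.

```python
import csv
import io
import ipaddress

# Constructed sample of an Admin log events CSV export, using the column names
# described above. Every row, address and name here is made up.
SAMPLE_EXPORT = """\
Date,Event,Actor,IP address,Actor organizational unit
2024-05-06T08:12:03Z,Activity Rule Creation,alice@example.com,203.0.113.10,/IT/Admins
2024-05-06T09:40:51Z,Investigation Query,alice@example.com,203.0.113.11,/IT/Admins
2024-05-07T23:05:17Z,Activity Rule Creation,bob@example.com,198.51.100.7,/Sales
2024-05-08T11:22:00Z,Investigation Query,carol@example.com,203.0.113.12,/IT/Admins
"""

# Hypothetical review policy: who is expected to perform admin actions,
# from which networks, and which OU they should belong to.
EXPECTED_ADMINS = {"alice@example.com", "carol@example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_OU = "/IT/Admins"


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_is_trusted(ip_text: str) -> bool:
    """True when the address parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # empty or malformed address: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def review_rows(rows: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (Date, Actor, reasons) for every row that deviates from the policy."""
    findings = []
    for row in rows:
        reasons = []
        actor = row.get("Actor", "")
        if actor not in EXPECTED_ADMINS:
            reasons.append("actor not in expected admin list")
        if not ip_is_trusted(row.get("IP address", "")):
            reasons.append("source IP outside trusted networks")
        if row.get("Actor organizational unit", "") != ADMIN_OU:
            reasons.append("actor outside admin OU")
        if reasons:
            findings.append((row.get("Date", ""), actor, reasons))
    return findings


if __name__ == "__main__":
    for date, actor, reasons in review_rows(parse_export(SAMPLE_EXPORT)):
        print(f"{date} {actor}: {', '.join(reasons)}")
```

Run against the constructed export, only the row for bob@example.com is reported, with all three reasons. The same review can be pointed at a CSV downloaded from the Admin Console or one that an automation has placed in Google Drive, as long as the column names match.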
Automate auditing and exporting Admin logs with Foresight
Foresight is an automation platform that provides customized use cases for Google Admins and users. With Foresight, Admins can automate their regular business workflows, removing error-prone manual tasks and boosting productivity. Now, let's turn to this use case. The Google Admin Console can audit Admin logs on its own, but Foresight provides a more advanced option: it automates the audit of Admin logs and stores the results in Google Drive for future reference, and it adds customization, real-time alerts, advanced reporting, and analysis capabilities.
Instruction
This use case is divided into two parts:
- Rule 1: Exporting the Admin logs to Google Drive
- Rule 2: Create a calendar event for exporting Admin logs weekly to Google Drive
Rule Creation
1. Sign in to your Foresight account. Start creating the rule with the New Rule (+) button.
2. Select the Data Uploaded trigger. Click Next after uploading your CSV file.
3. Select the List admin activity logs action.
4. Now, select the Start Datetime variable in the Start time field and the End Datetime variable in the End time field. You can leave the rest of the fields at their defaults.
5. Click Add Next Action. Select the Upload data to Drive action.
6. Now, create a Drive folder for this action. Then, select the Admin Logs CSV Download Link in the CSV file link field and the Admin Log File folder in the Google Drive Folder field. Click Review.
7. Give a Rule Name (Bulk Export Admin Logs to Google Drive). Click Create.
8. The first part of the rule has now been created. Trigger the rule and export the same CSV file.
9. Check the successful rule execution on the Logs page. You will find the date range for the admin logs. Check the log file in the Google Drive folder.
10. Then create the second part of the rule. For the second part, you need to create a calendar event. Here, we are creating the calendar event on the same date as the rule creation, but you can select the date as per your requirement.
11. Click the (+) icon and select the Calendar event started trigger.
12. Select Primary Calendar in the Calendars field and Admin Activity in the Event title field.
13. Then, select the Convert datetime action.
14. Select Current Datetime in the Source datetime field.
15. Select these steps in the Time change steps: Subtract 1 Week, Set the Day of Week to 1, and Set to the Start of Day.
16. Enter Start Datetime as the Variable name.
Repeat the action:
17. Again, click Add Next Action and select the Convert datetime action.
18. Again, select Current Datetime in the Source datetime field.
19. Select Subtract 1 Week in the Time change steps. Then, click Add Step to Set the Day of Week to 5. Again, click Add Step to Set to the End of Day.
20. Enter End Datetime as the Variable name.
21. Click Add Next Action. Select the List admin activity logs action.
22. Then select the Start Datetime and End Datetime.
23. Again, click Add Next Action and select Upload data to Drive.
24. Select Admin Logs CSV Download Link in the CSV file URL field. Then, select the Admin Log file folder in the Google Drive Folder field. Click Review.
25. Give the Rule Name (Export admin logs weekly to Google Drive). Click Create. The rule has been created successfully.
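Steps 13 to 25 compute a date window (one week back, Monday start of day to Friday end of day), list admin activity logs for that window, and upload them as a CSV. The script below is an added example, not Foresight's code and not code from the article, showing the same procedure done directly against the Admin SDK Reports API with the googleapiclient library: `previous_work_week` mirrors the Convert datetime steps, `fetch_admin_activities` pages through `activities().list` for `applicationName="admin"`, and `activities_to_rows`/`rows_to_csv` flatten the results into a CSV you can store wherever your retention policy requires. Building and authorising the `service` object is assumed to be done elsewhere; `SAMPLE_ITEMS`, the column names and the addresses are constructed so the flattening runs offline.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Column layout of the CSV we produce (constructed for this example).
CSV_COLUMNS = ["time", "actor", "ip_address", "event_type", "event_name", "parameters"]


def previous_work_week(now: datetime) -> tuple[datetime, datetime]:
    """Mirror the rule's Convert datetime steps: subtract one week, then take
    Monday 00:00:00 as the start and Friday 23:59:59 as the end of that week."""
    anchor = now - timedelta(weeks=1)
    monday = anchor - timedelta(days=anchor.weekday())  # weekday() is 0 on Monday
    start = monday.replace(hour=0, minute=0, second=0, microsecond=0)
    end = (monday + timedelta(days=4)).replace(hour=23, minute=59, second=59, microsecond=0)
    return start, end


def to_rfc3339(value: datetime) -> str:
    """The Reports API expects RFC 3339 timestamps; we work in UTC throughout."""
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def weekly_window_rfc3339(now_iso: str) -> tuple[str, str]:
    """Convenience wrapper: ISO 8601 'now' in, RFC 3339 (start, end) strings out."""
    start, end = previous_work_week(datetime.fromisoformat(now_iso))
    return to_rfc3339(start), to_rfc3339(end)


def fetch_admin_activities(service, start: datetime, end: datetime) -> list[dict]:
    """Page through Admin SDK Reports API results for the admin application.
    `service` is assumed to be a googleapiclient resource for admin/reports_v1."""
    items = []
    request = service.activities().list(
        userKey="all", applicationName="admin",
        startTime=to_rfc3339(start), endTime=to_rfc3339(end))
    while request is not None:
        response = request.execute()
        items.extend(response.get("items", []))
        request = service.activities().list_next(request, response)
    return items


def activities_to_rows(items: list[dict]) -> list[dict]:
    """Flatten each activity (one actor, one IP, possibly several events) into
    one CSV row per event, with parameters joined as name=value pairs."""
    rows = []
    for item in items:
        for event in item.get("events", []):
            params = "; ".join(
                f"{p.get('name', '')}={p.get('value', '')}" for p in event.get("parameters", []))
            rows.append({
                "time": item.get("id", {}).get("time", ""),
                "actor": item.get("actor", {}).get("email", ""),
                "ip_address": item.get("ipAddress", ""),
                "event_type": event.get("type", ""),
                "event_name": event.get("name", ""),
                "parameters": params,
            })
    return rows


def rows_to_csv(rows: list[dict]) -> str:
    """Serialise the flattened rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample in the shape the Reports API returns; all values are made up.
SAMPLE_ITEMS = [
    {
        "id": {"time": "2024-05-07T14:02:11.000Z", "applicationName": "admin"},
        "actor": {"email": "alice@example.com"},
        "ipAddress": "203.0.113.10",
        "events": [
            {"type": "USER_SETTINGS", "name": "CREATE_USER",
             "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.com"}]},
            {"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
             "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.com"}]},
        ],
    },
]

if __name__ == "__main__":
    start, end = previous_work_week(datetime.now(timezone.utc))
    print(f"Window: {to_rfc3339(start)} .. {to_rfc3339(end)}")
    # With a real, authorised service: items = fetch_admin_activities(service, start, end)
    print(rows_to_csv(activities_to_rows(SAMPLE_ITEMS)), end="")
```

The window calculation deliberately matches the two Convert datetime actions in the rule (Subtract 1 Week, Day of Week 1, Start of Day; Subtract 1 Week, Day of Week 5, End of Day), so a scheduled run on any day of the week always covers the previous Monday through Friday. Note that the Reports API returns one activity per actor and IP with a list of events, which is why the export produces one CSV row per event rather than per activity.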
Verifying the Result
1. Check the successful rule execution on the Logs page.
2. Check that the weekly report has been exported to Google Drive.
Conclusion
So now you understand how to audit Admin logs in Google Workspace. It provides transparency into the activity within your organization and, in this way, helps you stay safe and secure. Foresight's automated solution helps you perform this task easily.
So, try a 14-day free trial with Foresight. You can also learn about related topics such as the improved audit and investigation experience.