Audit Login Reports
Google Administrators can track the login details of the respective domain. All sign-ins from web browsers are logged, including successful, unsuccessful, and suspicious attempts.
In this Article, we will discuss about the process to track the login details of users and how to export the audit log data from the Google Admin console.
Step 1: Open your Login audit log:
In your Google Admin console (at admin.google.com)...
Go to Reports.
Click Login.
Optionally, at the top right, click Select Columns. Select the columns you want to see or hide:
IP Address—Internet Protocol (IP) address used by the user to sign in.
Date—Date the sign-in occurred (displayed in your default time zone).
Login Type (SSO only)—Displays the ways the user signed in:
Exchange - by providing an existing credential and exchanging it with one of another type. For example, exchanging an OAuth token for a security identifier (SID)
Google Password - with a Google password
Reauth - with a password re-authentication request
SAML - via single sign-on Security Assertion Markup Language (SAML)
Unknown - using an unknown method
Step 2: Understand Login audit log data
Data you can view:
Data Type | Description |
Event name | The action that was logged, such as a login challenge or a failed login attempt. |
Event description | Details of the event described in the Event name field. |
IP address | Internet Protocol (IP) address that the user used to sign in to the Admin console. This might reflect your physical location, but it can be something else like a proxy server or a Virtual Private Network (VPN) address. |
Login Type | Details of how the user signed in. |
Date and time range | Date and time the event occurred (displayed in your browser's default time zone). |
Event name descriptions:
Here are types of events that are available under the Event name column:
Event name | Description |
Failed Login | Log entry for each time a user fails to log in. |
Government-backed attack | Log entry for each time government-backed attackers may have tried to compromise a user account or computer. Click here to learn more about government-backed attacks. |
Login challenge | Log entry for each time a user was presented with a login challenge. |
Logout | Log entry for each time a user logged out. |
Successful Login | Log entry for each time a user logged in. |
Suspicious Login | Log entry for each time a user logged in and the login had some unusual characteristics, for example, the user logged in from an unfamiliar IP address. |
Step 3: Customize and export your audit log data:
Filter the audit log data by user or activity.
You can narrow your audit log to show specific events or users. For example, find all log events for when a user was presented with a login challenge, or find all login activity for a particular user.
Open your Login audit log as shown above.
If you don't see the Filters section, click Filter.
Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
Click Search.
Export your audit log data:
You can export your Login audit log data to a Google Sheet, or download it to a CSV file.
Open your Login audit log as shown above.
(Optional) To change the data to include in your export, on the toolbar, click Select Columns.
On the toolbar, click Download.
