G Suite Business plans and above allow you to use ‘audit logs’. I investigated what you can and cannot do with these audit logs, and this post introduces my findings.
Just recently, a business owner acquaintance consulted me saying, “Confidential information from inside the company was leaked outside, so can we search for evidence?”
Since G Suite makes audit logs available on Business plans and above, I thought that if they were managing documents on Google Drive, evidence of the confidential information leak might be found by searching the ‘audit logs’. That was the background to this investigation of G Suite audit logs.
The audit logs that can be checked in G Suite are listed on the Login Audit Log - G Suite Admin Help page.
The following two points are convenient features common to all audit logs.
“The maximum number of cells for export is 210,000. The maximum number of rows varies depending on the number of columns selected. Both exported Google Spreadsheets and downloaded CSV files display a maximum of 10,000 rows.”
Since the help page states this, it seems you cannot retain all of the audit log data unless you download it frequently.
Taking the G Suite Drive audit logs as an example, since Drive is a likely channel for a confidential information leak, I investigated a few points of concern.
Drive Audit Logs - G Suite Admin Help
It appears that audit logs from before switching to the G Suite Business plan cannot be viewed. So, if you think you might need audit logs, I recommend switching to a higher G Suite plan in advance.
Data Retention Periods and Time Lag - G Suite Admin Help
Even when filtering, an error message appears saying “Please select a start time within 180 days from now.”
Audit logs can be downloaded from the admin console https://admin.google.com/AdminHome?fral=1#Reports:subtab=drive-audit.
Since audit logs grow to an enormous volume, downloading all of them from the admin console isn’t realistic.
If you want to download all audit logs and save them to online storage services like Amazon S3 or Glacier, I think using the Reports API for downloading would be efficient.
For example, you can download audit logs via the API with a request like GET https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?maxResults=1000&pageToken=nextPageToken, where pageToken carries the nextPageToken value returned by the previous response.
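As an added illustration (not code from the original post or from Google), here is a Python sketch of that download-and-archive loop: it follows nextPageToken across pages, flattens each activity into one row per event, serialises the rows to JSON Lines for upload to S3 or Glacier, and picks out the Drive events an investigator would look at first. The `fetch` callable, the `_act` helper and the sample pages are assumptions constructed for this example; the response shape follows the Reports API activities.list documentation, and a real `fetch` would issue the authenticated GET shown above.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional

def iter_activities(fetch: Callable[[Optional[str]], Dict]) -> Iterator[Dict]:
    """Follow nextPageToken until the API stops returning one."""
    token: Optional[str] = None
    while True:
        page = fetch(token)
        yield from page.get("items", [])
        token = page.get("nextPageToken")
        if not token:
            return

def flatten(activity: Dict) -> List[Dict]:
    """One flat row per event, so the archive can be grepped or loaded into SQL."""
    rows = []
    for ev in activity.get("events", []):
        # a parameter carries one of value / boolValue / intValue / multiValue
        params = {p["name"]: p.get("value", p.get("boolValue", p.get("intValue", p.get("multiValue"))))
                  for p in ev.get("parameters", [])}
        rows.append({"time": activity["id"]["time"], "actor": activity.get("actor", {}).get("email"),
                     "ip": activity.get("ipAddress"), "event": ev.get("name"),
                     "doc_title": params.get("doc_title"), "doc_id": params.get("doc_id"),
                     "visibility": params.get("visibility")})
    return rows

def collect_rows(fetch) -> List[Dict]:
    return [row for act in iter_activities(fetch) for row in flatten(act)]

def to_jsonl(rows: List[Dict]) -> str:
    """Newline-delimited JSON: append-friendly and easy to push to S3 or Glacier."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in rows)

def triage(rows, events=("download", "change_document_visibility")):
    """Events an investigator checks first when a document may have left the company."""
    return [r for r in rows if r["event"] in events]

def _act(time, email, name, **params):  # builds one constructed activity record (assumed helper)
    return {"id": {"time": time}, "actor": {"email": email}, "ipAddress": "203.0.113.5",
            "events": [{"name": name, "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}
_SAMPLE = {  # two constructed pages (not real data) shaped like activities.list output
    None: {"nextPageToken": "page2", "items": [
        _act("2019-06-01T09:12:33.000Z", "alice@example.com", "download",
             doc_title="Customer list", doc_id="doc-1", visibility="private"),
        _act("2019-06-01T09:20:01.000Z", "bob@example.com", "view", doc_title="Meeting notes", doc_id="doc-2")]},
    "page2": {"items": [_act("2019-06-02T18:45:10.000Z", "alice@example.com", "change_document_visibility",
                             doc_title="Customer list", doc_id="doc-1", visibility="people_with_link")]}}
def sample_fetch(token):  # stand-in for the authenticated GET against the Reports API
    return _SAMPLE[token]
```

Run on a schedule well inside the 180-day window, writing `to_jsonl(collect_rows(fetch))` to object storage each time, and the export limits of the admin console no longer matter.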
That’s all from the field: the aim was to understand the ‘audit logs’ available in G Suite and to be prepared for when a confidential information leak occurs.