G Suite Business plans and above allow you to use ‘audit logs’. I investigated what you can and cannot do specifically with audit logs, so I’ll introduce my findings.
Background of Investigating G Suite Audit Logs
Just recently, a business owner acquaintance consulted me saying, “Confidential information from inside the company was leaked outside, so can we search for evidence?”
Since G Suite allows audit logs to be used from Business plans and above, I thought that if they were managing documents on Google Drive, they could potentially find evidence of confidential information leaks by searching the ‘audit logs’. That was the background of investigating G Suite audit logs.
Various G Suite Audit Logs
The audit logs that can be checked in G Suite are listed on the Login Audit Log - G Suite Admin Help page.
Convenient Features Common to All Audit Logs
The following two points are convenient features common to all audit logs.
- Customize and export audit log data
- Set up email alerts
The maximum number of cells for export is 210,000. The maximum number of rows varies depending on the number of columns selected. Both exported Google Spreadsheets and downloaded CSV files display a maximum of 10,000 rows.
Since it states this, it seems you can’t save all audit log data unless you download it frequently.
G Suite Drive Audit Logs
I investigated some concerning points using G Suite Drive audit logs as an example, which could be a cause of confidential information leaks.
Drive Audit Logs - G Suite Admin Help
Audit Logs Before Implementation Cannot Be Viewed
It appears that audit logs from before switching to G Suite Business plan cannot be viewed. So, if you think you might need audit logs, I recommend switching to a G Suite higher plan.
Audit Logs from 180 Days Before Implementation Cannot Be Viewed
Data Retention Periods and Time Lag - G Suite Admin Help
Even when filtering, an error message appears saying “Please select a start time within 180 days from now.”
Download and Save Audit Logs
Audit logs can be downloaded from the admin console https://admin.google.com/AdminHome?fral=1#Reports:subtab=drive-audit.
Since audit logs become an enormous volume, downloading all audit logs from the admin console isn’t realistic.
If you want to download all audit logs and save them to online storage services like Amazon S3 or Glacier, I think using the Reports API for downloading would be efficient.
- Get Started | Reports API | Google Developers
- Reports API: Drive Activity Report | Reports API | Google Developers
- Activities: list | Reports API | Google Developers
For example, you can download audit logs via API like GET https://www.googleapis.com/admin/reports/v1/activity/users/all /applications/drive?maxResults=1000&pageToken=nextPageToken.
That’s all from the Gemba on understanding the ‘audit logs’ available in G Suite and wanting to prepare for when confidential information leaks occur.