Workspace Log Filters
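You can create a separate sink for each Google Workspace service's audit logs, or use the two filters below, which cover Alerts and Activities. To use a filter, create the sink and copy/paste the filter into the sink's inclusion filter section. Each filter is an explicit list of method names, so an event whose method name is not in the list is not routed by that sink.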
Alerts/Investigations
-- Sink inclusion filter: Google Workspace alertCenter* and securityInvestigation*
-- admin methods, plus toggleServiceEnabled.
-- Matches entries with resource.type="audited_resource" that also contain at least
-- one of the method names listed below.
-- Precedence: in the Logging query language OR binds tighter than AND, so the
-- resource.type restriction applies to the whole OR list, not only to the first name.
-- NOTE(review): the method names carry no field name; the query language treats such
-- terms as a search over the whole entry. Confirm this is intended rather than a
-- comparison against one specific field before tightening the filter.
-- NOTE(review): this is a fixed list. Deleting or editing alerts and exporting
-- investigation results are covered only because they are named here; an event
-- whose method name is missing from the list is silently not routed.
(resource.type="audited_resource" AND
google.admin.AdminService.alertCenterBatchDeleteAlerts OR
google.admin.AdminService.alertCenterBatchUndeleteAlerts OR
google.admin.AdminService.alertCenterCreateAlert OR
google.admin.AdminService.alertCenterCreateFeedback OR
google.admin.AdminService.alertCenterDeleteAlert OR
google.admin.AdminService.alertCenterGetAlertMetadata OR
google.admin.AdminService.alertCenterGetCustomerSettings OR
google.admin.AdminService.alertCenterGetSitLink OR
google.admin.AdminService.alertCenterListChange OR
google.admin.AdminService.alertCenterListFeedback OR
google.admin.AdminService.alertCenterListRelatedAlerts OR
google.admin.AdminService.alertCenterUndeleteAlert OR
google.admin.AdminService.alertCenterUpdateAlert OR
google.admin.AdminService.alertCenterUpdateAlertMetadata OR
google.admin.AdminService.alertCenterUpdateCustomerSettings OR
google.admin.AdminService.alertCenterView OR
google.admin.AdminService.toggleServiceEnabled OR
-- Security investigation tool: actions, exports, sharing and settings changes.
google.admin.AdminService.securityInvestigationAction OR
google.admin.AdminService.securityInvestigationActionCancellation OR
google.admin.AdminService.securityInvestigationActionCompletion OR
google.admin.AdminService.securityInvestigationActionRetry OR
google.admin.AdminService.securityInvestigationActionVerificationConfirmation OR
google.admin.AdminService.securityInvestigationActionVerificationRequest OR
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration OR
google.admin.AdminService.securityInvestigationChartCreate OR
google.admin.AdminService.securityInvestigationContentAccess OR
google.admin.AdminService.securityInvestigationDownloadAttachment OR
google.admin.AdminService.securityInvestigationExportActionResults OR
google.admin.AdminService.securityInvestigationExportQuery OR
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation OR
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation OR
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation OR
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer OR
google.admin.AdminService.securityInvestigationObjectSaveInvestigation OR
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing OR
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing OR
google.admin.AdminService.securityInvestigationQuery OR
google.admin.AdminService.securityInvestigationSettingUpdate)
Workspace Activities
-- Sink inclusion filter: Google Workspace administrative and sign-in activity.
-- Matches entries with resource.type="audited_resource" that also contain at least
-- one of the method names listed below. The list covers google.admin.AdminService.*
-- methods, two google.apps.cloudidentity.groups.v1 methods,
-- google.login.LoginService.* events, google.identity.oauth2.* token methods and
-- the google.apps.login.v1 SAML login results.
-- Precedence: in the Logging query language OR binds tighter than AND, so the
-- resource.type restriction applies to the whole OR list, not only to the first name.
-- NOTE(review): the method names carry no field name; the query language treats such
-- terms as a search over the whole entry. Confirm this is intended rather than a
-- comparison against one specific field before tightening the filter.
-- NOTE(review): this is a fixed list; an event whose method name is missing from it
-- is silently not routed, so re-check the list when new audit events appear.
(resource.type="audited_resource" AND
google.admin.AdminService.changeApplicationSetting OR
google.admin.AdminService.createApplicationSetting OR
google.admin.AdminService.deleteApplicationSetting OR
google.admin.AdminService.reorderGroupBasedPoliciesEvent OR
google.admin.AdminService.gplusPremiumFeatures OR
google.admin.AdminService.createManagedConfiguration OR
google.admin.AdminService.deleteManagedConfiguration OR
google.admin.AdminService.updateManagedConfiguration OR
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected OR
google.admin.AdminService.createBuilding OR
google.admin.AdminService.deleteBuilding OR
google.admin.AdminService.updateBuilding OR
google.admin.AdminService.createCalendarResource OR
google.admin.AdminService.deleteCalendarResource OR
google.admin.AdminService.createCalendarResourceFeature OR
google.admin.AdminService.deleteCalendarResourceFeature OR
google.admin.AdminService.updateCalendarResourceFeature OR
google.admin.AdminService.renameCalendarResource OR
google.admin.AdminService.updateCalendarResource OR
google.admin.AdminService.changeCalendarSetting OR
google.admin.AdminService.cancelCalendarEvents OR
google.admin.AdminService.releaseCalendarResources OR
google.admin.AdminService.meetInteropCreateGateway OR
google.admin.AdminService.meetInteropDeleteGateway OR
google.admin.AdminService.meetInteropModifyGateway OR
google.admin.AdminService.changeChatSetting OR
google.admin.AdminService.changeChromeOsAndroidApplicationSetting OR
google.admin.AdminService.changeChromeOsApplicationSetting OR
google.admin.AdminService.sendChromeOsDeviceCommand OR
google.admin.AdminService.changeChromeOsDeviceAnnotation OR
google.admin.AdminService.changeChromeOsDeviceSetting OR
google.admin.AdminService.changeChromeOsDeviceState OR
google.admin.AdminService.changeChromeOsPublicSessionSetting OR
google.admin.AdminService.insertChromeOsPrinter OR
google.admin.AdminService.deleteChromeOsPrinter OR
google.admin.AdminService.updateChromeOsPrinter OR
google.admin.AdminService.changeChromeOsSetting OR
google.admin.AdminService.changeChromeOsUserSetting OR
google.admin.AdminService.removeChromeOsApplicationSettings OR
google.admin.AdminService.changeContactsSetting OR
-- Admin role and privilege changes.
google.admin.AdminService.assignRole OR
google.admin.AdminService.createRole OR
google.admin.AdminService.deleteRole OR
google.admin.AdminService.addPrivilege OR
google.admin.AdminService.removePrivilege OR
google.admin.AdminService.renameRole OR
google.admin.AdminService.updateRole OR
google.admin.AdminService.unassignRole OR
google.admin.AdminService.deleteDevice OR
google.admin.AdminService.moveDeviceToOrgUnit OR
google.admin.AdminService.transferDocumentOwnership OR
google.admin.AdminService.driveDataRestore OR
google.admin.AdminService.changeDocsSetting OR
google.admin.AdminService.changeAccountAutoRenewal OR
google.admin.AdminService.addApplication OR
google.admin.AdminService.addApplicationToWhitelist OR
google.admin.AdminService.changeAdvertisementOption OR
google.admin.AdminService.createAlert OR
google.admin.AdminService.changeAlertCriteria OR
google.admin.AdminService.deleteAlert OR
google.admin.AdminService.alertReceiversChanged OR
google.admin.AdminService.renameAlert OR
google.admin.AdminService.alertStatusChanged OR
google.admin.AdminService.addDomainAlias OR
google.admin.AdminService.removeDomainAlias OR
google.admin.AdminService.skipDomainAliasMx OR
google.admin.AdminService.verifyDomainAliasMx OR
google.admin.AdminService.verifyDomainAlias OR
google.admin.AdminService.toggleOauthAccessToAllApis OR
google.admin.AdminService.toggleAllowAdminPasswordReset OR
google.admin.AdminService.enableApiAccess OR
google.admin.AdminService.authorizeApiClientAccess OR
google.admin.AdminService.removeApiClientAccess OR
google.admin.AdminService.chromeLicensesRedeemed OR
google.admin.AdminService.toggleAutoAddNewService OR
google.admin.AdminService.changePrimaryDomain OR
google.admin.AdminService.changeWhitelistSetting OR
google.admin.AdminService.communicationPreferencesSettingChange OR
google.admin.AdminService.changeConflictAccountAction OR
google.admin.AdminService.enableFeedbackSolicitation OR
google.admin.AdminService.toggleContactSharing OR
google.admin.AdminService.createPlayForWorkToken OR
google.admin.AdminService.toggleUseCustomLogo OR
google.admin.AdminService.changeCustomLogo OR
google.admin.AdminService.changeDataLocalizationForRussia OR
google.admin.AdminService.changeDataLocalizationSetting OR
google.admin.AdminService.changeDataProtectionOfficerContactInfo OR
google.admin.AdminService.deletePlayForWorkToken OR
google.admin.AdminService.viewDnsLoginDetails OR
google.admin.AdminService.changeDomainDefaultLocale OR
google.admin.AdminService.changeDomainDefaultTimezone OR
google.admin.AdminService.changeDomainName OR
google.admin.AdminService.toggleEnablePreReleaseFeatures OR
google.admin.AdminService.changeDomainSupportMessage OR
google.admin.AdminService.addTrustedDomains OR
google.admin.AdminService.removeTrustedDomains OR
google.admin.AdminService.changeEduType OR
google.admin.AdminService.toggleEnableOauthConsumerKey OR
google.admin.AdminService.toggleSsoEnabled OR
google.admin.AdminService.toggleSsl OR
google.admin.AdminService.changeEuRepresentativeContactInfo OR
google.admin.AdminService.generateTransferToken OR
google.admin.AdminService.changeLoginBackgroundColor OR
google.admin.AdminService.changeLoginBorderColor OR
google.admin.AdminService.changeLoginActivityTrace OR
google.admin.AdminService.playForWorkEnroll OR
google.admin.AdminService.playForWorkUnenroll OR
google.admin.AdminService.mxRecordVerificationClaim OR
google.admin.AdminService.toggleNewAppFeatures OR
google.admin.AdminService.toggleUseNextGenControlPanel OR
google.admin.AdminService.uploadOauthCertificate OR
google.admin.AdminService.regenerateOauthConsumerSecret OR
google.admin.AdminService.toggleOpenIdEnabled OR
google.admin.AdminService.changeOrganizationName OR
google.admin.AdminService.toggleOutboundRelay OR
google.admin.AdminService.changePasswordMaxLength OR
google.admin.AdminService.changePasswordMinLength OR
google.admin.AdminService.updateDomainPrimaryAdminEmail OR
google.admin.AdminService.enableServiceOrFeatureNotifications OR
google.admin.AdminService.removeApplication OR
google.admin.AdminService.removeApplicationFromWhitelist OR
google.admin.AdminService.changeRenewDomainRegistration OR
google.admin.AdminService.changeResellerAccess OR
google.admin.AdminService.ruleActionsChanged OR
google.admin.AdminService.createRule OR
google.admin.AdminService.changeRuleCriteria OR
google.admin.AdminService.deleteRule OR
google.admin.AdminService.renameRule OR
google.admin.AdminService.ruleStatusChanged OR
google.admin.AdminService.addSecondaryDomain OR
google.admin.AdminService.removeSecondaryDomain OR
google.admin.AdminService.skipSecondaryDomainMx OR
google.admin.AdminService.verifySecondaryDomainMx OR
google.admin.AdminService.verifySecondaryDomain OR
google.admin.AdminService.updateDomainSecondaryEmail OR
google.admin.AdminService.changeSsoSettings OR
google.admin.AdminService.generatePin OR
google.admin.AdminService.updateRule OR
google.admin.AdminService.dropFromQuarantine OR
google.admin.AdminService.emailLogSearch OR
google.admin.AdminService.emailUndelete OR
google.admin.AdminService.changeEmailSetting OR
google.admin.AdminService.changeGmailSetting OR
google.admin.AdminService.createGmailSetting OR
google.admin.AdminService.deleteGmailSetting OR
google.admin.AdminService.rejectFromQuarantine OR
google.admin.AdminService.releaseFromQuarantine OR
google.admin.AdminService.createGroup OR
google.admin.AdminService.deleteGroup OR
google.admin.AdminService.changeGroupDescription OR
google.admin.AdminService.groupListDownload OR
google.admin.AdminService.addGroupMember OR
google.admin.AdminService.removeGroupMember OR
google.admin.AdminService.updateGroupMember OR
google.admin.AdminService.updateGroupMemberDeliverySettings OR
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride OR
google.admin.AdminService.groupMemberBulkUpload OR
google.admin.AdminService.groupMembersDownload OR
google.admin.AdminService.changeGroupName OR
google.admin.AdminService.changeGroupSetting OR
google.admin.AdminService.whitelistedGroupsUpdated OR
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup OR
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership OR
google.admin.AdminService.orgUsersLicenseAssignment OR
google.admin.AdminService.orgAllUsersLicenseAssignment OR
google.admin.AdminService.userLicenseAssignment OR
google.admin.AdminService.changeLicenseAutoAssign OR
google.admin.AdminService.userLicenseReassignment OR
google.admin.AdminService.orgLicenseRevoke OR
google.admin.AdminService.userLicenseRevoke OR
google.admin.AdminService.updateDynamicLicense OR
google.admin.AdminService.licenseUsageUpdate OR
google.admin.AdminService.actionCancelled OR
google.admin.AdminService.actionRequested OR
google.admin.AdminService.addMobileCertificate OR
google.admin.AdminService.companyDevicesBulkCreation OR
google.admin.AdminService.companyOwnedDeviceBlocked OR
google.admin.AdminService.companyDeviceDeletion OR
google.admin.AdminService.companyOwnedDeviceUnblocked OR
google.admin.AdminService.companyOwnedDeviceWiped OR
google.admin.AdminService.changeMobileApplicationPermissionGrant OR
google.admin.AdminService.changeMobileApplicationPriorityOrder OR
google.admin.AdminService.removeMobileApplicationFromWhitelist OR
google.admin.AdminService.changeMobileApplicationSettings OR
google.admin.AdminService.addMobileApplicationToWhitelist OR
google.admin.AdminService.mobileDeviceApprove OR
google.admin.AdminService.mobileDeviceBlock OR
google.admin.AdminService.mobileDeviceDelete OR
google.admin.AdminService.mobileDeviceWipe OR
google.admin.AdminService.changeMobileSetting OR
google.admin.AdminService.changeAdminRestrictionsPin OR
google.admin.AdminService.changeMobileWirelessNetwork OR
google.admin.AdminService.addMobileWirelessNetwork OR
google.admin.AdminService.removeMobileWirelessNetwork OR
google.admin.AdminService.changeMobileWirelessNetworkPassword OR
google.admin.AdminService.removeMobileCertificate OR
google.admin.AdminService.enrollForGoogleDeviceManagement OR
google.admin.AdminService.useGoogleMobileManagement OR
google.admin.AdminService.useGoogleMobileManagementForNonIos OR
google.admin.AdminService.useGoogleMobileManagementForIos OR
google.admin.AdminService.mobileAccountWipe OR
google.admin.AdminService.mobileDeviceCancelWipeThenApprove OR
google.admin.AdminService.mobileDeviceCancelWipeThenBlock OR
google.admin.AdminService.chromeLicensesEnabled OR
google.admin.AdminService.chromeApplicationLicenseReservationCreated OR
google.admin.AdminService.chromeApplicationLicenseReservationDeleted OR
google.admin.AdminService.chromeApplicationLicenseReservationUpdated OR
google.admin.AdminService.assignCustomLogo OR
google.admin.AdminService.unassignCustomLogo OR
google.admin.AdminService.createEnrollmentToken OR
google.admin.AdminService.revokeEnrollmentToken OR
google.admin.AdminService.chromeLicensesAllowed OR
google.admin.AdminService.createOrgUnit OR
google.admin.AdminService.removeOrgUnit OR
google.admin.AdminService.editOrgUnitDescription OR
google.admin.AdminService.moveOrgUnit OR
google.admin.AdminService.editOrgUnitName OR
-- Authentication, 2-step verification, session and OAuth app trust settings.
google.admin.AdminService.addToTrustedOauth2Apps OR
google.admin.AdminService.allowAspWithout2Sv OR
google.admin.AdminService.allowServiceForOauth2Access OR
google.admin.AdminService.allowStrongAuthentication OR
google.admin.AdminService.blockOnDeviceAccess OR
google.admin.AdminService.changeAllowedTwoStepVerificationMethods OR
google.admin.AdminService.changeAppAccessSettingsCollectionId OR
google.admin.AdminService.changeCaaAppAssignments OR
google.admin.AdminService.changeCaaDefaultAssignments OR
google.admin.AdminService.changeCaaErrorMessage OR
google.admin.AdminService.changeSessionLength OR
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration OR
google.admin.AdminService.changeTwoStepVerificationFrequency OR
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration OR
google.admin.AdminService.changeTwoStepVerificationStartDate OR
google.admin.AdminService.disallowServiceForOauth2Access OR
google.admin.AdminService.enableNonAdminUserPasswordRecovery OR
google.admin.AdminService.enforceStrongAuthentication OR
google.admin.AdminService.removeFromTrustedOauth2Apps OR
google.admin.AdminService.sessionControlSettingsChange OR
google.admin.AdminService.toggleCaaEnablement OR
google.admin.AdminService.trustDomainOwnedOauth2Apps OR
google.admin.AdminService.unblockOnDeviceAccess OR
google.admin.AdminService.untrustDomainOwnedOauth2Apps OR
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps OR
google.admin.AdminService.weakProgrammaticLoginSettingsChanged OR
google.admin.AdminService.addWebAddress OR
google.admin.AdminService.deleteWebAddress OR
google.admin.AdminService.changeSitesSetting OR
google.admin.AdminService.changeSitesWebAddressMappingUpdates OR
google.admin.AdminService.viewSiteDetails OR
-- Per-user account changes made by an administrator (credentials, recovery
-- details, privileges, profile fields, lifecycle).
google.admin.AdminService.delete2SvScratchCodes OR
google.admin.AdminService.generate2SvScratchCodes OR
google.admin.AdminService.revoke3LoDeviceTokens OR
google.admin.AdminService.revoke3LoToken OR
google.admin.AdminService.addRecoveryEmail OR
google.admin.AdminService.addRecoveryPhone OR
google.admin.AdminService.grantAdminPrivilege OR
google.admin.AdminService.revokeAdminPrivilege OR
google.admin.AdminService.revokeAsp OR
google.admin.AdminService.toggleAutomaticContactSharing OR
google.admin.AdminService.bulkUpload OR
google.admin.AdminService.bulkUploadNotificationSent OR
google.admin.AdminService.cancelUserInvite OR
google.admin.AdminService.changeUserCustomField OR
google.admin.AdminService.changeUserExternalId OR
google.admin.AdminService.changeUserGender OR
google.admin.AdminService.changeUserIm OR
google.admin.AdminService.enableUserIpWhitelist OR
google.admin.AdminService.changeUserKeyword OR
google.admin.AdminService.changeUserLanguage OR
google.admin.AdminService.changeUserLocation OR
google.admin.AdminService.changeUserOrganization OR
google.admin.AdminService.changeUserPhoneNumber OR
google.admin.AdminService.changeRecoveryEmail OR
google.admin.AdminService.changeRecoveryPhone OR
google.admin.AdminService.changeUserRelation OR
google.admin.AdminService.changeUserAddress OR
google.admin.AdminService.createEmailMonitor OR
google.admin.AdminService.createDataTransferRequest OR
google.admin.AdminService.grantDelegatedAdminPrivileges OR
google.admin.AdminService.deleteAccountInfoDump OR
google.admin.AdminService.deleteEmailMonitor OR
google.admin.AdminService.deleteMailboxDump OR
google.admin.AdminService.changeFirstName OR
google.admin.AdminService.gmailResetUser OR
google.admin.AdminService.changeLastName OR
google.admin.AdminService.mailRoutingDestinationAdded OR
google.admin.AdminService.mailRoutingDestinationRemoved OR
google.admin.AdminService.addNickname OR
google.admin.AdminService.removeNickname OR
google.admin.AdminService.changePassword OR
google.admin.AdminService.changePasswordOnNextLogin OR
google.admin.AdminService.downloadPendingInvitesList OR
google.admin.AdminService.removeRecoveryEmail OR
google.admin.AdminService.removeRecoveryPhone OR
google.admin.AdminService.requestAccountInfo OR
google.admin.AdminService.requestMailboxDump OR
google.admin.AdminService.resendUserInvite OR
google.admin.AdminService.resetSigninCookies OR
google.admin.AdminService.securityKeyRegisteredForUser OR
google.admin.AdminService.revokeSecurityKey OR
google.admin.AdminService.userInvite OR
google.admin.AdminService.viewTempPassword OR
google.admin.AdminService.turnOff2StepVerification OR
google.admin.AdminService.unblockUserSession OR
google.admin.AdminService.unenrollUserFromTitanium OR
google.admin.AdminService.archiveUser OR
google.admin.AdminService.updateBirthdate OR
google.admin.AdminService.createUser OR
google.admin.AdminService.deleteUser OR
google.admin.AdminService.downgradeUserFromGplus OR
google.admin.AdminService.userEnrolledInTwoStepVerification OR
google.admin.AdminService.downloadUserlistCsv OR
google.admin.AdminService.moveUserToOrgUnit OR
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod OR
google.admin.AdminService.renameUser OR
google.admin.AdminService.unenrollUserFromStrongAuth OR
google.admin.AdminService.suspendUser OR
google.admin.AdminService.unarchiveUser OR
google.admin.AdminService.undeleteUser OR
google.admin.AdminService.unsuspendUser OR
google.admin.AdminService.upgradeUserToGplus OR
google.admin.AdminService.usersBulkUpload OR
google.admin.AdminService.usersBulkUploadNotificationSent OR
-- Login service events: sign-in results, account-disabled and suspicious-login
-- warnings, and user-side credential or recovery edits.
google.login.LoginService.2svDisable OR
google.login.LoginService.2svEnroll OR
google.login.LoginService.accountDisabledPasswordLeak OR
google.login.LoginService.accountDisabledGeneric OR
google.login.LoginService.accountDisabledSpammingThroughRelay OR
google.login.LoginService.accountDisabledSpamming OR
google.login.LoginService.accountDisabledHijacked OR
google.login.LoginService.emailForwardingOutOfDomain OR
google.login.LoginService.govAttackWarning OR
google.login.LoginService.loginChallenge OR
google.login.LoginService.loginFailure OR
google.login.LoginService.loginVerification OR
google.login.LoginService.logout OR
google.login.LoginService.loginSuccess OR
google.login.LoginService.passwordEdit OR
google.login.LoginService.recoveryEmailEdit OR
google.login.LoginService.recoveryPhoneEdit OR
google.login.LoginService.recoverySecretQaEdit OR
google.login.LoginService.suspiciousLogin OR
google.login.LoginService.suspiciousLoginLessSecureApp OR
google.login.LoginService.suspiciousProgrammaticLogin OR
google.login.LoginService.titaniumEnroll OR
google.login.LoginService.titaniumUnenroll OR
-- OAuth2 token methods.
google.identity.oauth2.GetToken OR
google.identity.oauth2.RevokeToken OR
google.identity.oauth2.GetTokenInfo OR
-- SAML login results.
google.apps.login.v1.SamlLoginFailed OR
google.apps.login.v1.SamlLoginSucceeded)