Google Apps Audit Log
Google Apps for Work provides a robust audit trail to both Standard and Unlimited accounts. By default, the feature is only available to Admins. Non-admin users have no way to view their personal audit history. Google categorizes their audit trail as a type of report, so it is available under the Reports menu.
For the Standard Plan, audit logs are available for Admin activities, Logins, Calendar activities, Tokens, Groups, and Email log search. Unlimited admins are also able to access audit logs for Mobile and Drive (which we’ll get into later). Noticeably missing is any audit log activity for Hangouts (videos or chats). Google+ also doesn’t appear to have audit logs but that could just be a function of no one having ever used it.
The execution of the audit logs as shown below is actually quite good. The Calendar audit log is a great example of how audit logs should be done. The information is clearly presented:
With options for which columns to include in the report:
As well as a detailed filtering & date ranging option:
Any report can be exported to either CSV or directly into a Google Sheet:
The main functionality that the Google Apps Calendar Audit Log appears to be missing is the ability to access this information from the Reports API.
Standard Admins do have access to some of the Audit Logs via the Reports API (today this includes Admin activity, Logins and Tokens). Unlimited Admins can access Drive and Mobile audit logs from the API. Having API access is an important feature as it allows companies to move this into unified logging systems like Splunk to create a holistic view of user activity.
For Google Apps Unlimited the audit log for Drive is even more detailed in that it logs View events. I.e., every time a Google Doc is viewed, that view is logged for administrative use (IP address does not appear to be included with view events).
Google Apps does provide insights into the retention policy & lag times for all audit events. However, this lag time can cast some doubt on the reliability of the logs. Also, given that the audit log is only covered with a 99.9% SLA there is room for additional errors.
The detail provided about the mechanics of the Drive Audit Log gives some insight into the difficulty of delivering truly accurate logs. However, it is better to disclose known issues than to keep this information hidden from customers.
Google Apps doesn’t provide much insight into the immutable nature of these logs or try to prove immutability in any way. There is also a gap in the time-synced nature of these logs as they only provide detail down to the millisecond if the API is used to gather the data. If a report is downloaded, this information is excluded and could prove to not be enough detail for true sequencing when integrating with additional log sources. It also appears that there is no way to validate the server time was synced with NTP.
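To make the API-versus-download point concrete, here is an added example (not code from the original post or from Google) that takes a Reports API style activity response, flattens each event into one record for a unified logging system, keeps the millisecond timestamp the API provides, and then shows how many of those events would become indistinguishable in order once timestamps are truncated to whole seconds, as in a downloaded report. The sample payload is constructed and only modelled on the shape of the Admin SDK Reports API `activities.list` response; the event names and parameter names (`login_success`, `view`, `doc_id`, and so on) are assumptions used for illustration, not verified field values.

```python
"""Flatten Google Apps Reports API activity records for unified logging.

Added example: the payload below is constructed, modelled on the shape of
the Admin SDK Reports API activities.list response. Event and parameter
names are assumptions for illustration only.
"""
import json
from datetime import datetime

# Constructed sample: three activities for one user, all within the same
# second, so ordering depends on the millisecond part the API provides.
SAMPLE_RESPONSE = json.loads(r'''
{
  "kind": "admin#reports#activities",
  "items": [
    {"id": {"time": "2015-06-01T14:03:07.412Z", "uniqueQualifier": "1001",
            "applicationName": "login", "customerId": "C0placeholder"},
     "actor": {"callerType": "USER", "email": "alice@example.com", "profileId": "111"},
     "ipAddress": "203.0.113.10",
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2015-06-01T14:03:07.980Z", "uniqueQualifier": "1002",
            "applicationName": "drive", "customerId": "C0placeholder"},
     "actor": {"callerType": "USER", "email": "alice@example.com", "profileId": "111"},
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_id", "value": "doc-placeholder-1"},
                                {"name": "doc_title", "value": "Q2 plan"},
                                {"name": "visibility", "value": "private"}]}]},
    {"id": {"time": "2015-06-01T14:03:07.105Z", "uniqueQualifier": "1000",
            "applicationName": "login", "customerId": "C0placeholder"},
     "actor": {"callerType": "USER", "email": "alice@example.com", "profileId": "111"},
     "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]}
  ]
}
''')


def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp, keeping the fractional seconds."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def flatten(response):
    """Turn every event of every activity into one flat, SIEM-friendly record."""
    records = []
    for item in response.get("items", []):
        when = parse_rfc3339(item["id"]["time"])
        base = {
            "time": when.isoformat(timespec="milliseconds"),
            "epoch_ms": round(when.timestamp() * 1000),
            "unique_qualifier": item["id"]["uniqueQualifier"],
            "application": item["id"]["applicationName"],
            "actor": item.get("actor", {}).get("email"),
            "ip": item.get("ipAddress"),  # absent on Drive view events in the sample
        }
        for ev in item.get("events", []):
            rec = dict(base)
            rec["event_type"] = ev.get("type")
            rec["event_name"] = ev.get("name")
            for p in ev.get("parameters", []):
                # A parameter carries one of value / intValue / boolValue / multiValue.
                val = p.get("value", p.get("intValue", p.get("boolValue", p.get("multiValue"))))
                rec["param_" + p["name"]] = val
            records.append(rec)
    return records


def sequence(records):
    """Order records by millisecond time, with uniqueQualifier as a stable tiebreaker."""
    return sorted(records, key=lambda r: (r["epoch_ms"], r["unique_qualifier"]))


def to_jsonl(records):
    """One JSON object per line, the form most log collectors ingest directly."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def second_granularity_collisions(records):
    """Map each whole second to the number of events in it, for seconds holding
    more than one event. These are the events whose relative order is lost when
    a report is exported with second-level timestamps instead of the API's
    millisecond ones."""
    by_second = {}
    for r in records:
        by_second.setdefault(r["epoch_ms"] // 1000, []).append(r)
    return {sec: len(rs) for sec, rs in by_second.items() if len(rs) > 1}


if __name__ == "__main__":
    recs = sequence(flatten(SAMPLE_RESPONSE))
    print(to_jsonl(recs))
    print("ambiguous seconds:", second_granularity_collisions(recs))
```

In the constructed sample the failed login, the successful login and the document view all land in the same second; only the millisecond component from the API puts them in the right order, which is exactly the sequencing detail lost when the same data is pulled from a downloaded report.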
Provide a change log of the things that are added to the audit log over time.