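This document provides a conceptual overview of the audit logs that Google Workspace provides as part of Cloud Audit Logs.
For information about managing your Google Workspace audit logs, see View and manage audit logs for Google Workspace.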
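Overview
Google Cloud services write audit logs to help you answer the questions "Who did what, where, and when?". You can share your Google Workspace audit logs with Google Cloud to store, analyze, monitor, and alert on your Google Workspace data.
Audit logs for Google Workspace are available to Cloud Identity, Cloud Identity Premium, and all Google Workspace customers.
If you have enabled sharing Google Workspace data with Google Cloud, audit logs are always enabled for Google Workspace.
Disabling Google Workspace data sharing stops new Google Workspace audit log events from being sent to Google Cloud. Existing logs are kept for the default retention period, unless you have configured custom retention to keep the logs longer.
If you haven't enabled sharing Google Workspace data with Google Cloud, you can't view audit logs for Google Workspace in Google Cloud.
Note: Some Enterprise Groups audit membership changes automatically populate the principalEmail field in the audit log with cloud-support@google.com. For example, if a user's membership expires and the system automatically removes the user from the group, the audit log might show cloud-support@google.com as the principal that removed the user from the group.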
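Types of audit logs
Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management (IAM) permissions.
Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs don't record data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users), or on resources that can be accessed without signing in to a Google Cloud, Google Workspace, Cloud Identity, or Drive Enterprise account.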
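Google Workspace services forwarding audit logs to Google Cloud
Google Workspace provides the following audit logs at the Google Cloud organization level:
Access Transparency: Access Transparency logs record the actions that Google personnel take when accessing customer content in your Google Workspace resources. In contrast to Access Transparency, Cloud Audit Logs records the actions that members of your Google Cloud organization take in your Google Cloud resources.
For more information about the structure of Access Transparency logs and the types of access that are logged, see Log field descriptions.
Google Workspace Admin Audit: Admin audit logs provide a record of actions performed in the Google Admin console. For example, you can see when an administrator added a user or turned on a Google Workspace service.
Admin Audit writes Admin Activity audit logs only.
Note: Changes to group settings are recorded in the Google Workspace Enterprise Groups audit logs unless you use the Google Admin console. When you use the Google Admin console, changes to group settings are recorded in the Google Workspace Admin audit logs. For example, if you change a group's email address in groups.google.com, the change is recorded in the Google Workspace Enterprise Groups audit logs.
Google Workspace Enterprise Groups Audit: Enterprise Groups audit logs provide a record of actions performed on groups and group memberships. For example, you can see when an administrator added a user, or when a group owner deleted their group.
Enterprise Groups Audit writes Admin Activity audit logs only.
Google Workspace Login Audit: Login audit logs track user sign-ins to your domain. These logs record only the login event. They don't record which system was used to perform the login action.
Login Audit writes Data Access audit logs only.
Google Workspace OAuth Token Audit: OAuth token audit logs track which users are using which third-party mobile or web applications in your domain. For example, when a user opens a Google Workspace Marketplace app, the log records the name of the app and the person using it. The log also records each time a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only).
OAuth Token Audit writes both Admin Activity and Data Access audit logs.
Google Workspace SAML Audit: SAML audit logs track users' successful and failed sign-ins to SAML applications. Entries usually appear within 1 hour of the user action.
SAML Audit writes Data Access audit logs only.
Service-specific information
Details for each Google Workspace service's audit logs are as follows: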
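Google Workspace Admin Activity
Google Workspace Admin Audit audit logs use the resource type audited_resource for all audit logs.
Google Workspace Admin Audit audit logs use the service name admin.googleapis.com.
Google Workspace Admin Audit writes Admin Activity audit logs only. The following are the audited operations:
Activity type
AuditLog.method_name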
AI_CLASSIFICATION_SETTINGS
google.admin.AdminService.aiClassificationInsufficientTrainingExamples
google.admin.AdminService.aiClassificationModelLowScore
google.admin.AdminService.aiClassificationNewModelReady
ALERT_CENTER
google.admin.AdminService.alertCenterBatchDeleteAlerts
google.admin.AdminService.alertCenterBatchUndeleteAlerts
google.admin.AdminService.alertCenterCreateAlert
google.admin.AdminService.alertCenterCreateFeedback
google.admin.AdminService.alertCenterDeleteAlert
google.admin.AdminService.alertCenterGetAlertMetadata
google.admin.AdminService.alertCenterGetCustomerSettings
google.admin.AdminService.alertCenterGetSitLink
google.admin.AdminService.alertCenterListChange
google.admin.AdminService.alertCenterListFeedback
google.admin.AdminService.alertCenterListRelatedAlerts
google.admin.AdminService.alertCenterUndeleteAlert
google.admin.AdminService.alertCenterUpdateAlert
google.admin.AdminService.alertCenterUpdateAlertMetadata
google.admin.AdminService.alertCenterUpdateCustomerSettings
google.admin.AdminService.alertCenterView
APPLICATION_SETTINGS
google.admin.AdminService.changeApplicationSetting
google.admin.AdminService.createApplicationSetting
google.admin.AdminService.deleteApplicationSetting
google.admin.AdminService.reorderGroupBasedPoliciesEvent
google.admin.AdminService.gplusPremiumFeatures
google.admin.AdminService.createManagedConfiguration
google.admin.AdminService.deleteManagedConfiguration
google.admin.AdminService.updateManagedConfiguration
google.admin.AdminService.flashlightEduNonFeaturedServicesSelected
CALENDAR_SETTINGS
google.admin.AdminService.createBuilding
google.admin.AdminService.deleteBuilding
google.admin.AdminService.updateBuilding
google.admin.AdminService.createCalendarResource
google.admin.AdminService.deleteCalendarResource
google.admin.AdminService.createCalendarResourceFeature
google.admin.AdminService.deleteCalendarResourceFeature
google.admin.AdminService.updateCalendarResourceFeature
google.admin.AdminService.renameCalendarResource
google.admin.AdminService.updateCalendarResource
google.admin.AdminService.changeCalendarSetting
google.admin.AdminService.cancelCalendarEvents
google.admin.AdminService.releaseCalendarResources
CHAT_SETTINGS
google.admin.AdminService.meetInteropCreateGateway
google.admin.AdminService.meetInteropDeleteGateway
google.admin.AdminService.meetInteropModifyGateway
google.admin.AdminService.changeChatSetting
CHROME_OS_SETTINGS
google.admin.AdminService.changeChromeOsAndroidApplicationSetting
google.admin.AdminService.changeChromeOsApplicationSetting
google.admin.AdminService.sendChromeOsDeviceCommand
google.admin.AdminService.changeChromeOsDeviceAnnotation
google.admin.AdminService.changeChromeOsDeviceSetting
google.admin.AdminService.changeChromeOsDeviceState
google.admin.AdminService.changeChromeOsPublicSessionSetting
google.admin.AdminService.insertChromeOsPrinter
google.admin.AdminService.deleteChromeOsPrinter
google.admin.AdminService.updateChromeOsPrinter
google.admin.AdminService.changeChromeOsSetting
google.admin.AdminService.changeChromeOsUserSetting
google.admin.AdminService.removeChromeOsApplicationSettings
CONTACTS_SETTINGS
google.admin.AdminService.changeContactsSetting
DELEGATED_ADMIN_SETTINGS
google.admin.AdminService.assignRole
google.admin.AdminService.createRole
google.admin.AdminService.deleteRole
google.admin.AdminService.addPrivilege
google.admin.AdminService.removePrivilege
google.admin.AdminService.renameRole
google.admin.AdminService.updateRole
google.admin.AdminService.unassignRole
DEVICE_SETTINGS
google.admin.AdminService.deleteDevice
google.admin.AdminService.moveDeviceToOrgUnit
DOCS_SETTINGS
google.admin.AdminService.transferDocumentOwnership
google.admin.AdminService.driveDataRestore
google.admin.AdminService.changeDocsSetting
DOMAIN_SETTINGS
google.admin.AdminService.changeAccountAutoRenewal
google.admin.AdminService.addApplication
google.admin.AdminService.addApplicationToWhitelist
google.admin.AdminService.changeAdvertisementOption
google.admin.AdminService.createAlert
google.admin.AdminService.changeAlertCriteria
google.admin.AdminService.deleteAlert
google.admin.AdminService.alertReceiversChanged
google.admin.AdminService.renameAlert
google.admin.AdminService.alertStatusChanged
google.admin.AdminService.addDomainAlias
google.admin.AdminService.removeDomainAlias
google.admin.AdminService.skipDomainAliasMx
google.admin.AdminService.verifyDomainAliasMx
google.admin.AdminService.verifyDomainAlias
google.admin.AdminService.toggleOauthAccessToAllApis
google.admin.AdminService.toggleAllowAdminPasswordReset
google.admin.AdminService.enableApiAccess
google.admin.AdminService.authorizeApiClientAccess
google.admin.AdminService.removeApiClientAccess
google.admin.AdminService.chromeLicensesRedeemed
google.admin.AdminService.toggleAutoAddNewService
google.admin.AdminService.changePrimaryDomain
google.admin.AdminService.changeWhitelistSetting
google.admin.AdminService.communicationPreferencesSettingChange
google.admin.AdminService.changeConflictAccountAction
google.admin.AdminService.enableFeedbackSolicitation
google.admin.AdminService.toggleContactSharing
google.admin.AdminService.createPlayForWorkToken
google.admin.AdminService.toggleUseCustomLogo
google.admin.AdminService.changeCustomLogo
google.admin.AdminService.changeDataLocalizationForRussia
google.admin.AdminService.changeDataLocalizationSetting
google.admin.AdminService.changeDataProtectionOfficerContactInfo
google.admin.AdminService.deletePlayForWorkToken
google.admin.AdminService.viewDnsLoginDetails
google.admin.AdminService.changeDomainDefaultLocale
google.admin.AdminService.changeDomainDefaultTimezone
google.admin.AdminService.changeDomainName
google.admin.AdminService.toggleEnablePreReleaseFeatures
google.admin.AdminService.changeDomainSupportMessage
google.admin.AdminService.addTrustedDomains
google.admin.AdminService.removeTrustedDomains
google.admin.AdminService.changeEduType
google.admin.AdminService.toggleEnableOauthConsumerKey
google.admin.AdminService.toggleSsoEnabled
google.admin.AdminService.toggleSsl
google.admin.AdminService.changeEuRepresentativeContactInfo
google.admin.AdminService.generateTransferToken
google.admin.AdminService.changeLoginBackgroundColor
google.admin.AdminService.changeLoginBorderColor
google.admin.AdminService.changeLoginActivityTrace
google.admin.AdminService.playForWorkEnroll
google.admin.AdminService.playForWorkUnenroll
google.admin.AdminService.mxRecordVerificationClaim
google.admin.AdminService.toggleNewAppFeatures
google.admin.AdminService.toggleUseNextGenControlPanel
google.admin.AdminService.uploadOauthCertificate
google.admin.AdminService.regenerateOauthConsumerSecret
google.admin.AdminService.toggleOpenIdEnabled
google.admin.AdminService.changeOrganizationName
google.admin.AdminService.toggleOutboundRelay
google.admin.AdminService.changePasswordMaxLength
google.admin.AdminService.changePasswordMinLength
google.admin.AdminService.updateDomainPrimaryAdminEmail
google.admin.AdminService.enableServiceOrFeatureNotifications
google.admin.AdminService.removeApplication
google.admin.AdminService.removeApplicationFromWhitelist
google.admin.AdminService.changeRenewDomainRegistration
google.admin.AdminService.changeResellerAccess
google.admin.AdminService.ruleActionsChanged
google.admin.AdminService.createRule
google.admin.AdminService.changeRuleCriteria
google.admin.AdminService.deleteRule
google.admin.AdminService.renameRule
google.admin.AdminService.ruleStatusChanged
google.admin.AdminService.addSecondaryDomain
google.admin.AdminService.removeSecondaryDomain
google.admin.AdminService.skipSecondaryDomainMx
google.admin.AdminService.verifySecondaryDomainMx
google.admin.AdminService.verifySecondaryDomain
google.admin.AdminService.updateDomainSecondaryEmail
google.admin.AdminService.changeSsoSettings
google.admin.AdminService.generatePin
google.admin.AdminService.updateRule
EMAIL_SETTINGS
google.admin.AdminService.dropFromQuarantine
google.admin.AdminService.emailLogSearch
google.admin.AdminService.emailUndelete
google.admin.AdminService.changeEmailSetting
google.admin.AdminService.changeGmailSetting
google.admin.AdminService.createGmailSetting
google.admin.AdminService.deleteGmailSetting
google.admin.AdminService.rejectFromQuarantine
google.admin.AdminService.releaseFromQuarantine
GROUP_SETTINGS
google.admin.AdminService.createGroup
google.admin.AdminService.deleteGroup
google.admin.AdminService.changeGroupDescription
google.admin.AdminService.groupListDownload
google.admin.AdminService.addGroupMember
google.admin.AdminService.removeGroupMember
google.admin.AdminService.updateGroupMember
google.admin.AdminService.updateGroupMemberDeliverySettings
google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride
google.admin.AdminService.groupMemberBulkUpload
google.admin.AdminService.groupMembersDownload
google.admin.AdminService.changeGroupEmail
google.admin.AdminService.changeGroupName
google.admin.AdminService.changeGroupSetting
google.admin.AdminService.whitelistedGroupsUpdated
LABELS
google.admin.AdminService.labelDeleted
google.admin.AdminService.labelDisabled
google.admin.AdminService.labelReenabled
google.admin.AdminService.labelPermissionUpdated
google.admin.AdminService.labelPermissionDeleted
google.admin.AdminService.labelPublished
google.admin.AdminService.labelCreated
google.admin.AdminService.labelUpdated
LICENSES_SETTINGS
google.admin.AdminService.orgUsersLicenseAssignment
google.admin.AdminService.orgAllUsersLicenseAssignment
google.admin.AdminService.userLicenseAssignment
google.admin.AdminService.changeLicenseAutoAssign
google.admin.AdminService.userLicenseReassignment
google.admin.AdminService.orgLicenseRevoke
google.admin.AdminService.userLicenseRevoke
google.admin.AdminService.updateDynamicLicense
google.admin.AdminService.licenseUsageUpdate
MOBILE_SETTINGS
google.admin.AdminService.actionCancelled
google.admin.AdminService.actionRequested
google.admin.AdminService.addMobileCertificate
google.admin.AdminService.companyDevicesBulkCreation
google.admin.AdminService.companyOwnedDeviceBlocked
google.admin.AdminService.companyDeviceDeletion
google.admin.AdminService.companyOwnedDeviceUnblocked
google.admin.AdminService.companyOwnedDeviceWiped
google.admin.AdminService.changeMobileApplicationPermissionGrant
google.admin.AdminService.changeMobileApplicationPriorityOrder
google.admin.AdminService.removeMobileApplicationFromWhitelist
google.admin.AdminService.changeMobileApplicationSettings
google.admin.AdminService.addMobileApplicationToWhitelist
google.admin.AdminService.mobileDeviceApprove
google.admin.AdminService.mobileDeviceBlock
google.admin.AdminService.mobileDeviceDelete
google.admin.AdminService.mobileDeviceWipe
google.admin.AdminService.changeMobileSetting
google.admin.AdminService.changeAdminRestrictionsPin
google.admin.AdminService.changeMobileWirelessNetwork
google.admin.AdminService.addMobileWirelessNetwork
google.admin.AdminService.removeMobileWirelessNetwork
google.admin.AdminService.changeMobileWirelessNetworkPassword
google.admin.AdminService.removeMobileCertificate
google.admin.AdminService.enrollForGoogleDeviceManagement
google.admin.AdminService.useGoogleMobileManagement
google.admin.AdminService.useGoogleMobileManagementForNonIos
google.admin.AdminService.useGoogleMobileManagementForIos
google.admin.AdminService.mobileAccountWipe
google.admin.AdminService.mobileDeviceCancelWipeThenApprove
google.admin.AdminService.mobileDeviceCancelWipeThenBlock
ORG_SETTINGS
google.admin.AdminService.chromeLicensesEnabled
google.admin.AdminService.chromeApplicationLicenseReservationCreated
google.admin.AdminService.chromeApplicationLicenseReservationDeleted
google.admin.AdminService.chromeApplicationLicenseReservationUpdated
google.admin.AdminService.assignCustomLogo
google.admin.AdminService.unassignCustomLogo
google.admin.AdminService.createEnrollmentToken
google.admin.AdminService.revokeEnrollmentToken
google.admin.AdminService.chromeLicensesAllowed
google.admin.AdminService.createOrgUnit
google.admin.AdminService.removeOrgUnit
google.admin.AdminService.editOrgUnitDescription
google.admin.AdminService.moveOrgUnit
google.admin.AdminService.editOrgUnitName
google.admin.AdminService.toggleServiceEnabled
SECURITY_INVESTIGATION
google.admin.AdminService.securityInvestigationAction
google.admin.AdminService.securityInvestigationActionCancellation
google.admin.AdminService.securityInvestigationActionCompletion
google.admin.AdminService.securityInvestigationActionRetry
google.admin.AdminService.securityInvestigationActionVerificationConfirmation
google.admin.AdminService.securityInvestigationActionVerificationRequest
google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration
google.admin.AdminService.securityInvestigationChartCreate
google.admin.AdminService.securityInvestigationContentAccess
google.admin.AdminService.securityInvestigationDownloadAttachment
google.admin.AdminService.securityInvestigationExportActionResults
google.admin.AdminService.securityInvestigationExportQuery
google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation
google.admin.AdminService.securityInvestigationObjectDeleteInvestigation
google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation
google.admin.AdminService.securityInvestigationObjectOwnershipTransfer
google.admin.AdminService.securityInvestigationObjectSaveInvestigation
google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing
google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing
google.admin.AdminService.securityInvestigationQuery
google.admin.AdminService.securityInvestigationSettingUpdate
SECURITY_SETTINGS
google.admin.AdminService.addToTrustedOauth2Apps
google.admin.AdminService.allowAspWithout2Sv
google.admin.AdminService.allowServiceForOauth2Access
google.admin.AdminService.allowStrongAuthentication
google.admin.AdminService.blockOnDeviceAccess
google.admin.AdminService.changeAllowedTwoStepVerificationMethods
google.admin.AdminService.changeAppAccessSettingsCollectionId
google.admin.AdminService.changeCaaAppAssignments
google.admin.AdminService.changeCaaDefaultAssignments
google.admin.AdminService.changeCaaErrorMessage
google.admin.AdminService.changeSessionLength
google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration
google.admin.AdminService.changeTwoStepVerificationFrequency
google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration
google.admin.AdminService.changeTwoStepVerificationStartDate
google.admin.AdminService.disallowServiceForOauth2Access
google.admin.AdminService.enableNonAdminUserPasswordRecovery
google.admin.AdminService.enforceStrongAuthentication
google.admin.AdminService.removeFromTrustedOauth2Apps
google.admin.AdminService.sessionControlSettingsChange
google.admin.AdminService.toggleCaaEnablement
google.admin.AdminService.trustDomainOwnedOauth2Apps
google.admin.AdminService.unblockOnDeviceAccess
google.admin.AdminService.untrustDomainOwnedOauth2Apps
google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps
google.admin.AdminService.weakProgrammaticLoginSettingsChanged
SITES_SETTINGS
google.admin.AdminService.addWebAddress
google.admin.AdminService.deleteWebAddress
google.admin.AdminService.changeSitesSetting
google.admin.AdminService.changeSitesWebAddressMappingUpdates
google.admin.AdminService.viewSiteDetails
USER_SETTINGS
google.admin.AdminService.delete2SvScratchCodes
google.admin.AdminService.generate2SvScratchCodes
google.admin.AdminService.revoke3LoDeviceTokens
google.admin.AdminService.revoke3LoToken
google.admin.AdminService.addRecoveryEmail
google.admin.AdminService.addRecoveryPhone
google.admin.AdminService.grantAdminPrivilege
google.admin.AdminService.revokeAdminPrivilege
google.admin.AdminService.revokeAsp
google.admin.AdminService.toggleAutomaticContactSharing
google.admin.AdminService.bulkUpload
google.admin.AdminService.bulkUploadNotificationSent
google.admin.AdminService.cancelUserInvite
google.admin.AdminService.changeUserCustomField
google.admin.AdminService.changeUserExternalId
google.admin.AdminService.changeUserGender
google.admin.AdminService.changeUserIm
google.admin.AdminService.enableUserIpWhitelist
google.admin.AdminService.changeUserKeyword
google.admin.AdminService.changeUserLanguage
google.admin.AdminService.changeUserLocation
google.admin.AdminService.changeUserOrganization
google.admin.AdminService.changeUserPhoneNumber
google.admin.AdminService.changeRecoveryEmail
google.admin.AdminService.changeRecoveryPhone
google.admin.AdminService.changeUserRelation
google.admin.AdminService.changeUserAddress
google.admin.AdminService.createEmailMonitor
google.admin.AdminService.createDataTransferRequest
google.admin.AdminService.grantDelegatedAdminPrivileges
google.admin.AdminService.deleteAccountInfoDump
google.admin.AdminService.deleteEmailMonitor
google.admin.AdminService.deleteMailboxDump
google.admin.AdminService.changeFirstName
google.admin.AdminService.gmailResetUser
google.admin.AdminService.changeLastName
google.admin.AdminService.mailRoutingDestinationAdded
google.admin.AdminService.mailRoutingDestinationRemoved
google.admin.AdminService.addNickname
google.admin.AdminService.removeNickname
google.admin.AdminService.changePassword
google.admin.AdminService.changePasswordOnNextLogin
google.admin.AdminService.downloadPendingInvitesList
google.admin.AdminService.removeRecoveryEmail
google.admin.AdminService.removeRecoveryPhone
google.admin.AdminService.requestAccountInfo
google.admin.AdminService.requestMailboxDump
google.admin.AdminService.resendUserInvite
google.admin.AdminService.resetSigninCookies
google.admin.AdminService.securityKeyRegisteredForUser
google.admin.AdminService.revokeSecurityKey
google.admin.AdminService.userInvite
google.admin.AdminService.viewTempPassword
google.admin.AdminService.turnOff2StepVerification
google.admin.AdminService.unblockUserSession
google.admin.AdminService.unenrollUserFromTitanium
google.admin.AdminService.archiveUser
google.admin.AdminService.updateBirthdate
google.admin.AdminService.createUser
google.admin.AdminService.deleteUser
google.admin.AdminService.downgradeUserFromGplus
google.admin.AdminService.userEnrolledInTwoStepVerification
google.admin.AdminService.downloadUserlistCsv
google.admin.AdminService.moveUserToOrgUnit
google.admin.AdminService.userPutInTwoStepVerificationGracePeriod
google.admin.AdminService.renameUser
google.admin.AdminService.unenrollUserFromStrongAuth
google.admin.AdminService.suspendUser
google.admin.AdminService.unarchiveUser
google.admin.AdminService.undeleteUser
google.admin.AdminService.unsuspendUser
google.admin.AdminService.upgradeUserToGplus
google.admin.AdminService.usersBulkUpload
google.admin.AdminService.usersBulkUploadNotificationSent
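Google Workspace Enterprise Groups
Google Workspace Enterprise Groups Audit audit logs all use the resource type audited_resource.
Google Workspace Enterprise Groups Audit audit logs use the service name cloudidentity.googleapis.com.
Google Workspace Enterprise Groups Audit writes Admin Activity audit logs only. The following are the audited operations:
Audit log category
AuditLog.method_name
Admin Activity audit logs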
google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup
google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership
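Google Workspace Login Audit
All Google Workspace Login Audit audit logs use the resource type audited_resource.
Google Workspace Login Audit audit logs use the service name login.googleapis.com.
Google Workspace Login Audit writes Data Access audit logs only. The following are the audited operations; log samples are available for each operation.
Audit log category
AuditLog.method_name
Data Access audit logs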
google.login.LoginService.2svDisable
google.login.LoginService.2svEnroll
google.login.LoginService.accountDisabledPasswordLeak
google.login.LoginService.accountDisabledGeneric
google.login.LoginService.accountDisabledSpammingThroughRelay
google.login.LoginService.accountDisabledSpamming
google.login.LoginService.accountDisabledHijacked
google.login.LoginService.emailForwardingOutOfDomain
google.login.LoginService.govAttackWarning
google.login.LoginService.loginChallenge
google.login.LoginService.loginFailure
google.login.LoginService.loginVerification
google.login.LoginService.logout
google.login.LoginService.loginSuccess
google.login.LoginService.passwordEdit
google.login.LoginService.recoveryEmailEdit
google.login.LoginService.recoveryPhoneEdit
google.login.LoginService.recoverySecretQaEdit
google.login.LoginService.riskySensitiveActionAllowed
google.login.LoginService.riskySensitiveActionBlocked
google.login.LoginService.suspiciousLogin
google.login.LoginService.suspiciousLoginLessSecureApp
google.login.LoginService.suspiciousProgrammaticLogin
google.login.LoginService.titaniumEnroll
google.login.LoginService.titaniumUnenroll
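Google Workspace OAuth Token
Google Workspace OAuth Token Audit audit logs use the resource type audited_resource for all audit logs.
Google Workspace OAuth Token Audit audit logs use the service name oauth2.googleapis.com.
Google Workspace OAuth Token Audit writes both Admin Activity and Data Access audit logs. The following are the audited operations:
Audit log category
AuditLog.method_name
Admin Activity audit logs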
google.identity.oauth2.Deny
google.identity.oauth2.GetToken
google.identity.oauth2.Request
google.identity.oauth2.RevokeToken
Data Access audit logs
google.identity.oauth2.GetTokenInfo
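Google Workspace SAML
Google Workspace SAML Audit audit logs all use the resource type audited_resource.
Google Workspace SAML Audit audit logs use the service name login.googleapis.com.
Google Workspace SAML Audit writes Data Access audit logs only. The following are the audited operations:
Audit log category
AuditLog.method_name
Data Access audit logs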
google.apps.login.v1.SamlLoginFailed
google.apps.login.v1.SamlLoginSucceeded
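An added example, not Google's code: Login Audit and SAML Audit share the service name login.googleapis.com, so this sketch identifies the audit source from serviceName plus the methodName prefix, checks that the entry sits in a log type this page says the source writes, and marks group changes attributed to cloud-support@google.com as possibly automated. The WATCHLIST selection, the source labels, and the sample entries are assumptions of this example; the `%2Factivity` log name suffix is the standard Admin Activity log name and does not appear on this page.

```python
SYSTEM_PRINCIPAL = "cloud-support@google.com"

# (serviceName, methodName prefix, source label, log types the source writes)
SOURCES = [
    ("admin.googleapis.com", "google.admin.AdminService.",
     "admin", {"activity"}),
    ("cloudidentity.googleapis.com", "google.apps.cloudidentity.groups.v1.",
     "enterprise_groups", {"activity"}),
    ("login.googleapis.com", "google.login.LoginService.",
     "login", {"data_access"}),
    ("login.googleapis.com", "google.apps.login.v1.",
     "saml", {"data_access"}),
    ("oauth2.googleapis.com", "google.identity.oauth2.",
     "oauth_token", {"activity", "data_access"}),
]

# Illustrative subset of the methods listed on this page (an assumption).
WATCHLIST = {
    "google.admin.AdminService.turnOff2StepVerification",
    "google.admin.AdminService.grantAdminPrivilege",
    "google.admin.AdminService.assignRole",
    "google.admin.AdminService.changeSsoSettings",
    "google.admin.AdminService.authorizeApiClientAccess",
    "google.login.LoginService.suspiciousLogin",
    "google.login.LoginService.accountDisabledHijacked",
    "google.login.LoginService.govAttackWarning",
    "google.login.LoginService.emailForwardingOutOfDomain",
}


def log_type(log_name):
    """Return 'activity' or 'data_access' from a Cloud Audit Logs logName."""
    parts = log_name.rsplit("cloudaudit.googleapis.com%2F", 1)
    return parts[1] if len(parts) == 2 else None


def triage(entry):
    """Classify one audit log entry and attach triage flags."""
    payload = entry.get("protoPayload", {})
    service = payload.get("serviceName", "")
    method = payload.get("methodName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    stream = log_type(entry.get("logName", ""))
    source, expected = None, set()
    for svc, prefix, label, streams in SOURCES:
        if service == svc and method.startswith(prefix):
            source, expected = label, streams
            break
    return {
        "source": source,
        "stream": stream,
        "watchlisted": method in WATCHLIST,
        # A known source in a log type it should not write deserves a look.
        "unexpected_stream": source is not None and stream not in expected,
        # Expired memberships are removed by the system under this principal.
        "possibly_automated": (source == "enterprise_groups"
                               and principal == SYSTEM_PRINCIPAL),
    }


def make_entry(service, method, principal, stream):
    """Build a constructed sample entry with only the fields triage() reads."""
    return {
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2F" + stream,
    }


# Constructed sample entries (not real log data).
SAMPLES = [
    make_entry("admin.googleapis.com",
               "google.admin.AdminService.turnOff2StepVerification",
               "admin@example.net", "activity"),
    make_entry("cloudidentity.googleapis.com",
               "google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership",
               SYSTEM_PRINCIPAL, "activity"),
    make_entry("login.googleapis.com", "google.apps.login.v1.SamlLoginFailed",
               "test-user@example.net", "data_access"),
    make_entry("login.googleapis.com", "google.login.LoginService.suspiciousLogin",
               "test-user@example.net", "activity"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["protoPayload"]["methodName"], triage(sample))
```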
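Audit log permissions
IAM permissions and roles determine your ability to access audit log data in the Logging API, the Logs Explorer, and the Google Cloud CLI.
For details about the organization-level IAM permissions and roles that you might need, see Access control with IAM.
Google Workspace audit log entries include the following object:
The protoPayload.metadata field contains the audited Google Workspace information. The following is an example of a login audit log: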
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.net"
    },
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginFailure",
    "resourceName": "organizations/123",
    "metadata": {
      "event": [
        {
          "eventName": "login_failure",
          "eventType": "login",
          "parameter": [
            {
              "value": "google_password",
              "type": "TYPE_STRING",
              "name": "login_type"
            },
            {
              "name": "login_challenge_method",
              "type": "TYPE_STRING",
              "label": "LABEL_REPEATED",
              "multiStrValue": [
                "password",
                "idv_preregistered_phone",
                "idv_preregistered_phone"
              ]
            }
          ]
        }
      ],
      "activityId": {
        "uniqQualifier": "358068855354",
        "timeUsec": "1632500217183212"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-nahbepd4l1x",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.loginFailure",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T16:16:57.183212Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}
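The following added example (not part of the original documentation) flattens the protoPayload.metadata parameters of the login entry above into a dictionary and measures the gap between timestamp and receiveTimestamp, which bounds how soon a detection rule can see the event. The function names and the trimmed SAMPLE_ENTRY are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: a trimmed copy of the login audit entry shown on this page.
SAMPLE_ENTRY = {
    "protoPayload": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginFailure",
        "authenticationInfo": {"principalEmail": "test-user@example.net"},
        "metadata": {
            "event": [{
                "eventName": "login_failure",
                "eventType": "login",
                "parameter": [
                    {"name": "login_type", "type": "TYPE_STRING",
                     "value": "google_password"},
                    {"name": "login_challenge_method", "type": "TYPE_STRING",
                     "label": "LABEL_REPEATED",
                     "multiStrValue": ["password", "idv_preregistered_phone",
                                       "idv_preregistered_phone"]},
                ],
            }],
            "activityId": {"uniqQualifier": "358068855354",
                           "timeUsec": "1632500217183212"},
        },
    },
    "timestamp": "2021-09-24T16:16:57.183212Z",
    "receiveTimestamp": "2021-09-24T17:51:25.034361197Z",
}

_RFC3339 = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a UTC RFC 3339 timestamp; nanoseconds are truncated to microseconds."""
    match = _RFC3339.match(value)
    if match is None:
        raise ValueError(f"unsupported timestamp: {value!r}")
    base = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((match.group(2) or "").ljust(6, "0")[:6])
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def flatten_events(entry):
    """Return one flat record per metadata.event item, with parameters as a dict."""
    payload = entry.get("protoPayload", {})
    metadata = payload.get("metadata", {})
    usec = metadata.get("activityId", {}).get("timeUsec")
    event_time = _EPOCH + timedelta(microseconds=int(usec)) if usec else None
    records = []
    for event in metadata.get("event", []):
        params = {}
        for param in event.get("parameter", []):
            # Repeated parameters carry multiStrValue; scalar ones carry value.
            if "multiStrValue" in param:
                params[param["name"]] = list(param["multiStrValue"])
            else:
                params[param["name"]] = param.get("value")
        records.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "method": payload.get("methodName"),
            "event_name": event.get("eventName"),
            "event_time": event_time,
            "params": params,
        })
    return records


def ingest_delay(entry):
    """Time between the event (timestamp) and its arrival in Cloud Logging."""
    return parse_ts(entry["receiveTimestamp"]) - parse_ts(entry["timestamp"])


if __name__ == "__main__":
    for record in flatten_events(SAMPLE_ENTRY):
        print(record)
    print("ingest delay:", ingest_delay(SAMPLE_ENTRY))
```

For the sample entry the delay is roughly an hour and a half, so alerting built on these logs should query on timestamp with a lookback window rather than assume near-real-time arrival.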
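For service-specific audit logging fields and how to interpret them, select from the services listed in Available audit logs.
View logs
For information about viewing your Google Workspace audit logs, see View and manage audit logs for Google Workspace.
Route audit logs
You can route Google Workspace audit logs from Cloud Logging to supported destinations, including other Logging buckets.
The following are some applications for routing audit logs:
To use more powerful search capabilities, you can route copies of your audit logs to Cloud Storage, BigQuery, or Pub/Sub. Using Pub/Sub, you can route to other applications, other repositories, and third parties.
To manage your audit logs across an entire organization, you can create an aggregated sink that combines and routes logs from all the Google Cloud projects, billing accounts, and folders contained in your organization. For example, you can aggregate and route audit log entries from an organization's folders to a Cloud Storage bucket.
For instructions about routing logs, see Route logs to supported destinations.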
Regionalization
You can't choose the region where your Google Workspace logs are stored.
Google Workspace logs aren't covered by the Google Workspace Data Region Policy.
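Retention periods
The following retention periods apply to your audit log data:
For each organization, Cloud Logging automatically stores logs in two buckets: a _Default bucket and a _Required bucket. The _Required bucket stores Admin Activity audit logs, System Event audit logs, and Access Transparency logs. The _Default bucket stores all other log entries that aren't stored in the _Required bucket. For more information about Logging buckets, see Routing and storage overview.
You can configure Cloud Logging to retain the logs in the _Default logs bucket for a period ranging from 1 day to 3650 days.
To update the retention period for the _Default logs bucket, see Custom retention.
You can't change the retention period of the _Required bucket.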
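Quotas and limits
The same quotas apply to the audit logs for Google Workspace and to Cloud Audit Logs.
For details about these usage limits, including the maximum sizes of audit logs, see Quotas and limits.
Pricing
Google Workspace organization-level logs are provided free of charge.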