本頁面由 Cloud Translation API 翻譯而成。

Google Workspace 稽核記錄

本文件提供 Google Workspace 在 Cloud 稽核記錄中提供的稽核記錄概念總覽。

如要瞭解如何管理 Google Workspace 稽核記錄，請參閱「查看及管理 Google Workspace 稽核記錄」。

總覽

Google Cloud 服務會寫入稽核記錄，協助您瞭解什麼人在什麼時間和地點從事了什麼行為。您可以將 Google Workspace 稽核記錄提供給 Google Cloud ，以便儲存、分析、監控及發出 Google Workspace 資料的快訊。

Google Workspace 稽核記錄適用於 Cloud Identity、Cloud Identity 進階版和所有 Google Workspace 客戶。

如果您已使用 Google Cloud啟用 Google Workspace 資料分享功能，則 Google Workspace 一律會啟用稽核記錄。

停用 Google Workspace 資料分享功能後，系統就不會將新的 Google Workspace 稽核記錄事件傳送至 Google Cloud。除非您已設定自訂保留，將記錄檔保留更長的時間，否則所有現有記錄都會保留至預設保留期限。

如果您未啟用 Google Workspace 資料共用功能，就無法在 Google Cloud中查看 Google Workspace 的稽核記錄。 Google Cloud

稽核記錄類型

管理員活動稽核記錄包含 API 呼叫或修改設定或資源中繼資料的其他動作記錄項目。例如，這類記錄會記下使用者於何時建立 VM 執行個體或變更身分與存取權管理 (IAM) 權限。

資料存取稽核記錄包含讀取資源設定或中繼資料的 API 呼叫，以及建立、修改或讀取使用者所提供資源資料的使用者驅動 API 呼叫。資料存取稽核記錄不會記錄下列兩種資源的資料存取作業：公開共用的資源 (供所有使用者或所有已驗證的使用者使用)，或可在未登入 Google Cloud、Google Workspace、Cloud Identity 或 Drive Enterprise 帳戶情況下存取的資源。

Google Workspace 服務將稽核記錄轉送至 Google Cloud

Google Workspace 會在Google Cloud 機構層級提供下列稽核記錄：

資料存取透明化控管機制：資料存取透明化控管機制記錄會記錄 Google 人員存取貴組織 Google Workspace 資源中的客戶內容時採取的動作。與資料存取透明化控管機制相反，Cloud 稽核記錄會記錄 Google Cloud 機構成員在 Google Cloud 資源中採取的動作。

如要進一步瞭解資料存取透明化控管機制記錄的結構，以及記錄的存取類型，請參閱「記錄欄位說明」。
Google Workspace 管理員稽核：管理員稽核記錄會記錄 Google 管理控制台的動作執行記錄。舉例來說，您可以查看管理員何時新增使用者或啟用 Google Workspace 服務。

管理員稽核只會寫入管理員活動稽核記錄。

注意： 除非您使用 Google 管理控制台，否則 Google Workspace Enterprise 群組稽核記錄會記錄群組設定的異動。使用 Google 管理控制台時，Google Workspace 管理員稽核記錄會記錄群組設定的變更。舉例來說，如果您在 groups.google.com 中變更群組電子郵件地址，這些變更會記錄在 Google Workspace Enterprise 群組稽核記錄中。
Google Workspace Enterprise 網路論壇稽核：Enterprise 網路論壇稽核記錄會記錄與群組和群組成員資格相關的動作。舉例來說，您可以查看管理員何時新增使用者，或者版主何時刪除群組。

Enterprise Groups Audit 只會寫入管理員活動稽核記錄。
Google Workspace 登入稽核：登入稽核記錄會追蹤使用者登入您網域的活動。這些記錄只會記錄登入事件。但不會記錄系統使用哪種方式執行登入動作。

登入稽核功能只會寫入資料存取稽核記錄。
Google Workspace OAuth 權杖稽核：OAuth 權杖稽核記錄會追蹤網域中的哪些使用者正在使用哪些第三方行動應用程式或網頁應用程式。舉例來說，當使用者開啟 Google Workspace Marketplace 中的應用程式時，稽核記錄就會記下該應用程式的名稱，以及執行這項操作的使用者名稱。每當第三方應用程式獲得 Google 帳戶資料 (例如 Google 聯絡人、日曆和雲端硬碟檔案 (僅限 Google Workspace)) 的存取權時，記錄事件也會將事件記錄下來。

OAuth 權杖稽核會寫入管理員活動和資料存取稽核記錄。
Google Workspace SAML 稽核：SAML 稽核記錄會追蹤使用者登入 SAML 應用程式成功及失敗的記錄。記錄項目通常會在使用者執行動作後的一小時內顯示。

SAML 稽核功能只會寫入資料存取權稽核記錄。

服務專屬資訊

各項 Google Workspace 服務的稽核記錄詳細資料如下：

Google Workspace 管理員稽核

Google Workspace 管理員稽核稽核記錄使用的資源類型一律為 audited_resource。

Google Workspace 管理員稽核稽核記錄會使用 admin.googleapis.com 服務名稱。

Google Workspace 管理員稽核功能只會寫入管理員活動稽核記錄。以下是稽核的作業：

活動類型	`AuditLog.method_name`
AI_CLASSIFICATION_SETTINGS	`google.admin.AdminService.aiClassificationInsufficientTrainingExamples` `google.admin.AdminService.aiClassificationModelLowScore` `google.admin.AdminService.aiClassificationNewModelReady`
ALERT_CENTER	`google.admin.AdminService.alertCenterBatchDeleteAlerts` `google.admin.AdminService.alertCenterBatchUndeleteAlerts` `google.admin.AdminService.alertCenterCreateAlert` `google.admin.AdminService.alertCenterCreateFeedback` `google.admin.AdminService.alertCenterDeleteAlert` `google.admin.AdminService.alertCenterGetAlertMetadata` `google.admin.AdminService.alertCenterGetCustomerSettings` `google.admin.AdminService.alertCenterGetSitLink` `google.admin.AdminService.alertCenterListChange` `google.admin.AdminService.alertCenterListFeedback` `google.admin.AdminService.alertCenterListRelatedAlerts` `google.admin.AdminService.alertCenterUndeleteAlert` `google.admin.AdminService.alertCenterUpdateAlert` `google.admin.AdminService.alertCenterUpdateAlertMetadata` `google.admin.AdminService.alertCenterUpdateCustomerSettings` `google.admin.AdminService.alertCenterView`
APPLICATION_SETTINGS	`google.admin.AdminService.changeApplicationSetting` `google.admin.AdminService.createApplicationSetting` `google.admin.AdminService.deleteApplicationSetting` `google.admin.AdminService.reorderGroupBasedPoliciesEvent` `google.admin.AdminService.gplusPremiumFeatures` `google.admin.AdminService.createManagedConfiguration` `google.admin.AdminService.deleteManagedConfiguration` `google.admin.AdminService.updateManagedConfiguration` `google.admin.AdminService.flashlightEduNonFeaturedServicesSelected`
CALENDAR_SETTINGS	`google.admin.AdminService.createBuilding` `google.admin.AdminService.deleteBuilding` `google.admin.AdminService.updateBuilding` `google.admin.AdminService.createCalendarResource` `google.admin.AdminService.deleteCalendarResource` `google.admin.AdminService.createCalendarResourceFeature` `google.admin.AdminService.deleteCalendarResourceFeature` `google.admin.AdminService.updateCalendarResourceFeature` `google.admin.AdminService.renameCalendarResource` `google.admin.AdminService.updateCalendarResource` `google.admin.AdminService.changeCalendarSetting` `google.admin.AdminService.cancelCalendarEvents` `google.admin.AdminService.releaseCalendarResources`
CHAT_SETTINGS	`google.admin.AdminService.meetInteropCreateGateway` `google.admin.AdminService.meetInteropDeleteGateway` `google.admin.AdminService.meetInteropModifyGateway` `google.admin.AdminService.changeChatSetting`
CHROME_OS_SETTINGS	`google.admin.AdminService.changeChromeOsAndroidApplicationSetting` `google.admin.AdminService.changeChromeOsApplicationSetting` `google.admin.AdminService.sendChromeOsDeviceCommand` `google.admin.AdminService.changeChromeOsDeviceAnnotation` `google.admin.AdminService.changeChromeOsDeviceSetting` `google.admin.AdminService.changeChromeOsDeviceState` `google.admin.AdminService.changeChromeOsPublicSessionSetting` `google.admin.AdminService.insertChromeOsPrinter` `google.admin.AdminService.deleteChromeOsPrinter` `google.admin.AdminService.updateChromeOsPrinter` `google.admin.AdminService.changeChromeOsSetting` `google.admin.AdminService.changeChromeOsUserSetting` `google.admin.AdminService.removeChromeOsApplicationSettings`
CONTACTS_SETTINGS	`google.admin.AdminService.changeContactsSetting`
DELEGATED_ADMIN_SETTINGS	`google.admin.AdminService.assignRole` `google.admin.AdminService.createRole` `google.admin.AdminService.deleteRole` `google.admin.AdminService.addPrivilege` `google.admin.AdminService.removePrivilege` `google.admin.AdminService.renameRole` `google.admin.AdminService.updateRole` `google.admin.AdminService.unassignRole`
DEVICE_SETTINGS	`google.admin.AdminService.deleteDevice` `google.admin.AdminService.moveDeviceToOrgUnit`
DOCS_SETTINGS	`google.admin.AdminService.transferDocumentOwnership` `google.admin.AdminService.driveDataRestore` `google.admin.AdminService.changeDocsSetting`
DOMAIN_SETTINGS	`google.admin.AdminService.changeAccountAutoRenewal` `google.admin.AdminService.addApplication` `google.admin.AdminService.addApplicationToWhitelist` `google.admin.AdminService.changeAdvertisementOption` `google.admin.AdminService.createAlert` `google.admin.AdminService.changeAlertCriteria` `google.admin.AdminService.deleteAlert` `google.admin.AdminService.alertReceiversChanged` `google.admin.AdminService.renameAlert` `google.admin.AdminService.alertStatusChanged` `google.admin.AdminService.addDomainAlias` `google.admin.AdminService.removeDomainAlias` `google.admin.AdminService.skipDomainAliasMx` `google.admin.AdminService.verifyDomainAliasMx` `google.admin.AdminService.verifyDomainAlias` `google.admin.AdminService.toggleOauthAccessToAllApis` `google.admin.AdminService.toggleAllowAdminPasswordReset` `google.admin.AdminService.enableApiAccess` `google.admin.AdminService.authorizeApiClientAccess` `google.admin.AdminService.removeApiClientAccess` `google.admin.AdminService.chromeLicensesRedeemed` `google.admin.AdminService.toggleAutoAddNewService` `google.admin.AdminService.changePrimaryDomain` `google.admin.AdminService.changeWhitelistSetting` `google.admin.AdminService.communicationPreferencesSettingChange` `google.admin.AdminService.changeConflictAccountAction` `google.admin.AdminService.enableFeedbackSolicitation` `google.admin.AdminService.toggleContactSharing` `google.admin.AdminService.createPlayForWorkToken` `google.admin.AdminService.toggleUseCustomLogo` `google.admin.AdminService.changeCustomLogo` `google.admin.AdminService.changeDataLocalizationForRussia` `google.admin.AdminService.changeDataLocalizationSetting` `google.admin.AdminService.changeDataProtectionOfficerContactInfo` `google.admin.AdminService.deletePlayForWorkToken` `google.admin.AdminService.viewDnsLoginDetails` `google.admin.AdminService.changeDomainDefaultLocale` `google.admin.AdminService.changeDomainDefaultTimezone` `google.admin.AdminService.changeDomainName` `google.admin.AdminService.toggleEnablePreReleaseFeatures` `google.admin.AdminService.changeDomainSupportMessage` `google.admin.AdminService.addTrustedDomains` `google.admin.AdminService.removeTrustedDomains` `google.admin.AdminService.changeEduType` `google.admin.AdminService.toggleEnableOauthConsumerKey` `google.admin.AdminService.toggleSsoEnabled` `google.admin.AdminService.toggleSsl` `google.admin.AdminService.changeEuRepresentativeContactInfo` `google.admin.AdminService.generateTransferToken` `google.admin.AdminService.changeLoginBackgroundColor` `google.admin.AdminService.changeLoginBorderColor` `google.admin.AdminService.changeLoginActivityTrace` `google.admin.AdminService.playForWorkEnroll` `google.admin.AdminService.playForWorkUnenroll` `google.admin.AdminService.mxRecordVerificationClaim` `google.admin.AdminService.toggleNewAppFeatures` `google.admin.AdminService.toggleUseNextGenControlPanel` `google.admin.AdminService.uploadOauthCertificate` `google.admin.AdminService.regenerateOauthConsumerSecret` `google.admin.AdminService.toggleOpenIdEnabled` `google.admin.AdminService.changeOrganizationName` `google.admin.AdminService.toggleOutboundRelay` `google.admin.AdminService.changePasswordMaxLength` `google.admin.AdminService.changePasswordMinLength` `google.admin.AdminService.updateDomainPrimaryAdminEmail` `google.admin.AdminService.enableServiceOrFeatureNotifications` `google.admin.AdminService.removeApplication` `google.admin.AdminService.removeApplicationFromWhitelist` `google.admin.AdminService.changeRenewDomainRegistration` `google.admin.AdminService.changeResellerAccess` `google.admin.AdminService.ruleActionsChanged` `google.admin.AdminService.createRule` `google.admin.AdminService.changeRuleCriteria` `google.admin.AdminService.deleteRule` `google.admin.AdminService.renameRule` `google.admin.AdminService.ruleStatusChanged` `google.admin.AdminService.addSecondaryDomain` `google.admin.AdminService.removeSecondaryDomain` `google.admin.AdminService.skipSecondaryDomainMx` `google.admin.AdminService.verifySecondaryDomainMx` `google.admin.AdminService.verifySecondaryDomain` `google.admin.AdminService.updateDomainSecondaryEmail` `google.admin.AdminService.changeSsoSettings` `google.admin.AdminService.generatePin` `google.admin.AdminService.updateRule`
EMAIL_SETTINGS	`google.admin.AdminService.dropFromQuarantine` `google.admin.AdminService.emailLogSearch` `google.admin.AdminService.emailUndelete` `google.admin.AdminService.changeEmailSetting` `google.admin.AdminService.changeGmailSetting` `google.admin.AdminService.createGmailSetting` `google.admin.AdminService.deleteGmailSetting` `google.admin.AdminService.rejectFromQuarantine` `google.admin.AdminService.releaseFromQuarantine`
GROUP_SETTINGS	`google.admin.AdminService.createGroup` `google.admin.AdminService.deleteGroup` `google.admin.AdminService.changeGroupDescription` `google.admin.AdminService.groupListDownload` `google.admin.AdminService.addGroupMember` `google.admin.AdminService.removeGroupMember` `google.admin.AdminService.updateGroupMember` `google.admin.AdminService.updateGroupMemberDeliverySettings` `google.admin.AdminService.updateGroupMemberDeliverySettingsCanEmailOverride` `google.admin.AdminService.groupMemberBulkUpload` `google.admin.AdminService.groupMembersDownload` `google.admin.AdminService.changeGroupEmail` `google.admin.AdminService.changeGroupName` `google.admin.AdminService.changeGroupSetting` `google.admin.AdminService.whitelistedGroupsUpdated`
標籤	`google.admin.AdminService.labelDeleted` `google.admin.AdminService.labelDisabled` `google.admin.AdminService.labelReenabled` `google.admin.AdminService.labelPermissionUpdated` `google.admin.AdminService.labelPermissionDeleted` `google.admin.AdminService.labelPublished` `google.admin.AdminService.labelCreated` `google.admin.AdminService.labelUpdated`
LICENSES_SETTINGS	`google.admin.AdminService.orgUsersLicenseAssignment` `google.admin.AdminService.orgAllUsersLicenseAssignment` `google.admin.AdminService.userLicenseAssignment` `google.admin.AdminService.changeLicenseAutoAssign` `google.admin.AdminService.userLicenseReassignment` `google.admin.AdminService.orgLicenseRevoke` `google.admin.AdminService.userLicenseRevoke` `google.admin.AdminService.updateDynamicLicense` `google.admin.AdminService.licenseUsageUpdate`
MOBILE_SETTINGS	`google.admin.AdminService.actionCancelled` `google.admin.AdminService.actionRequested` `google.admin.AdminService.addMobileCertificate` `google.admin.AdminService.companyDevicesBulkCreation` `google.admin.AdminService.companyOwnedDeviceBlocked` `google.admin.AdminService.companyDeviceDeletion` `google.admin.AdminService.companyOwnedDeviceUnblocked` `google.admin.AdminService.companyOwnedDeviceWiped` `google.admin.AdminService.changeMobileApplicationPermissionGrant` `google.admin.AdminService.changeMobileApplicationPriorityOrder` `google.admin.AdminService.removeMobileApplicationFromWhitelist` `google.admin.AdminService.changeMobileApplicationSettings` `google.admin.AdminService.addMobileApplicationToWhitelist` `google.admin.AdminService.mobileDeviceApprove` `google.admin.AdminService.mobileDeviceBlock` `google.admin.AdminService.mobileDeviceDelete` `google.admin.AdminService.mobileDeviceWipe` `google.admin.AdminService.changeMobileSetting` `google.admin.AdminService.changeAdminRestrictionsPin` `google.admin.AdminService.changeMobileWirelessNetwork` `google.admin.AdminService.addMobileWirelessNetwork` `google.admin.AdminService.removeMobileWirelessNetwork` `google.admin.AdminService.changeMobileWirelessNetworkPassword` `google.admin.AdminService.removeMobileCertificate` `google.admin.AdminService.enrollForGoogleDeviceManagement` `google.admin.AdminService.useGoogleMobileManagement` `google.admin.AdminService.useGoogleMobileManagementForNonIos` `google.admin.AdminService.useGoogleMobileManagementForIos` `google.admin.AdminService.mobileAccountWipe` `google.admin.AdminService.mobileDeviceCancelWipeThenApprove` `google.admin.AdminService.mobileDeviceCancelWipeThenBlock`
ORG_SETTINGS	`google.admin.AdminService.chromeLicensesEnabled` `google.admin.AdminService.chromeApplicationLicenseReservationCreated` `google.admin.AdminService.chromeApplicationLicenseReservationDeleted` `google.admin.AdminService.chromeApplicationLicenseReservationUpdated` `google.admin.AdminService.assignCustomLogo` `google.admin.AdminService.unassignCustomLogo` `google.admin.AdminService.createEnrollmentToken` `google.admin.AdminService.revokeEnrollmentToken` `google.admin.AdminService.chromeLicensesAllowed` `google.admin.AdminService.createOrgUnit` `google.admin.AdminService.removeOrgUnit` `google.admin.AdminService.editOrgUnitDescription` `google.admin.AdminService.moveOrgUnit` `google.admin.AdminService.editOrgUnitName` `google.admin.AdminService.toggleServiceEnabled`
SECURITY_INVESTIGATION	`google.admin.AdminService.securityInvestigationAction` `google.admin.AdminService.securityInvestigationActionCancellation` `google.admin.AdminService.securityInvestigationActionCompletion` `google.admin.AdminService.securityInvestigationActionRetry` `google.admin.AdminService.securityInvestigationActionVerificationConfirmation` `google.admin.AdminService.securityInvestigationActionVerificationRequest` `google.admin.AdminService.securityInvestigationActionVerificationRequestExpiration` `google.admin.AdminService.securityInvestigationChartCreate` `google.admin.AdminService.securityInvestigationContentAccess` `google.admin.AdminService.securityInvestigationDownloadAttachment` `google.admin.AdminService.securityInvestigationExportActionResults` `google.admin.AdminService.securityInvestigationExportQuery` `google.admin.AdminService.securityInvestigationObjectCreateDraftInvestigation` `google.admin.AdminService.securityInvestigationObjectDeleteInvestigation` `google.admin.AdminService.securityInvestigationObjectDuplicateInvestigation` `google.admin.AdminService.securityInvestigationObjectOwnershipTransfer` `google.admin.AdminService.securityInvestigationObjectSaveInvestigation` `google.admin.AdminService.securityInvestigationObjectUpdateDirectSharing` `google.admin.AdminService.securityInvestigationObjectUpdateLinkSharing` `google.admin.AdminService.securityInvestigationQuery` `google.admin.AdminService.securityInvestigationSettingUpdate`
SECURITY_SETTINGS	`google.admin.AdminService.addToTrustedOauth2Apps` `google.admin.AdminService.allowAspWithout2Sv` `google.admin.AdminService.allowServiceForOauth2Access` `google.admin.AdminService.allowStrongAuthentication` `google.admin.AdminService.blockOnDeviceAccess` `google.admin.AdminService.changeAllowedTwoStepVerificationMethods` `google.admin.AdminService.changeAppAccessSettingsCollectionId` `google.admin.AdminService.changeCaaAppAssignments` `google.admin.AdminService.changeCaaDefaultAssignments` `google.admin.AdminService.changeCaaErrorMessage` `google.admin.AdminService.changeSessionLength` `google.admin.AdminService.changeTwoStepVerificationEnrollmentPeriodDuration` `google.admin.AdminService.changeTwoStepVerificationFrequency` `google.admin.AdminService.changeTwoStepVerificationGracePeriodDuration` `google.admin.AdminService.changeTwoStepVerificationStartDate` `google.admin.AdminService.disallowServiceForOauth2Access` `google.admin.AdminService.enableNonAdminUserPasswordRecovery` `google.admin.AdminService.enforceStrongAuthentication` `google.admin.AdminService.removeFromTrustedOauth2Apps` `google.admin.AdminService.sessionControlSettingsChange` `google.admin.AdminService.toggleCaaEnablement` `google.admin.AdminService.trustDomainOwnedOauth2Apps` `google.admin.AdminService.unblockOnDeviceAccess` `google.admin.AdminService.untrustDomainOwnedOauth2Apps` `google.admin.AdminService.updateErrorMsgForRestrictedOauth2Apps` `google.admin.AdminService.weakProgrammaticLoginSettingsChanged`
SITES_SETTINGS	`google.admin.AdminService.addWebAddress` `google.admin.AdminService.deleteWebAddress` `google.admin.AdminService.changeSitesSetting` `google.admin.AdminService.changeSitesWebAddressMappingUpdates` `google.admin.AdminService.viewSiteDetails`
USER_SETTINGS	`google.admin.AdminService.delete2SvScratchCodes` `google.admin.AdminService.generate2SvScratchCodes` `google.admin.AdminService.revoke3LoDeviceTokens` `google.admin.AdminService.revoke3LoToken` `google.admin.AdminService.addRecoveryEmail` `google.admin.AdminService.addRecoveryPhone` `google.admin.AdminService.grantAdminPrivilege` `google.admin.AdminService.revokeAdminPrivilege` `google.admin.AdminService.revokeAsp` `google.admin.AdminService.toggleAutomaticContactSharing` `google.admin.AdminService.bulkUpload` `google.admin.AdminService.bulkUploadNotificationSent` `google.admin.AdminService.cancelUserInvite` `google.admin.AdminService.changeUserCustomField` `google.admin.AdminService.changeUserExternalId` `google.admin.AdminService.changeUserGender` `google.admin.AdminService.changeUserIm` `google.admin.AdminService.enableUserIpWhitelist` `google.admin.AdminService.changeUserKeyword` `google.admin.AdminService.changeUserLanguage` `google.admin.AdminService.changeUserLocation` `google.admin.AdminService.changeUserOrganization` `google.admin.AdminService.changeUserPhoneNumber` `google.admin.AdminService.changeRecoveryEmail` `google.admin.AdminService.changeRecoveryPhone` `google.admin.AdminService.changeUserRelation` `google.admin.AdminService.changeUserAddress` `google.admin.AdminService.createEmailMonitor` `google.admin.AdminService.createDataTransferRequest` `google.admin.AdminService.grantDelegatedAdminPrivileges` `google.admin.AdminService.deleteAccountInfoDump` `google.admin.AdminService.deleteEmailMonitor` `google.admin.AdminService.deleteMailboxDump` `google.admin.AdminService.changeFirstName` `google.admin.AdminService.gmailResetUser` `google.admin.AdminService.changeLastName` `google.admin.AdminService.mailRoutingDestinationAdded` `google.admin.AdminService.mailRoutingDestinationRemoved` `google.admin.AdminService.addNickname` `google.admin.AdminService.removeNickname` `google.admin.AdminService.changePassword` `google.admin.AdminService.changePasswordOnNextLogin` `google.admin.AdminService.downloadPendingInvitesList` `google.admin.AdminService.removeRecoveryEmail` `google.admin.AdminService.removeRecoveryPhone` `google.admin.AdminService.requestAccountInfo` `google.admin.AdminService.requestMailboxDump` `google.admin.AdminService.resendUserInvite` `google.admin.AdminService.resetSigninCookies` `google.admin.AdminService.securityKeyRegisteredForUser` `google.admin.AdminService.revokeSecurityKey` `google.admin.AdminService.userInvite` `google.admin.AdminService.viewTempPassword` `google.admin.AdminService.turnOff2StepVerification` `google.admin.AdminService.unblockUserSession` `google.admin.AdminService.unenrollUserFromTitanium` `google.admin.AdminService.archiveUser` `google.admin.AdminService.updateBirthdate` `google.admin.AdminService.createUser` `google.admin.AdminService.deleteUser` `google.admin.AdminService.downgradeUserFromGplus` `google.admin.AdminService.userEnrolledInTwoStepVerification` `google.admin.AdminService.downloadUserlistCsv` `google.admin.AdminService.moveUserToOrgUnit` `google.admin.AdminService.userPutInTwoStepVerificationGracePeriod` `google.admin.AdminService.renameUser` `google.admin.AdminService.unenrollUserFromStrongAuth` `google.admin.AdminService.suspendUser` `google.admin.AdminService.unarchiveUser` `google.admin.AdminService.undeleteUser` `google.admin.AdminService.unsuspendUser` `google.admin.AdminService.upgradeUserToGplus` `google.admin.AdminService.usersBulkUpload` `google.admin.AdminService.usersBulkUploadNotificationSent`

Google Workspace Enterprise 網上論壇稽核

Google Workspace Enterprise Groups Audit 稽核記錄使用的資源類型一律為 audited_resource。

Google Workspace Enterprise Groups Audit 稽核記錄使用服務名稱 cloudidentity.googleapis.com。

Google Workspace 企業群組稽核功能只會寫入管理員活動稽核記錄。以下是稽核的作業：

稽核記錄類別	`AuditLog.method_name`
管理員活動稽核記錄	`google.apps.cloudidentity.groups.v1.GroupsService.UpdateGroup` `google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership`

所有 Google Workspace 登入稽核稽核記錄都使用 audited_resource 的資源類型。

Google Workspace 登入稽核稽核記錄會使用服務名稱 login.googleapis.com。

Google Workspace 登入稽核功能只會寫入資料存取權稽核記錄。以下是經稽核的作業，每個作業都有記錄範例。

稽核記錄類別 AuditLog.method_name

資料存取稽核記錄 google.login.LoginService.2svDisable
google.login.LoginService.2svEnroll
google.login.LoginService.accountDisabledPasswordLeak
google.login.LoginService.accountDisabledGeneric
google.login.LoginService.accountDisabledSpammingThroughRelay
google.login.LoginService.accountDisabledSpamming
google.login.LoginService.accountDisabledHijacked
google.login.LoginService.emailForwardingOutOfDomain
google.login.LoginService.govAttackWarning
google.login.LoginService.loginChallenge
google.login.LoginService.loginFailure
google.login.LoginService.loginVerification
google.login.LoginService.logout
google.login.LoginService.loginSuccess
google.login.LoginService.passwordEdit
google.login.LoginService.recoveryEmailEdit
google.login.LoginService.recoveryPhoneEdit
google.login.LoginService.recoverySecretQaEdit
google.login.LoginService.riskySensitiveActionAllowed
google.login.LoginService.riskySensitiveActionBlocked
google.login.LoginService.suspiciousLogin
google.login.LoginService.suspiciousLoginLessSecureApp
google.login.LoginService.suspiciousProgrammaticLogin
google.login.LoginService.titaniumEnroll
google.login.LoginService.titaniumUnenroll

稽核記錄類別	`AuditLog.method_name`
資料存取稽核記錄	`google.login.LoginService.2svDisable` `google.login.LoginService.2svEnroll` `google.login.LoginService.accountDisabledPasswordLeak` `google.login.LoginService.accountDisabledGeneric` `google.login.LoginService.accountDisabledSpammingThroughRelay` `google.login.LoginService.accountDisabledSpamming` `google.login.LoginService.accountDisabledHijacked` `google.login.LoginService.emailForwardingOutOfDomain` `google.login.LoginService.govAttackWarning` `google.login.LoginService.loginChallenge` `google.login.LoginService.loginFailure` `google.login.LoginService.loginVerification` `google.login.LoginService.logout` `google.login.LoginService.loginSuccess` `google.login.LoginService.passwordEdit` `google.login.LoginService.recoveryEmailEdit` `google.login.LoginService.recoveryPhoneEdit` `google.login.LoginService.recoverySecretQaEdit` `google.login.LoginService.riskySensitiveActionAllowed` `google.login.LoginService.riskySensitiveActionBlocked` `google.login.LoginService.suspiciousLogin` `google.login.LoginService.suspiciousLoginLessSecureApp` `google.login.LoginService.suspiciousProgrammaticLogin` `google.login.LoginService.titaniumEnroll` `google.login.LoginService.titaniumUnenroll`

Google Workspace OAuth 權杖稽核

Google Workspace OAuth 權杖稽核稽核記錄使用的資源類型一律為 audited_resource。

Google Workspace OAuth 權杖稽核稽核記錄會使用服務名稱 oauth2.googleapis.com。

Google Workspace OAuth 權杖稽核會寫入管理員活動和資料存取稽核記錄。以下是稽核的作業：

稽核記錄類別	`AuditLog.method_name`
管理員活動稽核記錄	`google.identity.oauth2.Deny` `google.identity.oauth2.GetToken` `google.identity.oauth2.Request` `google.identity.oauth2.RevokeToken`
資料存取稽核記錄	`google.identity.oauth2.GetTokenInfo`

Google Workspace SAML 稽核

Google Workspace SAML Audit 稽核記錄使用的資源類型一律為 audited_resource。

Google Workspace SAML 稽核稽核記錄會使用服務名稱 login.googleapis.com。

Google Workspace SAML 稽核功能只會寫入資料存取稽核記錄。以下是經稽核的作業：

稽核記錄類別	`AuditLog.method_name`
資料存取稽核記錄	`google.apps.login.v1.SamlLoginFailed`
	`google.apps.login.v1.SamlLoginSucceeded`

稽核記錄權限

IAM 權限和角色會決定您是否能夠在 Logging API、記錄檔探索工具和 Google Cloud CLI 中存取稽核記錄資料。

如要進一步瞭解可能需要的機構層級 IAM 權限和角色，請參閱「使用 IAM 控管存取權」。

稽核記錄格式

Google Workspace 稽核記錄項目包含下列物件：

記錄項目本身，屬於 LogEntry 類型的物件。檢查稽核記錄資料時，您可能會發現下列資訊很實用：
- logName 包含機構 ID 和稽核記錄類型。
- resource 包含稽核作業的目標。
- timeStamp 包含稽核作業的時間。
- protoPayload 會在 metadata 欄位中包含 Google Workspace 稽核記錄。

protoPayload.metadata 欄位會保留已稽核的 Google Workspace 資訊。以下是登入稽核記錄的範例：

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.net"
    },
    "requestMetadata": {
      "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.loginFailure",
    "resourceName": "organizations/123",
    "metadata": {
      "event": [
        {
          "eventName": "login_failure",
          "eventType": "login",
          "parameter": [
            {
              "value": "google_password",
              "type": "TYPE_STRING",
              "name": "login_type",
            },
            {
              "name": "login_challenge_method",
              "type": "TYPE_STRING",
              "label": "LABEL_REPEATED",
              "multiStrValue": [
                "password",
                "idv_preregistered_phone",
                "idv_preregistered_phone"
              ]
            },
          ]
        }
      ],
      "activityId": {
        "uniqQualifier": "358068855354",
        "timeUsec": "1632500217183212"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
    }
  },
  "insertId": "-nahbepd4l1x",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.loginFailure",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T16:16:57.183212Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}

如要瞭解服務專屬稽核記錄欄位及其解讀方式，請從「可用的稽核記錄」一節中選取服務。

查看記錄

如要瞭解如何查看 Google Workspace 稽核記錄，請參閱「查看及管理 Google Workspace 稽核記錄」。

路由稽核記錄

您可以將 Google Workspace 稽核記錄從 Cloud Logging 轉送至支援的目的地，包括其他記錄值區。

以下是一些轉送稽核記錄的應用方式：

如要使用更強大的搜尋功能，您可以將稽核記錄的副本轉送至 Cloud Storage、BigQuery 或 Pub/Sub。您可以使用 Pub/Sub 將記錄檔轉送至其他應用程式、其他存放區或第三方。
如要管理整個機構的稽核記錄，您可以建立匯總接收器，結合並重新導向機構中所有 Google Cloud 專案、帳單帳戶和資料夾的記錄。舉例來說，您可以將稽核記錄項目從機構的資料夾匯總並轉送至 Cloud Storage 值區。

如需記錄轉送操作說明，請參閱「將記錄轉送至支援的目的地」。

區域規劃

您無法選擇 Google Workspace 記錄檔的儲存區域。Google Workspace 資料地區政策不適用於 Google Workspace 記錄。

保留期限

稽核記錄資料適用下列保留期限：

Google Workspace 中的資料保留政策。
Google Cloud Cloud Logging 中的資料保留政策。

對於每個機構，Cloud Logging 會自動將記錄檔儲存在兩個值區：_Default 值區和 _Required 值區。_Required 值區會保留管理員活動稽核記錄、系統事件稽核記錄和資料存取透明化控管機制記錄。_Default 值區會保留所有未儲存在 _Required 值區中的記錄項目。如要進一步瞭解 Logging 值區，請參閱「轉送和儲存空間總覽」。

您可以設定 Cloud Logging，讓 _Default 記錄值區中的記錄檔保留 1 天到 3650 天的期限。

如要更新 _Default 記錄資料集的保留期限，請參閱「自訂保留」一文。

您無法變更 _Required 值區的保留期限。

配額與限制

同樣的配額也適用於 Google Workspace 和 Cloud Audit Logs 的稽核記錄。

如要進一步瞭解這些用量限制 (包括稽核記錄的最大大小)，請參閱「配額與限制」一文。

定價

Google Workspace 的機構層級記錄檔可免費使用。

後續步驟

瞭解如何設定及管理 Google Workspace 稽核記錄。
詳閱 Cloud 稽核記錄的最佳做法。
瞭解如何查看及瞭解 Google Workspace 的資料存取透明化控管機制記錄。