If your Google Apps environment has grown to more than a dozen users it’s likely you have more than one user with at least some level of delegated administrator rights if not multiple super admins. Sharing the administrative load with Google Apps is a good thing but sometimes an admin needs to play detective and determine who and why changes were made to Google Apps. For that, there’s the audit log. The audit log shows you who, what, when and where changes have been made to your Google Apps settings. Let’s take a look at how your organization can make the best use of the audit log to understand and track your Google Apps environment.
Optimize your Admins
To get the most out of the audit log, make sure each admin user is using their own account. For most organizations, making the admin user’s primary account admin rights is acceptable. However, some prefer to distinguish between the admin’s day to day work account and an account with full administrator rights. Either setup is fine but sharing a single admin account will lead to a poor experience with the audit log as the log won’t be able to show you who actually made the changes. Best practice is to give each admin their own admin account that only they have access to.
Also be sure that any automated services you are using have their own admin account. If you utilize Google Apps Directory Sync (GADS), make sure it’s using an admin account of it’s own. Do the same for any password sync tool you might be using and other admin tools you use like Google Apps Manager (GAM). By giving these tools their own admin login, you’ll be able to distinguish automated changes to your Google Apps settings from those done interactively by a real admin.
Side note: While you’re shuffling your admins, be sure to take a look at the new administrator roles feature that allows you to pre-define admin rights to a role and then apply the role to users.
Find Out What’s Happening in Your Google Apps environment
Now you’re ready to to take your first look at the audit log. Head to google.com/a/yourdomain.com and login as an admin. You can find the audit log under Reports –> Audit Log.
Seeing the most recent changes is nice but what if you want to search for a specific date range, action, or what a particular admin has been doing? You can filter the shown events by clicking Edit next to Filter Options at the top of the audit log. Audit log allows you to filter which events should be displayed, which admin user actions should be shown for and the date range of events to show.