Audit Vault user activity

You can review the activity of Vault users in Vault, either across all of Vault or in a specific matter. For example, audit all of Vault to learn which Vault users edited retention rules. Or, audit a specific matter to learn who downloaded export files from that matter.

Audit activity across all off Vault

These steps are for new Vault (vault.google.com). Go to steps for classic Vault

  1. Sign in to vault.google.com.
  2. Click Reports.
  3. (Optional) Select a date range.
  4. (Optional) Enter the email addresses of the Vault users whose actions you want to audit. To audit the actions of all Vault users, leave the field empty.
  5. Select what types of Vault user actions you want to audit:
    • To audit all actions, click Select All.
    • To audit only some actions, check the box next to each action.
  6. Click Download CSV. A CSV file that contains audit information is downloaded to your device.
  7. Open the CSV file in a spreadsheet app, such as Google Sheets. For definitions of the values in the CSV, see What audits contain.

Audit activity in a specific matter

  1. Sign in to vault.google.com.
  2. Click Matters.
  3. In the list of matters, click the matter you want to audit.
  4. Click Audit.
  5. (Optional) Select a date range.
  6. (Optional) Enter the email addresses of the Vault users whose actions you want to audit. To audit the actions of all Vault users, leave the field empty.
  7. Select what types of Vault user actions you want to audit:
    • To audit all actions, click Select All.
    • To audit only some actions, check the box next to each action. Note: No retention rule-related actions are reported for matter-specific audits because retention rules are managed outside matters.
  8. Click Download CSV. A CSV file that contains audit information is downloaded to your device.
  9. Open the CSV file in a spreadsheet app, such as Google Sheets. For definitions of the values in the CSV, see What audits contain.

What audits contain

Each line of an audit provides information for one action. Each action has 11 values. Some values apply only to certain actions and are empty for other actions.

Open all   |   Close all

Epoch milliseconds

The time that an action occurred in epoch milliseconds—the number of milliseconds that have elapsed since January 1, 1970 (midnight UTC/GMT). You don't have to do any conversions of epoch milliseconds, as each action is also recorded in human-readable time in the Date value.

Date

The time that an action occurred in human-readable time. The value includes the day of the week; the date; the hour, minute, and second. The time zone is always Pacific (–0700 or –0800).

Action

The action that occurred. Possible values:

Action value Description

ADD_COLLABORATOR_BEGIN

ADD_COLLABORATOR_END

 Logged whenever someone shares a specific matter with other users. The ID number of the matter is recorded in the Matter. The email address of the user with whom that matter was shared is recorded in the Email value.

ADD_LITIGATION_HOLD_BEGIN

ADD_LITIGATION_HOLD_END

 Logged whenever someone creates a hold in a matter. The ID number of the matter is recorded in the Matter value. The email address of the user whose content is on hold is recorded in the Name value.

ADD_RETENTION_RULE_BEGIN

ADD_RETENTION_RULE_END

 Logged whenever someone creates a custom retention rule. The new rule is given a unique ID, which is recorded in the Name value. The retention period is recorded as "Period: # days" in the Details value.

CLOSE_INVESTIGATION_BEGIN

CLOSE_INVESTIGATION_END

 Logged whenever someone closes a matter. The matter ID is recorded in the Matter value.

CREATE_EXPORT_BEGIN

CREATE_EXPORT_END

Deprecated–Replaced by EXPORT. Reported for exports run in February 2014 or earlier.

Logged whenever someone exports documents that were searched for in a matter. The name of the export is recorded in the Name value. The search criteria are recorded in the Query string value.

CREATE_INVESTIGATION_BEGIN

CREATE_INVESTIGATION_END

 Logged whenever someone creates a matter. The ID number of the matter is recorded in the Matter value. The name of the matter is recorded in the Name value.

CREATE_SAVED_QUERY_BEGIN

CREATE_SAVE_QUERY_END

 Logged whenever someone saves a search query in a matter. The search criteria that were used are recorded in the Query string value.

DELETE_RETENTION_RULE_BEGIN

DELETE_RETENTION_RULE_END

 Logged whenever someone deletes a custom retention rule. The ID number of the custom retention rule is recorded in the Name value.
DOWNLOAD_CROSS_MATTER_LITIGATION_HOLD_REPORT Logged whenever someone downloads the list of holds from Domain Holds, User Holds, or Group Holds.
DOWNLOAD_PER_MATTER_LITIGATION_HOLD_REPORT Logged whenever someone downloads the list of holds within a matter. The ID number of the matter is recorded the Matter value.
EXPORT Logged whenever someone runs an export. The name of the export is recorded in the Name value. The search criteria are recorded in the Query string value.

MODIFY_DEFAULT_RETENTION_PERIOD_BEGIN

MODIFY_DEFAULT_RETENTION_PERIOD_END

 Logged whenever someone modifies the default retention rule. The modified retention period is recorded as "Period: # days" in the Details value.

REMOVE_COLLABORATOR_BEGIN

REMOVE_COLLABORATOR_END

 Logged whenever someone removes another user from a shared matter. The ID of the matter is recorded in the Matter value. The email address of the user with whom the matter is no longer shared is recorded in the Email value.

REMOVE_LITIGATION_HOLD_BEGIN

REMOVE_LITIGATION_HOLD_END

 Logged whenever someone removes a hold on an account. The ID number of the matter is recorded in the Matter value. The email address of the user whose content is no longer on hold is recorded in the Name value.
SEARCH Logged whenever someone runs a search from a matter. The ID number of the matter is recorded in the Matter value. The search criteria are recorded in the Query string value.

UPDATE_RETENTION_RULE_BEGIN

UPDATE_RETENTION_RULE_END

 Logged whenever someone modifies a custom retention rule. The ID number of the custom retention rule is recorded in the Name value. The modified retention period is recorded as "Period: # days" in the Details value.
VIEW_CROSS_MATTER_LITIGATION_HOLD_REPORT Logged whenever someone clicks User Holds to view which users are on hold.
VIEW_CUSTODIAN_LITIGATION_HOLD_REPORT Logged whenever someone clicks Domain Holds to view holds for organizational units or users.
VIEW_DOCUMENT Logged whenever someone views a document. A unique ID number for that document is recorded in the Name value.
VIEW_INVESTIGATION Logged whenever someone opens the Search or Export pages in a matter.
VIEW_MATTER_AUDIT_LOG Logged whenever someone runs an audit within a specific matter. The ID number of the matter is recorded in the Matter value.
VIEW_PER_MATTER_LITIGATION_HOLD_REPORT Logged whenever someone views holds in a matter. The ID number of the matter is recorded the Matter value.
VIEW_RETENTION_POLICY Logged whenever someone opens the Retention page.
VIEW_SYSTEM_AUDIT_LOG Logged whenever someone downloads an audit.
User

The email address of the Vault user who performed the action in the Action value.

Matter

For actions in a specific matter, the unique ID of the matter. The matter ID is part of the Vault URL for the matter.

Name

The information in this value depends on the action that the Vault user took:

  • If the user viewed a document (VIEW_DOCUMENT action), the unique ID of the document.

    Example: ACD7onr49fP6DqvgAvIDhboAqqth9q7ekwGc0xpC3xjhpylzQvvQoNKmBKyE9NL1Qdww4eA2SQSc5mOF0JJ_bV_tkVFU3TWIdIrBYOiZLw0eBA9-xL7A-pc

  • If the user added or removed a collaborator (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END action), the email address of the user who was added or removed.
  • If the user created an export in a matter (CREATE_EXPORT_BEGIN/END action), the name of export.
Email

The email address of the collaborator who was added to or removed from a matter (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END action).

Resource url

The URL of any document that the user viewed (VIEW_DOCUMENT action).

Query string

The search parameters the user entered for a specific search (SEARCH or SEARCH_COUNT action).

Example: query: "( Project X )"

Organization

The name of the organizational unit to which the action applies. For example, if the Vault user created a retention rule that applies to a specific organizational unit.

Details

The retention period in days that a user set for a custom retention rule. The period is indicated as "Period: # days."

How long information in audit logs persists

Actions in audit reports can't be deleted or truncated by Google or by any Vault administrator or user as long as your organization continues to use Vault.

If your organization terminates its Vault service, audit data is deleted after approximately 30 days.

 

Use classic Vault

Click below to open steps for classic Vault (ediscovery.google.com). Go to steps for new Vault

Get an audit report in ediscovery.google.com

  1. In Vault, go to Reports > Audit.
  2. In Select date range, include start and end dates for the audit.
  3. In Select Vault users, include users on whom you want to run the audit. The Vault users you enter here have Vault privileges; you are auditing their actions in Vault (for example, if they've set retention rules, searched in matters, modified holds, or performed any other administrative actions).
  4. In Select action types, check the boxes next to actions about which you want audit information. For example, you can select Retention to audit a Vault user's actions related to retention, such as which retention rules a Vault user created or modified and when.
  5. Click Download CSV. A CSV file that contains audit information is downloaded to your device.

Get definitions of the values in the CSV in What audits contain.

Was this helpful?
How can we improve it?