Admin console Contact us

    Meet log events

    Understand users' Meet meeting activity

    Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

    As your organization's administrator, you can run searches and take action on Meet log events. There you can review meeting activity in your organization. For example, you can find out when a user starts a meeting, where they're joining meetings from, and who was in a meeting.

    Need help during a meeting or for a specific meeting?

    You can troubleshoot meetings in real time using the Meet quality tool. Go to Track meeting quality and statistics .

    Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

    Audit and investigation tool

    To run a search for log events, first choose a data source. Then, choose one or more filters for your search.

    1. In the Google Admin console, go to Menu Reporting Audit and investigation Meet log events.

      Requires having the Audit & Investigation administrator privilege.

    2. To filter events that occurred before or after a specific date, for Date , select Before or After . By default, events from the last 7 days are shown. You can select a different date range or clickto remove the date filter.

    3. Click Add a filter select an attribute. For example, to filter by a specific event type, select Event .
    4. Select an operatorselect a valueclick Apply .
      • (Optional) To create multiple filters for your search, repeat this step.
      • (Optional) To add a search operator, above Add a filter , select AND or OR .
    5. Click Search . Note : Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.

    Security investigation tool

    Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

    To run a search in the security investigation tool, first choose a data source. Then, choose one or more conditions for your search. For each condition, choose an attribute , an operator , and a value .

    1. In the Google Admin console, go to Menu Security Security center Investigation tool.

      Requires having the Security center administrator privilege.

    2. Click Data source and select Meet log events .

    3. To filter events that occurred before or after a specific date, for Date , select Before or After . By default, events from the last 7 days are shown. You can select a different date range or clickto remove the date filter.

    4. Click Add Condition .
      Tip : You can include one or more conditions in your search or customize your search with nested queries . For details, go to Customize your search with nested queries .
    5. Click Attribute select an option. For example, to filter by a specific event type, select Event .
      For a complete list of attributes, go to the Attribute descriptions section.
    6. Select an operator.
    7. Enter a value or select a value from the list.
    8. (Optional) To add more search conditions, repeat the steps.
    9. Click Search .
      You can review the search results from the investigation tool in a table at the bottom of the page.
    10. (Optional) To save your investigation, click Saveenter a title and descriptionclick Save .

    Notes

    • In the Condition builder tab, filters are represented as conditions with AND/OR operators. You can also use the Filter tab to include simple parameter and value pairs to filter the search results.
    • If you give a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com , you will not see results for events related to OldName@example.com .
    • You can only search for data in messages that have not yet been deleted from Trash.

    Attribute descriptions

    For this data source, you can use the following attributes when searching log event data.

    Attribute
    Description
    Action description
    User's description when reporting abuse in a meeting
    Action reason
    User's reason when reporting abuse in a meeting
    Action time
    The actual time of an action
    Actor
    The actor's email address or phone number, or the Meet hardware's device ID, from which the actor joined the meeting
    Actor group name

    The group name of the actor. For more information, go to Filtering results by Google Group .

    To add a group to your filtering groups allowlist:

    1. Select Actor group name .
    2. Click Filtering groups .
      The Filtering groups page appears.
    3. Click Add Groups .
    4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
    5. (Optional) To add another group, search for and select the group.
    6. When you finish selecting groups, click Add .
    7. (Optional) To remove a group, click Remove group.
    8. Click Save .
    Actor identifier type
    Identifier type of the user who joined the meeting, such as Email Address or Phone Number
    Actor name
    Name of the participant who joined the meeting
    Actor organizational unit
    Organizational unit of the actor
    Calendar event ID
    ID of the calendar event associated with the meeting, if it exists
    Call rating out of 5
    Rating of the Meet meeting from 1 to 5
    City
    City from which the participant joined a meeting
    Client type
    Type of the meet client, such as Android , iOS , or Web browser
    Conference ID
    ID of the conference, which is an instance of a meeting. For example, in an ongoing weekly meeting, each meeting has a unique conference ID.
    Country
    Country/region code of the country/region from which a participant joined the meeting
    Date
    Date and time of the event (displayed in your browser's default time zone)
    Duration (seconds)
    Amount of time a participant stayed in the meeting
    Endpoint ID
    Unique identifier for each participant
    Event
    The logged event action, such as Abuse report submitted or Livestream watched
    IP address
    IP address of the participant who joined the meeting

    IP ASN

    You need to add this column to the search results. For the steps, go to Manage search results column data .

    IP Autonomous System Number (ASN), subdivision, and region associated with the log entry.

    To review the IP ASN and subdivision and region code where the activity happened, click the name in the search results.

    Live stream view page ID
    The ID for the Meet conference live stream view page. Recurrent meetings have the same live stream view page ID
    Meeting code
    Code for the meeting. Recurrent meetings have the same meeting code.
    Organizer email
    Email address of the meeting organizer
    Participant outside organization
    Whether or not the participant is from within the organization
    Product type
    The product used to join the meeting, such as Google Meet
    Resources

    List of resources associated with the action. Click a resource to view the following details:

    • Resource ID —The resource identifier
    • Resource title —Title of the resource
    • Resource type —Google Drive item, email, alert, rule, and so on
    • Resource relation —Relationship of the resource to the event

    • Resource label —List of classification labels for a resource, including Resource label ID , Resource label title , and Resource label field .

      The Resource label field contains the:

      • Label field ID
      • Label field name
      • Label field type —The data type of the label field, such as:
        • Text
        • Number
        • Selection —Included: ID, Display name, Is badged
        • Selection list
        • User —Included: Email
        • User list
        • Date

    If you export the information to a comma-separated values (CSV) file or Google Sheets, the information is saved as a single block of text within a cell.

    Streaming session state
    The status of a streaming session (recording, broadcasting, transcription, etc.)
    Target
    Email address of the reported participant
    Target display names
    Display names of reported users
    Target phone number
    Phone number of the reported device
    Target user count
    The number of users affected by the action

    Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com , you will not see results for events related to OldName@example.com .

    Identify meeting participants

    Some log event attributes described above, such as Actor , Actor Name , and Country , can help you understand who joined meetings inside and outside your organization (internal and external meetings). Depending on the participant and meeting type, information in the log event data might be:

    • Shown as clear text—Displayed as unmasked, readable text.
    • Obscured—Displayed with asterisks (*) to mask the information. For example, an obscured email address might include these characters: li***@s***.com.
    • Not shown—Information that's not displayed in the log.

    The following table shows participant identifiers available in log event data. This table also helps you understand what's available to other organizations when people from your organization join their meetings.

    Participant identifier
    Available information

    Country and IP address

    • Internal participants in your organization's meetings : Shown as clear text
    • External participants in any meeting : Not shown

    Email & device ID

    • Internal & external participants in your organization's meetings : Shown as clear text
    • External participants in external meetings : Obscured
    Name
    Shown as clear text for all participants

    Organizer email

    • Organizers of meetings inside your organization : Shown as clear text
    • Organizers of meetings outside your organization : Obscured
    Phone number
    Obscured for all participants

    Note: When the participant is an anonymous user, the Actor identifier typefield is blank and the Actor Namefield is the name submitted by the user.

    Get other Meet data

    Manage log event data

    Manage search results column data

    You can control which data columns appear in your search results.

    1. At the top-right of the search results table, click Manage columns.
    2. (Optional) To remove current columns, click Remove.
    3. (Optional) To add columns, next to Add new column , click the Down arrowand select the data column.
      Repeat as needed.
    4. (Optional) To change the order of the columns, drag the data column names.
    5. Click Save .

    Export search result data

    You can export search results to Sheets or to a CSV file.

    1. At the top of the search results table, click Export all .
    2. Enter a nameclick Export .
      The export displays below the search results table under Export action results .
    3. To view the data, click the name of your export.
      The export opens in Sheets.

    Export limits vary:

    • The total results of the export are limited to 100,000 rows.
    • Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

      If you have the security investigation tool, the total results of the export are limited to 30 million rows.

    For more information, go to Export search results .

    When and how long is data available?

    Take action based on search results

    Create activity rules & set up alerts

    • You can set up alerts based on log event data using reporting rules. For instructions, go to Create and manage reporting rules .
    • Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

      To help prevent, detect, and remediate security issues efficiently, you can automate actions in the security investigation tool and set up alerts by creating activity rules . To set up a rule, set up conditions for the rule, and then specify the actions to perform when the conditions are met. For more details, go to Create and manage activity rules .

    Take action based on search results

    Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

    After you run a search in the security investigation tool, you can act on your search results. For example, you can run a search based on Gmail log events, and then use the tool to delete specific messages, send messages to quarantine, or send messages to users' inboxes. For more details, go to Take action based on search results .

    Manage your investigations

    Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

    View your list of investigations

    To view a list of the investigations that you own and that were shared with you, click View investigations. The investigation list includes the names, descriptions, and owners of the investigations, and the date last modified.

    From this list, you can take action on any investigations that you own, for example, to delete an investigation. Check the box for an investigation and then click Actions .

    Note : You can view your saved investigations under Quick access , directly above your list of investigations.

    Configure settings for your investigations

    As a super administrator , click Settingsto:

    • Change the time zone for your investigations. The time zone applies to search conditions and results.
    • Turn on or off Require reviewer . For more details, go to Require reviewers for bulk actions .
    • Turn on or off View content . This setting allows admins with the appropriate privileges to view content.
    • Turn on or off Enable action justification .

    For more details, go to Configure settings for your investigations .
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: