
G Suite

The Sumo Logic App for G Suite allows you to monitor and analyze activity across all of your G Suite apps in one place. The predefined dashboards present information about administrative and user activities, Drive usage, and logins.

Log Types

Each G Suite app has its own log that tracks actions in JSON format. The logs are all structurally similar. The differences are in the events section of the JSON where the actions are recorded.

The common areas of the logs are:

Event Description


Contains applicationName (for example, drive or admin).


Contains email, which is the Google email address of the person performing the action.


The IP address of the user performing the action.

The events sections of logs are:

Google Login App

Event Description

Login type name

Equivalent of status or type of activity: login_success, logout, or login_failure. In the Login Dashboard, we also have a Panel showing login_failure_type, which displays a reason for the login failure.


Records actions related to a Login Challenge for suspicious sign-ins. Specific results are logged in login_challenge_status, where the possible values are Challenge Failed or Challenge Passed. For more information on login_challenge, refer to the Google documentation.
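
The following Python code is an added example, not part of the Sumo Logic app or its documentation. It uses the common fields and login events described above to flag repeated login failures and failed login challenges. The record nesting (id, actor, events, parameters) is assumed from the Google Reports API activity format, and the sample log lines, failure-type values, and function names are constructed for illustration.

```python
import json
from collections import Counter

def _sample(email, ip, name, app="login", **params):
    """Build one constructed log line; the nesting is an assumed layout."""
    event = {"type": app, "name": name,
             "parameters": [{"name": k, "value": v} for k, v in params.items()]}
    return json.dumps({"id": {"applicationName": app}, "actor": {"email": email},
                       "ipAddress": ip, "events": [event]})

# Constructed sample input (example.com users, documentation-range IPs).
SAMPLE_LOGS = (
    [_sample("alice@example.com", "198.51.100.7", "login_failure",
             login_failure_type="login_failure_invalid_password")] * 3
    + [_sample("bob@example.com", "192.0.2.10", "login_success"),
       _sample("dave@example.com", "192.0.2.4", "login_failure",
               login_failure_type="login_failure_account_disabled"),
       _sample("carol@example.com", "203.0.113.9", "login_challenge",
               login_challenge_status="Challenge Failed"),
       _sample("admin@example.com", "192.0.2.10", "CREATE_USER", app="admin"),
       '{"id": {"applicationName": "login"']  # truncated line, must be skipped
)

def analyze_logins(lines, failure_threshold=3):
    """Return (repeated failures, failure reasons, failed challenges)."""
    failures = Counter()    # (email, ip) -> number of login_failure events
    reasons = Counter()     # login_failure_type -> number of occurrences
    failed_challenges = []  # (email, ip) pairs with a failed login challenge
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("id", {}).get("applicationName") != "login":
            continue  # only the Login app log is relevant here
        who = (rec.get("actor", {}).get("email"), rec.get("ipAddress"))
        for ev in rec.get("events", []):
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            if ev.get("name") == "login_failure":
                failures[who] += 1
                reasons[params.get("login_failure_type", "unknown")] += 1
            elif (ev.get("name") == "login_challenge"
                  and params.get("login_challenge_status") == "Challenge Failed"):
                failed_challenges.append(who)
    repeated = {k: n for k, n in failures.items() if n >= failure_threshold}
    return repeated, dict(reasons), failed_challenges
```

Calling `analyze_logins(SAMPLE_LOGS)` returns the user and IP pairs at or above the failure threshold, a count per login_failure_type, and the accounts whose login challenge failed.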

Google Admin and Token Apps

These are actions performed by Google site administrators.

Event Description


These are actions performed at the individual user level, such as CREATE_USER, DELETE_USER, CHANGE_PASSWORD.

A specific type of individual user action is CREATE_DATA_TRANSFER_REQUEST. This typically occurs after a user has been deleted, and the user’s contents, such as Drive, are transferred to that user’s manager.


These are actions such as adding and removing users from groups.


Other types of actions take place, but they are less common (for example, CHROME_OS_SETTINGS, DEVICE_SETTINGS).

Google Drive App

The Google Drive app logs come in two types: Access and acl_change. A single user action in Drive may generate several events. Of these, one is the primary event and the rest are side effects of that event. We look for the primary event.

Access types include actions such as viewing and downloading a document or folder. They also include creating, uploading, renaming, editing, and moving content.

Acl_change types include changes to who can edit a document or folder, including scope changes.

For document type (doc_type), Google only recognizes its own documents (for example, Document, Spreadsheet, and Presentation). Other document types (such as Excel, PDF, and MP4) are classified as unknown. In a Drive Dashboard Panel, we capture the Google types, and then use the file extension to classify the other types that would otherwise be displayed as unknown.