- About Google Apps Audits
- Audit Monitors
- Managing the GPG Key
- User Account Activity
- User Mailbox Exports
- Using GPG with Audits
GAM now gives admins the ability to audit users accounts using the newly announced Google Apps Audit API. With Auditing, you can monitor current emails and chats to and from a user, you can get an user activity log showing login, login failures and logouts for the past 30 days and you can export a user's mailbox for discovery purposes.
You, the Google Apps Administrator, are responsible for using Audits legally and ethically according to your country, state and organization's rules. The Google Apps API Terms Section 10 specifies that The Audit API is not designed and should not be used for general backup, archival, or journaling purposes. Google reserves the right to prevent a customer from using the Audit API in ways that might adversely impact the performance or usability of the Audit API. You the Administrator take all responsibility for using GAM to make Audit requests for your domain(s).
gam audit monitor create <source user> <destination user> [begin <begin date>] [end <end date>] [incoming_headers]
[outgoing_headers] [nochats] [nodrafts] [chat_headers] [draft_headers]
create an audit monitor for the source user. All Mail to and from the source user will be forwarded to the destination user. By default, the audit will begin immediately and last for 30 days. Optional parameters begin and end can set the start and end times. Both parameters must be in the future with end being later than begin, the format is "YYYY-MM-DD hh:mm". Optional parameters, incoming_headers and outgoing_headers configure the audit to not send the given message's full email body but just the message headers. By default, the audit will also forward the source user's Chats and saved message Drafts. The optional parameters nochats and nodrafts disable forwarding of these type of messages. The optional parameters chat_headers and draft_headers tell the audit to only send the headers of the given messages instead of the full message body.
Only one audit is possible per a source and destination user combo. Creating a new audit with the same source and destination of an existing audit will overwrite the settings of the current of the existing audit.
This example configures an audit of the source user, forwarding full copies of all incoming, outgoing, chat and draft messages to the destination user. The audit will start immediately and terminate in 30 days time
gam audit monitor create jsmith fthomas
This example will start the audit on the given date and end it on the given date. Only message headers of each type will be sent to fthomas
gam audit monitor create jsmith fthomas begin "2010-07-15 12:00" end "2011-07-15 12:00"
incoming_headers outgoing_headers chat_headers draft_headers
This example will not capture drafts or chats
gam audit monitor create jsmith fthomas nochats nodrafts
gam audit monitor list <source user>
shows the current audit monitors for the user source user.
This example will list the current monitors for the user jsmith
gam audit monitor list jsmith
jsmith has the following monitors:
Destination: fthomas
Begin: 2010-07-04 12:00
End: 2010-08-05 12:00
Monitor Incoming: HEADER_ONLY
Monitor Outgoing: HEADER_ONLY
Monitor Chats: NONE
Monitor Drafts: NONE
gam audit monitor delete <source user> <destination user>
delete the audit monitor for the given source user / destination user combo.
This example deletes the monitor that is sending all jsmith's mail to fthomas
gam audit monitor delete jsmith fthomas
gam audit uploadkey
updates the public GPG key that Google's servers use to encrypt Audit Activity and Export files. The key should be provided on Standard Input. See Using GPG with Audits for more details on GPG keys.
This example tells GPG to print the key on standard output and gam reads the key on standard input
gpg --export --armor | gam audit uploadkey
gam audit activity request <user>
request the account activity of the given user. Requests can take several hours/days to be completed by Google's servers. GAM will print out a request ID which can be used to monitor the progress of the request (see Retrieving Request Status below). Note that before requesting an account's activity, a GPG key should be uploaded to Google Servers. See Using GPG with Audits for more details on GPG keys. Failure to upload a key will result in the activity request always getting a status of ERROR.
This example creates a request for the user's activity
gam audit activity request jsmith
gam audit activity status [user] [request_id]
get the current status of existing account activity requests. Optionally, a user and request_id can be specified to limit the retrieval to a single request.
This example retrieves the status of all current activity requests
gam audit activity status
gam audit activity download <user> <request_id>
download the results of an activity request that has a status of COMPLETED. The required parameters user and request_id specify which request to download. The GPG encrypted activity file will be saved to a file named with the format activity-username-request_id-1.txt.gpg and should be decrypted with GPG.
This example downloads the encrypted activity log of the COMPLETED request
gam audit activity download jsmith 234342
gam audit activity delete <user> <request_id>
delete the completed activity request for the given user. User and Request ID are required parameters.
This example deletes the completed activity request for the user
gam audit activity delete jsmith 234342
gam audit export request <user> [begin <Begin Date>] [end <End Date>] [search <Search Query>] [headersonly] [includedeleted]
request an export of all mail in a user's mailbox. Optional parameters begin and end date specify the range of messages that should be included in the export and should be of the format "YYYY-MM-DD hh:mm". By default, export begins at account creation and ends at the time of the export request. Optional parameter search, specifies a search query defining what messages should be included in the export. The query parameters are the same as those used in the Gmail interface and described here. Optional parameter headersonly specifies that only the message headers should be included in the export instead of the full message body. Optional parameter includedeleted specifies that deleted messages should also be included in the export.
Note that before requesting an export of an account, a GPG key should be uploaded to Google's Server. See Using GPG with Audits for more details on GPG keys. Failure to upload a key will result in the export request always getting a status of ERROR.
This example requests an export of all of a user's mail including deleted messages
gam audit export request jsmith includedeleted
This example requests an export of all of a user's mail for a 30 day range including deleted
gam audit export request jsmith begin "2010-06-01 00:00" end "2010-07-01 00:00" includedeleted
This example requests an export of all of a user's mail that has the word secret in the message subject
gam audit export request jsmith search "subject:secret"
gam audit export status [user] [request_id]
retrieve the status of current export requests. If the optional parameters user and request_id are specified, only the status of the one request will be retrieved, otherwise all current requests' status will be retrieved.
This example shows the status of all current export requests
gam audit export status
gam audit export download <user> <request_id>
download the encrypted results of a completed export request. The required parameters user and request_id specify which request's results should be downloaded. The encrypted files are saved with file names of export-username-request_id-file_number.mbox.gpg. If a file already exists on the hard drive, GAM will not re-download that file. GAM does not verify that the existing local file is complete, only that it exists. Thus if a download is interrupted, delete the partially downloaded file and start the process again, GAM will then skip over the files that have finished downloading. After they have been downloaded, they can be decrypted with GPG and then viewed with a mail client like Thunderbird.
This example downloads the completed export request for jsmith
gam audit export download jsmith 344920
gam audit export delete <user> <request_id>
delete the completed export request. The required parameters user and request_id specify which request to delete.
This example deletes the export request for the given user
gam audit export delete jsmith 344920
Google's Servers use GPG to encrypt files that you request via the Audit API for account activity and mailbox export. Before you can successfully request a user account activity log or mailbox export, you need to create a GPG and upload it to Google's Servers for their use.
A Windows version of GPG can be downloaded here. I suggest installing it to an easy to remember location like C:\GPG.
GPG comes with many Linux distributions by default. Try opening a Terminal and typing:
gpg --version
if you get an error, visit your Linux Distributions website and search for instructions on installing GPG.
You can download a version of GPG for Macs here. Download the GPG Suite and run the package installer. The GUI suite will open. You can quit it and continue as below or use the GUI to generate your key.
Run the command:
gpg --gen-key --expert
you will be prompted for the kind of key you want, choose "RSA and RSA (default)".
Next you'll be prompted for the keysize. This determines how strong the encryption is. If you're not paranoid about security, I suggest choosing a smaller key size as bigger keys will take longer to encrypt/decrypt your data thus greatly slowing down the process (especially for large exports), 1024 should be fine in most cases.
Next you'll be prompted for how long the key should be valid. Specify 0 so that the key does not expire.
Next you'll be prompted for your name, email address and a comment. Remember the name you enter, you'll need it for the next step. Google doesn't really use this information so feel free to make something up if you want.
Finally, you'll be prompted for a passphrase, you'll need this passphrase in order to decrypt activity logs and exports so make sure you remember what it is!
You can now upload your key to Google's Servers with the command:
gpg --export --armor -a "Your Name" | \path\to\gam\gam audit uploadkey
where "Your Name" is the name you entered for yourself in the last GPG command. This will output the GPG key and "pipe" it into GAM, telling GAM to upload the key to Google.
Once you've submitted requests, the requests complete and you download requests, you can decrypt the data with GPG. The command to decrypt is:
gpg --output <new decrypted file> --decrypt <encrypted file>
encrypted file is one of the files GAM downloaded from a completed activity or export request. In the case of exports, you may have multiple files to decrypt. Here's an example decrypt command:
gpg --output jsmith-activity.txt --decrypt c:\gam\activity-jsmith-34231-1.txt.gpg
this will create a file jsmith-activity.txt with the decrypted results.