BatchUsageLogEvents

JSON representation
UsageLogEvent
- JSON representation
KeyguardDismissedEvent
KeyguardDismissAuthAttemptEvent
- JSON representation
KeyguardSecuredEvent
FilePulledEvent
- JSON representation
FilePushedEvent
- JSON representation
CertAuthorityInstalledEvent
- JSON representation
CertAuthorityRemovedEvent
- JSON representation
CertValidationFailureEvent
- JSON representation
CryptoSelfTestCompletedEvent
- JSON representation
KeyDestructionEvent
- JSON representation
KeyGeneratedEvent
- JSON representation
KeyImportEvent
- JSON representation
KeyIntegrityViolationEvent
- JSON representation
LoggingStartedEvent
LoggingStoppedEvent
LogBufferSizeCriticalEvent
MediaMountEvent
- JSON representation
MediaUnmountEvent
- JSON representation
OsShutdownEvent
OsStartupEvent
- JSON representation
RemoteLockEvent
- JSON representation
WipeFailureEvent
ConnectEvent
- JSON representation
DnsEvent
- JSON representation

Batched event logs of events from the device.

JSON representation
{ "device": string, "user": string, "retrievalTime": string, "usageLogEvents": [ { object (`UsageLogEvent`) } ] }

Fields
`device`	`string` The name of the device in the form ‘enterprises/{enterpriseId}/devices/{deviceId}’
`user`	`string` The resource name of the user that owns this device in the form ‘enterprises/{enterpriseId}/users/{userId}’.
`retrievalTime`	`string (Timestamp format)` The device timestamp when the batch of events were collected from the device. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`usageLogEvents[]`	`object (UsageLogEvent)` The list of UsageLogEvent that were reported by the device, sorted chronologically by the event time.

UsageLogEvent

An event logged on the device.

JSON representation

JSON representation
{ "eventId": string, "eventTime": string, "eventType": enum (`EventType`), // Union field `event` can be only one of the following: "adbShellCommandEvent": { object (`AdbShellCommandEvent`) }, "adbShellInteractiveEvent": { object (`AdbShellInteractiveEvent`) }, "appProcessStartEvent": { object (`AppProcessStartEvent`) }, "keyguardDismissedEvent": { object (`KeyguardDismissedEvent`) }, "keyguardDismissAuthAttemptEvent": { object (`KeyguardDismissAuthAttemptEvent`) }, "keyguardSecuredEvent": { object (`KeyguardSecuredEvent`) }, "filePulledEvent": { object (`FilePulledEvent`) }, "filePushedEvent": { object (`FilePushedEvent`) }, "certAuthorityInstalledEvent": { object (`CertAuthorityInstalledEvent`) }, "certAuthorityRemovedEvent": { object (`CertAuthorityRemovedEvent`) }, "certValidationFailureEvent": { object (`CertValidationFailureEvent`) }, "cryptoSelfTestCompletedEvent": { object (`CryptoSelfTestCompletedEvent`) }, "keyDestructionEvent": { object (`KeyDestructionEvent`) }, "keyGeneratedEvent": { object (`KeyGeneratedEvent`) }, "keyImportEvent": { object (`KeyImportEvent`) }, "keyIntegrityViolationEvent": { object (`KeyIntegrityViolationEvent`) }, "loggingStartedEvent": { object (`LoggingStartedEvent`) }, "loggingStoppedEvent": { object (`LoggingStoppedEvent`) }, "logBufferSizeCriticalEvent": { object (`LogBufferSizeCriticalEvent`) }, "mediaMountEvent": { object (`MediaMountEvent`) }, "mediaUnmountEvent": { object (`MediaUnmountEvent`) }, "osShutdownEvent": { object (`OsShutdownEvent`) }, "osStartupEvent": { object (`OsStartupEvent`) }, "remoteLockEvent": { object (`RemoteLockEvent`) }, "wipeFailureEvent": { object (`WipeFailureEvent`) }, "connectEvent": { object (`ConnectEvent`) }, "dnsEvent": { object (`DnsEvent`) } // End of list of possible types for union field `event`. }

{
  "eventId": string,
  "eventTime": string,
  "eventType": enum (EventType),

  // Union field event can be only one of the following:
  "adbShellCommandEvent": {
    object (AdbShellCommandEvent)
  },
  "adbShellInteractiveEvent": {
    object (AdbShellInteractiveEvent)
  },
  "appProcessStartEvent": {
    object (AppProcessStartEvent)
  },
  "keyguardDismissedEvent": {
    object (KeyguardDismissedEvent)
  },
  "keyguardDismissAuthAttemptEvent": {
    object (KeyguardDismissAuthAttemptEvent)
  },
  "keyguardSecuredEvent": {
    object (KeyguardSecuredEvent)
  },
  "filePulledEvent": {
    object (FilePulledEvent)
  },
  "filePushedEvent": {
    object (FilePushedEvent)
  },
  "certAuthorityInstalledEvent": {
    object (CertAuthorityInstalledEvent)
  },
  "certAuthorityRemovedEvent": {
    object (CertAuthorityRemovedEvent)
  },
  "certValidationFailureEvent": {
    object (CertValidationFailureEvent)
  },
  "cryptoSelfTestCompletedEvent": {
    object (CryptoSelfTestCompletedEvent)
  },
  "keyDestructionEvent": {
    object (KeyDestructionEvent)
  },
  "keyGeneratedEvent": {
    object (KeyGeneratedEvent)
  },
  "keyImportEvent": {
    object (KeyImportEvent)
  },
  "keyIntegrityViolationEvent": {
    object (KeyIntegrityViolationEvent)
  },
  "loggingStartedEvent": {
    object (LoggingStartedEvent)
  },
  "loggingStoppedEvent": {
    object (LoggingStoppedEvent)
  },
  "logBufferSizeCriticalEvent": {
    object (LogBufferSizeCriticalEvent)
  },
  "mediaMountEvent": {
    object (MediaMountEvent)
  },
  "mediaUnmountEvent": {
    object (MediaUnmountEvent)
  },
  "osShutdownEvent": {
    object (OsShutdownEvent)
  },
  "osStartupEvent": {
    object (OsStartupEvent)
  },
  "remoteLockEvent": {
    object (RemoteLockEvent)
  },
  "wipeFailureEvent": {
    object (WipeFailureEvent)
  },
  "connectEvent": {
    object (ConnectEvent)
  },
  "dnsEvent": {
    object (DnsEvent)
  }
  // End of list of possible types for union field event.
}

Fields
`eventId`	`string (int64 format)` Unique id of the event.
`eventTime`	`string (Timestamp format)` Device timestamp when the event was logged. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`eventType`	`enum (EventType)` The particular usage log event type that was reported on the device. Use this to determine which `event` field to access.
Union field `event`. Types of events logged on the device. See each event type for more detail on when it is sent and restrictions on when event is logged and what fields are included. `event` can be only one of the following:
`adbShellCommandEvent`	`object (AdbShellCommandEvent)` A shell command was issued over ADB via “adb shell command”. Part of `SECURITY_LOGS`.
`adbShellInteractiveEvent`	`object (AdbShellInteractiveEvent)` An ADB interactive shell was opened via “adb shell”. Part of `SECURITY_LOGS`.
`appProcessStartEvent`	`object (AppProcessStartEvent)` An app process was started. Part of `SECURITY_LOGS`.
`keyguardDismissedEvent`	`object (KeyguardDismissedEvent)` The keyguard was dismissed. Part of `SECURITY_LOGS`.
`keyguardDismissAuthAttemptEvent`	`object (KeyguardDismissAuthAttemptEvent)` An attempt was made to unlock the device. Part of `SECURITY_LOGS`.
`keyguardSecuredEvent`	`object (KeyguardSecuredEvent)` The device was locked either by user or timeout. Part of `SECURITY_LOGS`.
`filePulledEvent`	`object (FilePulledEvent)` A file was downloaded from the device. Part of `SECURITY_LOGS`.
`filePushedEvent`	`object (FilePushedEvent)` A file was uploaded onto the device. Part of `SECURITY_LOGS`.
`certAuthorityInstalledEvent`	`object (CertAuthorityInstalledEvent)` A new root certificate was installed into the system's trusted credential storage. Part of `SECURITY_LOGS`.
`certAuthorityRemovedEvent`	`object (CertAuthorityRemovedEvent)` A root certificate was removed from the system's trusted credential storage. Part of `SECURITY_LOGS`.
`certValidationFailureEvent`	`object (CertValidationFailureEvent)` An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate. Part of `SECURITY_LOGS`.
`cryptoSelfTestCompletedEvent`	`object (CryptoSelfTestCompletedEvent)` Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted. Part of `SECURITY_LOGS`.
`keyDestructionEvent`	`object (KeyDestructionEvent)` A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. Part of `SECURITY_LOGS`.
`keyGeneratedEvent`	`object (KeyGeneratedEvent)` A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management. Part of `SECURITY_LOGS`.
`keyImportEvent`	`object (KeyImportEvent)` A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. Part of `SECURITY_LOGS`.
`keyIntegrityViolationEvent`	`object (KeyIntegrityViolationEvent)` A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. Part of `SECURITY_LOGS`.
`loggingStartedEvent`	`object (LoggingStartedEvent)` `usageLog` policy has been enabled. Part of `SECURITY_LOGS`.
`loggingStoppedEvent`	`object (LoggingStoppedEvent)` `usageLog` policy has been disabled. Part of `SECURITY_LOGS`.
`logBufferSizeCriticalEvent`	`object (LogBufferSizeCriticalEvent)` The audit log buffer has reached 90% of its capacity, therefore older events may be dropped. Part of `SECURITY_LOGS`.
`mediaMountEvent`	`object (MediaMountEvent)` Removable media was mounted. Part of `SECURITY_LOGS`.
`mediaUnmountEvent`	`object (MediaUnmountEvent)` Removable media was unmounted. Part of `SECURITY_LOGS`.
`osShutdownEvent`	`object (OsShutdownEvent)` Device was shutdown. Part of `SECURITY_LOGS`.
`osStartupEvent`	`object (OsStartupEvent)` Device was started. Part of `SECURITY_LOGS`.
`remoteLockEvent`	`object (RemoteLockEvent)` The device or profile has been remotely locked via the `LOCK` command. Part of `SECURITY_LOGS`.
`wipeFailureEvent`	`object (WipeFailureEvent)` The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. `delete` was received. Part of `SECURITY_LOGS`.
`connectEvent`	`object (ConnectEvent)` A TCP connect event was initiated through the standard network stack. Part of `NETWORK_ACTIVITY_LOGS`.
`dnsEvent`	`object (DnsEvent)` A DNS lookup event was initiated through the standard network stack. Part of `NETWORK_ACTIVITY_LOGS`.

KeyguardDismissedEvent

The keyguard was dismissed. Intentionally empty.

KeyguardDismissAuthAttemptEvent

An attempt was made to unlock the device.

JSON representation
{ "success": boolean, "strongAuthMethodUsed": boolean }

Fields

Fields
`success`	`boolean` Whether the unlock attempt was successful.
`strongAuthMethodUsed`	`boolean` Whether a strong form of authentication (password, PIN, or pattern) was used to unlock device.

success

boolean

Whether the unlock attempt was successful.

strongAuthMethodUsed

boolean

Whether a strong form of authentication (password, PIN, or pattern) was used to unlock device.

KeyguardSecuredEvent

The device was locked either by user or timeout. Intentionally empty.

FilePulledEvent

A file was downloaded from the device.

JSON representation
{ "filePath": string }

Fields

Fields
`filePath`	`string` The path of the file being pulled.

filePath

string

The path of the file being pulled.

FilePushedEvent

A file was uploaded onto the device.

JSON representation
{ "filePath": string }

Fields

Fields
`filePath`	`string` The path of the file being pushed.

filePath

string

The path of the file being pushed.

CertAuthorityInstalledEvent

A new root certificate was installed into the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{ "certificate": string, "userId": integer, "success": boolean }

Fields

Fields
`certificate`	`string` Subject of the certificate.
`userId`	`integer` The user in which the certificate install event happened. Only available for devices running Android 11 and above.
`success`	`boolean` Whether the installation event succeeded.

certificate

string

Subject of the certificate.

userId

integer

The user in which the certificate install event happened. Only available for devices running Android 11 and above.

success

boolean

Whether the installation event succeeded.

CertAuthorityRemovedEvent

A root certificate was removed from the system's trusted credential storage. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{ "certificate": string, "userId": integer, "success": boolean }

Fields

Fields
`certificate`	`string` Subject of the certificate.
`userId`	`integer` The user in which the certificate removal event occurred. Only available for devices running Android 11 and above.
`success`	`boolean` Whether the removal succeeded.

certificate

string

Subject of the certificate.

userId

integer

The user in which the certificate removal event occurred. Only available for devices running Android 11 and above.

success

boolean

Whether the removal succeeded.

CertValidationFailureEvent

An X.509v3 certificate failed to validate, currently this validation is performed on the Wi-FI access point and failure may be due to a mismatch upon server certificate validation. However it may in the future include other validation events of an X.509v3 certificate.

JSON representation
{ "failureReason": string }

Fields

Fields
`failureReason`	`string` The reason why certification validation failed.

failureReason

string

The reason why certification validation failed.

CryptoSelfTestCompletedEvent

Validates whether Android’s built-in cryptographic library (BoringSSL) is valid. Should always succeed on device boot, if it fails, the device should be considered untrusted.

JSON representation
{ "success": boolean }

Fields

Fields
`success`	`boolean` Whether the test succeeded.

success

boolean

Whether the test succeeded.

KeyDestructionEvent

A cryptographic key including user installed, admin installed and system maintained private key is removed from the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{ "keyAlias": string, "applicationUid": integer, "success": boolean }

Fields

Fields
`keyAlias`	`string` Alias of the key.
`applicationUid`	`integer` UID of the application which owns the key.
`success`	`boolean` Whether the operation was successful.

keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which owns the key.

success

boolean

Whether the operation was successful.

KeyGeneratedEvent

A cryptographic key including user installed, admin installed and system maintained private key is installed on the device either by the user or management.This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{ "keyAlias": string, "applicationUid": integer, "success": boolean }

Fields

Fields
`keyAlias`	`string` Alias of the key.
`applicationUid`	`integer` UID of the application which generated the key.
`success`	`boolean` Whether the operation was successful.

keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which generated the key.

success

boolean

Whether the operation was successful.

KeyImportEvent

A cryptographic key including user installed, admin installed and system maintained private key is imported on the device either by the user or management. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{ "keyAlias": string, "applicationUid": integer, "success": boolean }

Fields

Fields
`keyAlias`	`string` Alias of the key.
`applicationUid`	`integer` UID of the application which imported the key
`success`	`boolean` Whether the operation was successful.

keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which imported the key

success

boolean

Whether the operation was successful.

KeyIntegrityViolationEvent

A cryptographic key including user installed, admin installed and system maintained private key is determined to be corrupted due to storage corruption, hardware failure or some OS issue. This is available device-wide on fully managed devices and within the work profile on organization-owned devices with a work profile.

JSON representation
{ "keyAlias": string, "applicationUid": integer }

Fields

Fields
`keyAlias`	`string` Alias of the key.
`applicationUid`	`integer` UID of the application which owns the key

keyAlias

string

Alias of the key.

applicationUid

integer

UID of the application which owns the key

LoggingStartedEvent

usageLog policy has been enabled. Intentionally empty.

LoggingStoppedEvent

usageLog policy has been disabled. Intentionally empty.

LogBufferSizeCriticalEvent

The usageLog buffer on the device has reached 90% of its capacity, therefore older events may be dropped. Intentionally empty.

MediaMountEvent

Removable media was mounted.

JSON representation
{ "mountPoint": string, "volumeLabel": string }

Fields

Fields
`mountPoint`	`string` Mount point.
`volumeLabel`	`string` Volume label. Redacted to empty string on organization-owned managed profile devices.

mountPoint

string

Mount point.

volumeLabel

string

Volume label. Redacted to empty string on organization-owned managed profile devices.

MediaUnmountEvent

Removable media was unmounted.

JSON representation
{ "mountPoint": string, "volumeLabel": string }

Fields

Fields
`mountPoint`	`string` Mount point.
`volumeLabel`	`string` Volume label. Redacted to empty string on organization-owned managed profile devices.

mountPoint

string

Mount point.

volumeLabel

string

Volume label. Redacted to empty string on organization-owned managed profile devices.

OsShutdownEvent

Device was shutdown. Intentionally empty.

OsStartupEvent

Device was started.

JSON representation
{ "verifiedBootState": enum (`VerifiedBootState`), "verityMode": enum (`DmVerityMode`) }

Fields

Fields
`verifiedBootState`	`enum (VerifiedBootState)` Verified Boot state.
`verityMode`	`enum (DmVerityMode)` dm-verity mode.

verifiedBootState

enum (VerifiedBootState)

Verified Boot state.

verityMode

enum (DmVerityMode)

dm-verity mode.

RemoteLockEvent

The device or profile has been remotely locked via the LOCK command.

JSON representation
{ "adminPackageName": string, "adminUserId": integer, "targetUserId": integer }

Fields

Fields
`adminPackageName`	`string` Package name of the admin app requesting the change.
`adminUserId`	`integer` User ID of the admin app from the which the change was requested.
`targetUserId`	`integer` User ID in which the change was requested in.

adminPackageName

string

Package name of the admin app requesting the change.

adminUserId

integer

User ID of the admin app from the which the change was requested.

targetUserId

integer

User ID in which the change was requested in.

WipeFailureEvent

The work profile or company-owned device failed to wipe when requested. This could be user initiated or admin initiated e.g. delete was received. Intentionally empty.

ConnectEvent

A TCP connect event was initiated through the standard network stack.

JSON representation
{ "destinationIpAddress": string, "destinationPort": integer, "packageName": string }

Fields

Fields
`destinationIpAddress`	`string` The destination IP address of the connect call.
`destinationPort`	`integer` The destination port of the connect call.
`packageName`	`string` The package name of the UID that performed the connect call.

destinationIpAddress

string

The destination IP address of the connect call.

destinationPort

integer

The destination port of the connect call.

packageName

string

The package name of the UID that performed the connect call.

DnsEvent

A DNS lookup event was initiated through the standard network stack.

JSON representation
{ "hostname": string, "ipAddresses": [ string ], "totalIpAddressesReturned": string, "packageName": string }

Fields
`hostname`	`string` The hostname that was looked up.
`ipAddresses[]`	`string` The (possibly truncated) list of the IP addresses returned for DNS lookup (max 10 IPv4 or IPv6 addresses).
`totalIpAddressesReturned`	`string (int64 format)` The number of IP addresses returned from the DNS lookup event. May be higher than the amount of ipAddresses if there were too many addresses to log.
`packageName`	`string` The package name of the UID that performed the DNS lookup.