Skip to main content

此版本的 GitHub Enterprise 已停止服务 2022-10-12. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

Using the audit log API for your enterprise

You can programmatically retrieve enterprise events with the GraphQL API.

Who can use this feature

Enterprise owners and site administrators can use the audit log API.

Using the audit log API

You can interact with the audit log using the GraphQL API.

Timestamps and date fields in the API response are measured in UTC epoch milliseconds.

Querying the audit log GraphQL API

To ensure your intellectual property is secure, and you maintain compliance for your enterprise, you can use the audit log GraphQL API to keep copies of your audit log data and monitor:

  • 对� 的组织或存储库设置的访问
  • 权限的更改
  • 在组织、存储库或团队中添� 或� 除的用户
  • 被提升为管理员的用户
  • GitHub App 权限的更改

Note that you can't retrieve Git events using the audit log API.

The GraphQL response can include data for up to 90 to 120 days.

Example 1: Members added to or removed from organizations in an enterprise

The query below fetches the audit logs for the avocado-corp enterprise and returns the first 10 organizations in the enterprise, where the only actions performed were adding or removing a member from an organization. The first 20 audit log entries for each organization are returned.

This query uses the auditlog field from the Organization object, and the OrgAddMemberAuditEntry and OrgRemoveMemberAuditEntry objects. The GitHub account querying the enterprise audit log must be an organization owner for each organization within the enterprise.

{
  enterprise(slug: "avocado-corp") {
    organizations(first: 10, orderBy: {field: LOGIN, direction: DESC}) {
      nodes {
        name
        auditLog(first: 20) {
          edges {
            node {
              ... on OrgAddMemberAuditEntry {
                action
                actorLogin
                createdAt
              }
              ... on OrgRemoveMemberAuditEntry {
                action
                actorLogin
                createdAt
              }
            }
          }
        }
      }
      pageInfo {
        hasNextPage
        endCursor
      }
    }
  }
}

The GraphQL API will return at most 100 nodes per query. To retrieve additional results, you'll need to implement pagination. For more information, see "Resource limitations" in the GraphQL API documentation and Pagination in the official GraphQL documentation.

Example 2: Events in an organization, for a specific date and actor

You can specify multiple search phrases, such as created and actor, by separating them in your query string with a space.

The query below fetches all the audit logs for the avocado-corp enterprise that relate to the octo-org organization, where the actions were performed by the octocat user on or after the 1 Jan, 2022. The first 20 audit log entries are returned, with the newest log entry appearing first.

This query uses the AuditEntry interface. The GitHub account querying the enterprise audit log must be an owner of the octo-org organization.

{
  enterprise(slug: "avocado-corp") {
    organizations(first: 1, query: "octo-org") {
      nodes {
        name
        auditLog(first: 20, query: "actor:octocat created:>=2022-01-01T00:00:00.000Z", orderBy: {field: CREATED_AT, direction: DESC}) {
          edges {
            node {
              ... on AuditEntry {
                action
                actorLogin
                createdAt
                user {
                  name
                }
              }
            }
          }
        }
      }
    }
  }
}

For more query examples, see the platform-samples repository.