Skip to main content

Searching the audit log for your enterprise

You can search an extensive list of audited actions in your enterprise.

Who can use this feature

Enterprise owners can search the audit log.

About search for the enterprise audit log

You can search your enterprise audit log directly from the user interface by using the Filters dropdown, or by typing a search query.

Search query

For more information about viewing your enterprise audit log, see "Accessing the audit log for your enterprise."

You can also use the API to retrieve audit log events. For more information, see "Using the audit log API for your enterprise."

You cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as -, >, or <, match the same format as searching across GitHub AE. For more information, see "Searching on GitHub."

Note: 审核日志列出了由影响企业的活动触发的事件。 GitHub AE 的审核日志将无限期保留,除非企业所有者配置了不同的保留期。 有关详细信息,请参阅“为企业配置审核日志”。

默认情况下,仅显示过去三个月的事件。 若要查看较旧的事件,必须使用 created 参数指定日期范围。 有关详细信息,请参阅“了解搜索语法”。

Search query filters

Yesterday's activityAll actions created in the past day.
Enterprise account managementAll actions in the business category.
Organization membershipAll actions for when a new user was invited to join an organization.
Team managementAll actions related to team management.
- When a user account or repository was added or removed from a team
- When a team maintainer was promoted or demoted
- When a team was deleted
Repository managementAll actions for repository management.
- When a repository was created or deleted
- When the repository visibility was changed
- When a team was added or removed from a repository
Hook activityAll actions for webhooks and pre-receive hooks.
Security managementAll actions concerning SSH keys, deploy keys, security keys, 2FA, and SAML single sign-on credential authorization, and vulnerability alerts for repositories.

Search query syntax

You can compose a search query from one or more key:value pairs, separated by AND/OR logical operators. For example, to see all actions that have affected the repository octocat/Spoon-Knife since the beginning of 2017:

repo:"octocat/Spoon-Knife" AND created:>=2017-01-01

The key:value pairs that can be used in a search query are:

actor_idID of the user account that initiated the action
actorName of the user account that initiated the action
oauth_app_idID of the OAuth application associated with the action
actionName of the audited action
user_idID of the user affected by the action
userName of the user affected by the action
repo_idID of the repository affected by the action (if applicable)
repoName of the repository affected by the action (if applicable)
actor_ipIP address from which the action was initiated
createdTime at which the action occurred
fromView from which the action was initiated
noteMiscellaneous event-specific information (in either plain text or JSON format)
orgName of the organization affected by the action (if applicable)
org_idID of the organization affected by the action (if applicable)
businessName of the enterprise affected by the action (if applicable)
business_idID of the enterprise affected by the action (if applicable)

To see actions grouped by category, you can also use the action qualifier as a key:value pair. For more information, see "Search based on the action performed."

For a full list of actions in your enterprise audit log, see "Audit log actions for your enterprise."

Searching the audit log


使用 operation 限定符将操作限制为特定类型的操作。 例如:

  • operation:access 查找访问过资源的所有事件。
  • operation:authentication 查找执行过身份验证事件的所有事件。
  • operation:create 查找创建过资源的所有事件。
  • operation:modify 查找修改过现有资源的所有事件。
  • operation:remove 查找删除过现有资源的所有事件。
  • operation:restore 查找还原过现有资源的所有事件。
  • operation:transfer 查找传输过现有资源的所有事件。


使用 repo 限定符将操作限制到特定存储库。 例如:

  • repo:my-org/our-repo 查找 my-org 组织中 our-repo 存储库发生的所有事件。
  • repo:my-org/our-repo repo:my-org/another-repo 查找 my-org 组织中 our-repoanother-repo 存储库发生的所有事件。
  • -repo:my-org/not-this-repo 排除 my-org 组织中 not-this-repo 存储库发生的所有事件。

请注意,必须在 repo 限定符包括帐户名称;仅搜索 repo:our-repo 将不起作用。


actor 限定符可将事件范围限于执行操作的人员。 例如:

  • actor:octocat 查找 octocat 执行的所有事件。
  • actor:octocat actor:hubot 查找 octocathubot 执行的所有事件。
  • -actor:hubot 排除 hubot 执行的所有事件。

请注意,只能使用 GitHub AE 用户名,而不是个人的真实姓名。

Search based on the action performed

To search for specific events, use the action qualifier in your query. For example:

  • action:team finds all events grouped within the team category.
  • -action:hook excludes all events in the webhook category.

Each category has a set of associated actions that you can filter on. For example:

  • action:team.create finds all events where a team was created.
  • -action:hook.events_changed excludes all events where the events on a webhook have been altered.

Actions that can be found in your enterprise audit log are grouped within the following categories:

| 类别名称 | 说明 |------------------|------------------- | artifact | 包含与 GitHub Actions 工作流运行工件相关的活动。 | business | 包含与企业的业务设置相关的活动。 | checks | 包含与检查套件和运行相关的活动。 | commit_comment | 包含与更新或删除提交评论相关的活动。 | dependabot_alerts | 包含现有存储库中 Dependabot alerts 的组织级配置活动。 有关详细信息,请参阅“关于 Dependabot alerts”。 | dependabot_alerts_new_repos | 包含组织新建存储库中 Dependabot alerts 的组织级配置活动。 | dependabot_repository_access | 包含与允许 Dependabot 访问组织中哪些专用存储库相关的活动。 | dependency_graph | 包含存储库依赖项关系图的组织级配置活动。 有关详细信息,请参阅“关于依赖项关系图”。 | dependency_graph_new_repos | 包含组织新建存储库的组织级配置活动。 | external_group | 包含与 Okta 组相关的活动。 | external_identity | 包含与 Okta 组中的用户相关的活动。 | gist | 包含与 Gists 相关的活动。 | hook | 包含与 Webhook 相关的活动。 | integration | 包含与帐户中的集成相关的活动。 | integration_installation | 包含与帐户中安装的集成相关的活动。 | integration_installation_request | 包含与组织成员请求所有者批准在组织中使用的集成相关的活动。 | ip_allow_list | 包含与为组织启用或禁用 IP 允许列表相关的活动。 | ip_allow_list_entry | 包含与为组织创建、删除和编辑 IP 允许列表条目相关的活动。 | issue | 包含与固定、转移或删除存储库中问题相关的活动。 | issue_comment | 包含与固定、转移或删除问题评论相关的活动。 | issues | 包含与为组织启用或禁用问题创建相关的活动。 | members_can_create_pages | 包含与管理组织存储库的 GitHub Pages 站点发布相关的活动。 有关详细信息,请参阅“为组织管理 GitHub Pages 站点的发布”。 | members_can_create_private_pages | 包含与管理组织存储库的专用 GitHub Pages 站点发布相关的活动。 | members_can_create_public_pages | 包含与管理组织存储库的公共 GitHub Pages 站点发布相关的活动。 | members_can_delete_repos | 包含与为组织启用或禁用存储库创建相关的活动。 | oauth_access | 包含与 OAuth 访问令牌相关的活动。 | oauth_application | 包含与 OAuth 应用相关的活动。 | org | 包含与组织成员身份相关的活动。 | org_credential_authorization | 包含与授权凭据以用于 SAML 单一登录相关的活动。 | organization_default_label | 包含与组织中存储库的默认标签相关的活动。 | private_repository_forking | 包含与允许存储库、组织或企业的专用和内部存储库分支相关的活动。 | project | 包含与项目板相关的活动。 | project_field | 包含与项目板中的字段创建和删除相关的活动。 | project_view | 包含与项目板中的视图创建和删除相关的活动。 | protected_branch | 包含与受保护分支相关的活动。 | public_key | 包含与 SSH 密钥和部署密钥相关的活动。 | pull_request | 包含与拉取请求评审相关的活动。 | pull_request_review | 包含与拉取请求评审相关的活动。 | pull_request_review_comment | 包含与拉取请求评审评论相关的活动。 | repo | 包含与组织拥有的存储库相关的活动。 | repository_image | 包含与存储库映像相关的活动。 | repository_invitation | 包含与邀请加入存储库相关的活动。 | repository_projects_change | 包含与为存储库或组织中的所有存储库启用项目相关的活动。 | repository_secret_scanning | 包含与机密扫描相关的存储库级活动。 有关详细信息,请参阅“关于机密扫描”。 | repository_vulnerability_alert | 包含与 Dependabot alerts 相关的活动。 | secret_scanning | 包含现有存储库中机密扫描的组织级配置活动。 有关详细信息,请参阅“关于机密扫描”。 | secret_scanning_new_repos | 包含组织新建存储库中机密扫描的组织级配置活动。 | security_key | 包含与安全密钥注册和删除相关的活动。 | ssh_certificate_authority | 包含与组织或企业中的 SSH 证书颁发机构相关的活动。 | ssh_certificate_requirement | 包含与要求成员使用 SSH 证书访问组织资源相关的活动。 | staff | 包含与执行操作的站点管理员相关的活动。 | team | 包含与组织中的团队相关的活动。 | team_discussions | 包含与管理组织的团队讨论相关的活动。 | user | 包含与企业或组织中的用户相关的活动。 | workflows | 包含与 GitHub Actions 工作流相关的活动。

Search based on time of action

Use the created qualifier to filter events in the audit log based on when they occurred.

日期格式必须遵循 ISO8601 标准,即 YYYY-MM-DD(年-月-日)。 也可以在日期后添加可选的时间信息 THH:MM:SS+00:00,以按小时、分钟和秒进行搜索。 即 T,随后是 HH:MM:SS(时-分-秒)和 UTC 时差 (+00:00)。

搜索日期时,可以使用大于、小于和范围限定符来进一步筛选结果。 有关详细信息,请参阅“了解搜索语法”。

For example:

  • created:2014-07-08 finds all events that occurred on July 8th, 2014.
  • created:>=2014-07-08 finds all events that occurred on or after July 8th, 2014.
  • created:<=2014-07-08 finds all events that occurred on or before July 8th, 2014.
  • created:2014-07-01..2014-07-31 finds all events that occurred in the month of July 2014.

Search based on location

Using the qualifier country, you can filter events in the audit log based on the originating country. You can use a country's two-letter short code or full name. Countries with spaces in their name will need to be wrapped in quotation marks. For example:

  • country:de finds all events that occurred in Germany.
  • country:Mexico finds all events that occurred in Mexico.
  • country:"United States" all finds events that occurred in the United States.