Searching the audit log

Site administrators can search an extensive list of audited actions on the enterprise.

In this article

Search query syntax

Compose a search query from one or more key:value pairs separated by AND/OR logical operators.

KeyValue
actor_idID of the user account that initiated the action
actorName of the user account that initiated the action
oauth_app_idID of the OAuth application associated with the action
actionName of the audited action
user_idID of the user affected by the action
userName of the user affected by the action
repo_idID of the repository affected by the action (if applicable)
repoName of the repository affected by the action (if applicable)
actor_ipIP address from which the action was initiated
created_atTime at which the action occurred
fromView from which the action was initiated
noteMiscellaneous event-specific information (in either plain text or JSON format)
orgName of the organization affected by the action (if applicable)
org_idID of the organization affected by the action (if applicable)

For example, to see all actions that have affected the repository octocat/Spoon-Knife since the beginning of 2017:

repo:"octocat/Spoon-Knife" AND created_at:[2017-01-01 TO *]

For a full list of actions, see "Audited actions."

Searching the audit log

  1. Navigate to your enterprise account by visiting https://HOSTNAME/enterprises/ENTERPRISE-NAME, replacing HOSTNAME with your instance's hostname and ENTERPRISE-NAME with your enterprise account's name.

  2. In the enterprise account sidebar, click Settings.

    Settings tab in the enterprise account sidebar

  3. Under " Settings", click Audit log.

    Audit log tab in the enterprise account sidebar

  4. Type a search query.

    Search query

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.