Skip to main content

This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Auditing users across your enterprise

The audit log dashboard shows site administrators the actions performed by all users and organizations across your enterprise within the last 180 days. The audit log includes details such as who performed the action, what the action was, and when the action was performed.

Accessing the audit log

The audit log dashboard gives you a visual display of audit data across your enterprise.

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

    Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.

  2. On the left side of the page, in the enterprise account sidebar, click Settings.

  3. Under " Settings", click Audit log.

Within the map, you can pan and zoom to see events around the world. Hover over a country to see a quick count of events from that country.

Searching for events across your enterprise

The audit log lists the following information about actions made within your enterprise:

Note

  • While you can't use text to search for audit entries, you can construct search queries using a variety of filters. GitHub Enterprise Server supports many operators for searching across GitHub Enterprise Server. For more information, see About searching on GitHub.
  • Audit records are available for the last 180 days.

Search based on the repository

The repo qualifier limits actions to a specific repository owned by your organization. For example:

  • repo:my-org/our-repo finds all events that occurred for the our-repo repository in the my-org organization.
  • repo:my-org/our-repo repo:my-org/another-repo finds all events that occurred for both the our-repo and another-repo repositories in the my-org organization.
  • -repo:my-org/not-this-repo excludes all events that occurred for the not-this-repo repository in the my-org organization.

You must include your organization's name within the repo qualifier; searching for just repo:our-repo will not work.

Search based on the user

The actor qualifier scopes events based on the member of your organization that performed the action. For example:

  • actor:octocat finds all events performed by octocat.
  • actor:octocat actor:hubot finds all events performed by both octocat and hubot.
  • -actor:hubot excludes all events performed by hubot.

You can only use a GitHub Enterprise Server username, not an individual's real name.

Search based on the organization

The org qualifier limits actions to a specific organization. For example:

  • org:my-org finds all events that occurred for the my-org organization.
  • org:my-org action:team finds all team events performed within the my-org organization.
  • -org:my-org excludes all events that occurred for the my-org organization.

Search based on the action performed

The action qualifier searches for specific events, grouped within categories. For information on the events associated with these categories, see Audit log events for your enterprise.

Category nameDescription
hookContains all activities related to webhooks.
orgContains all activities related organization membership
repoContains all activities related to the repositories owned by your organization.
teamContains all activities related to teams in your organization.

You can search for specific sets of actions using these terms. For example:

  • action:team finds all events grouped within the team category.
  • -action:billing excludes all events in the billing category.

Each category has a set of associated events that you can filter on. For example:

  • action:team.create finds all events where a team was created.
  • -action:billing.change_email excludes all events where the billing email was changed.

Search based on the location

The country qualifier filters actions by the originating country.

  • You can use a country's two-letter short code or its full name.
  • Countries with spaces in their name must be wrapped in quotation marks. For example:
    • country:de finds all events that occurred in Germany.
    • country:Mexico finds all events that occurred in Mexico.
    • country:"United States" all finds events that occurred in the United States.

Search based on the time of action

The created qualifier filters actions by the time they occurred.

  • Define dates using the format of YYYY-MM-DD--that's year, followed by month, followed by day.
  • Dates support greater than, less than, and range qualifiers. For example:
    • created:2014-07-08 finds all events that occurred on July 8th, 2014.
    • created:>=2014-07-01 finds all events that occurred on or after July 8th, 2014.
    • created:<=2014-07-01 finds all events that occurred on or before July 8th, 2014.
    • created:2014-07-01..2014-07-31 finds all events that occurred in the month of July 2014.