Auditing users across your instance

Accessing the GitHub Enterprise Server audit log

The audit log dashboard gives you a visual display of audit data across your GitHub Enterprise Server instance.

1. In the upper-right corner of any page, click .

   

2. In the left sidebar, click Audit log.

   

Within the map, you can pan and zoom to see events around the world. Hover over a country to see a quick count of events from that country.

Searching for events across your instance

The audit log lists the following information about actions made within your GitHub Enterprise Server instance:

• The repository an action was performed in
• The user who performed the action
• Which organization an action pertained to
• The action that was performed
• Which country the action took place in
• The date and time the action occurred

Search based on the repository

The repo qualifier limits actions to a specific repository owned by your organization. For example:

• repo:my-org/our-repo finds all events that occurred for the our-repo repository in the my-org organization.
• repo:my-org/our-repo repo:my-org/another-repo finds all events that occurred for both the our-repo and another-repo repositories in the my-org organization.
• -repo:my-org/not-this-repo excludes all events that occurred for the not-this-repo repository in the my-org organization.

You must include your organization's name within the repo qualifier; searching for just repo:our-repo will not work.

Search based on the user

The actor qualifier scopes events based on the member of your organization that performed the action. For example:

• actor:octocat finds all events performed by octocat.
• actor:octocat actor:hubot finds all events performed by both octocat and hubot.
• -actor:hubot excludes all events performed by hubot.

You can only use a GitHub Enterprise Server username, not an individual's real name.

Search based on the organization

The org qualifier limits actions to a specific organization. For example:

• org:my-org finds all events that occured for the my-org organization.
• org:my-org action:team finds all team events performed within the my-org organization.
• -org:my-org excludes all events that occured for the my-org organization.

Search based on the action performed

The action qualifier searches for specific events, grouped within categories. For information on the events associated with these categories, see "Audited actions".

You can search for specific sets of actions using these terms. For example:

• action:team finds all events grouped within the team category.
• -action:billing excludes all events in the billing category.

Each category has a set of associated events that you can filter on. For example:

• action:team.create finds all events where a team was created.
• -action:billing.change_email excludes all events where the billing email was changed.

Search based on the location

The country qualifier filters actions by the originating country.

• You can use a country's two-letter short code or its full name.

• Countries with spaces in their name must be wrapped in quotation marks. For example:

  • country:de finds all events that occurred in Germany.
  • country:Mexico finds all events that occurred in Mexico.
  • country:"United States" all finds events that occurred in the United States.

Search based on the time of action

The created qualifier filters actions by the time they occurred.

• Define dates using the format of YYYY-MM-DD--that's year, followed by month, followed by day.

• Dates support greater than, less than, and range qualifiers. For example:

  • created:2014-07-08 finds all events that occurred on July 8th, 2014.
  • created:>=2014-07-01 finds all events that occurred on or after July 8th, 2014.
  • created:<=2014-07-01 finds all events that occurred on or before July 8th, 2014.
  • created:2014-07-01..2014-07-31 finds all events that occurred in the month of July 2014.