Skip to main content
The REST API is now versioned. For more information, see "About API versioning."

REST API endpoints for enterprise audit logs

Use the REST API to retrieve audit logs for an enterprise.

These endpoints only support authentication using a personal access token (classic). For more information, see "Managing your personal access tokens."

Get the audit log for an enterprise

Gets the audit log for an enterprise.

This endpoint has a rate limit of 1,750 queries per hour per user and IP address. If your integration receives a rate limit error (typically a 403 or 429 response), it should wait before making another request to the GitHub API. For more information, see "Rate limits for the REST API" and "Best practices for integrators."

The authenticated user must be an enterprise admin to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the read:audit_log scope to use this endpoint.

Fine-grained access tokens for "Get the audit log for an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Enterprise administration" business permissions (read)

Parameters for "Get the audit log for an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

Query parameters
Name, Type, Description
phrase string

A search phrase. For more information, see Searching the audit log.

include string

The event types to include:

  • web - returns web (non-Git) events.
  • git - returns Git events.
  • all - returns both web and Git events.

The default is web.

Can be one of: web, git, all

after string

A cursor, as given in the Link header. If specified, the query only searches for events after this cursor.

before string

A cursor, as given in the Link header. If specified, the query only searches for events before this cursor.

order string

The order of audit log events. To list newest events first, specify desc. To list oldest events first, specify asc.

The default is desc.

Can be one of: desc, asc

page integer

The page number of the results to fetch. For more information, see "Using pagination in the REST API."

Default: 1

per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Default: 30

HTTP response status codes for "Get the audit log for an enterprise"

Status codeDescription
200

OK

Code samples for "Get the audit log for an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/enterprises/{enterprise}/audit-log
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log

Response

Status: 200
[ { "@timestamp": 1606929874512, "action": "team.add_member", "actor": "octocat", "created_at": 1606929874512, "_document_id": "xJJFlFOhQ6b-5vaAFy9Rjw", "org": "octo-corp", "team": "octo-corp/example-team", "user": "monalisa" }, { "@timestamp": 1606507117008, "action": "org.create", "actor": "octocat", "created_at": 1606507117008, "_document_id": "Vqvg6kZ4MYqwWRKFDzlMoQ", "org": "octocat-test-org" }, { "@timestamp": 1605719148837, "action": "repo.destroy", "actor": "monalisa", "created_at": 1605719148837, "_document_id": "LwW2vpJZCDS-WUmo9Z-ifw", "org": "mona-org", "repo": "mona-org/mona-test-repo", "visibility": "private" } ]

Get the audit log stream key for encrypting secrets

Retrieves the audit log streaming public key for encrypting secrets.

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."

Fine-grained access tokens for "Get the audit log stream key for encrypting secrets"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "Get the audit log stream key for encrypting secrets"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

HTTP response status codes for "Get the audit log stream key for encrypting secrets"

Status codeDescription
200

The stream key for the audit log streaming configuration was retrieved successfully.

Code samples for "Get the audit log stream key for encrypting secrets"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/enterprises/{enterprise}/audit-log/stream-key
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log/stream-key

The stream key for the audit log streaming configuration was retrieved successfully.

Status: 200
{ "key_id": "123", "key": "actual-public-key-value" }

List audit log stream configurations for an enterprise

Lists the configured audit log streaming configurations for an enterprise. This only lists configured streams for supported providers.

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."

Fine-grained access tokens for "List audit log stream configurations for an enterprise"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "List audit log stream configurations for an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

HTTP response status codes for "List audit log stream configurations for an enterprise"

Status codeDescription
200

OK

Code samples for "List audit log stream configurations for an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/enterprises/{enterprise}/audit-log/streams
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log/streams

OK

Status: 200
[ { "id": 1, "stream_type": "Splunk", "stream_details": "US", "enabled": true, "created_at": "2024-06-06T08:00:00Z", "updated_at": "2024-06-06T08:00:00Z", "paused_at": null } ]

Create an audit log streaming configuration for an enterprise

Creates an audit log streaming configuration for any of the supported streaming endpoints: Azure Blob Storage, Azure Event Hubs, Amazon S3, Splunk, Google Cloud Storage, Datadog.

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."

Fine-grained access tokens for "Create an audit log streaming configuration for an enterprise"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "Create an audit log streaming configuration for an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

Body parameters
Name, Type, Description
enabled boolean Required

This setting pauses or resumes a stream.

stream_type string Required

The audit log streaming provider. The name is case sensitive.

Can be one of: Azure Blob Storage, Azure Event Hubs, Amazon S3, Splunk, HTTPS Event Collector, Google Cloud Storage, Datadog

vendor_specific object Required
Name, Type, Description
AzureBlobConfig object Required

Azure Blob Config for audit log streaming configuration.

Name, Type, Description
key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

encrypted_sas_url string Required
AzureHubConfig object Required

Azure Event Hubs Config for audit log streaming configuration.

Name, Type, Description
name string Required

Instance name of Azure Event Hubs

encrypted_connstring string Required

Encrypted Connection String for Azure Event Hubs

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

AmazonS3OIDCConfig object Required

Amazon S3 OIDC Config for audit log streaming configuration.

Name, Type, Description
bucket string Required

Amazon S3 Bucket Name.

region string Required

AWS S3 Bucket Region.

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

authentication_type string Required

Authentication Type for Amazon S3.

Value: oidc

arn_role string Required
AmazonS3AccessKeysConfig object Required

Amazon S3 Access Keys Config for audit log streaming configuration.

Name, Type, Description
bucket string Required

Amazon S3 Bucket Name.

region string Required

Amazon S3 Bucket Name.

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

authentication_type string Required

Authentication Type for Amazon S3.

Value: access_keys

encrypted_secret_key string Required

Encrypted AWS Secret Key.

encrypted_access_key_id string Required

Encrypted AWS Access Key ID.

SplunkConfig object Required

Splunk Config for Audit Log Stream Configuration

Name, Type, Description
domain string Required

Domain of Splunk instance.

port integer Required

The port number for connecting to Splunk.

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

encrypted_token string Required

Encrypted Token.

ssl_verify boolean Required

SSL verification helps ensure your events are sent to your Splunk endpoint securely.

GoogleCloudConfig object Required

Google Cloud Config for audit log streaming configuration.

Name, Type, Description
bucket string Required

Google Cloud Bucket Name

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

encrypted_json_credentials string Required
DatadogConfig object Required

Datadog Config for audit log streaming configuration.

Name, Type, Description
encrypted_token string Required

Encrypted Splunk token.

site string Required

Datadog Site to use.

Can be one of: US, US3, US5, EU1, US1-FED, AP1

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

HTTP response status codes for "Create an audit log streaming configuration for an enterprise"

Status codeDescription
200

The audit log stream configuration was created successfully.

Code samples for "Create an audit log streaming configuration for an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

post/enterprises/{enterprise}/audit-log/streams
curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log/streams \ -d '{"enabled":false,"stream_type":"Azure Event Hubs","vendor_specific":{"namespace":"newnamespace","shared_access_key_name":"newaccesskeyname","shared_access_key":"newaccesskey","event_hub_name":"neweventhub"}}'

The audit log stream configuration was created successfully.

Status: 200
{ "id": 1, "stream_type": "Splunk", "stream_details": "US", "enabled": true, "created_at": "2024-06-06T08:00:00Z", "updated_at": "2024-06-06T08:00:00Z", "paused_at": null }

List one audit log streaming configuration via a stream ID

Lists one audit log stream configuration via a stream ID.

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."

Fine-grained access tokens for "List one audit log streaming configuration via a stream ID"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "List one audit log streaming configuration via a stream ID"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

stream_id integer Required

The ID of the audit log stream configuration.

HTTP response status codes for "List one audit log streaming configuration via a stream ID"

Status codeDescription
200

Lists one audit log stream configuration via stream ID.

Code samples for "List one audit log streaming configuration via a stream ID"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/enterprises/{enterprise}/audit-log/streams/{stream_id}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log/streams/STREAM_ID

Lists one audit log stream configuration via stream ID.

Status: 200
{ "id": 1, "stream_type": "Splunk", "stream_details": "US", "enabled": true, "created_at": "2024-06-06T08:00:00Z", "updated_at": "2024-06-06T08:00:00Z", "paused_at": null }

Update an existing audit log stream configuration

Updates an existing audit log stream configuration for an enterprise.

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."

Fine-grained access tokens for "Update an existing audit log stream configuration"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "Update an existing audit log stream configuration"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

stream_id integer Required

The ID of the audit log stream configuration.

Body parameters
Name, Type, Description
enabled boolean Required

This setting pauses or resumes a stream.

stream_type string Required

The audit log streaming provider. The name is case sensitive.

Can be one of: Azure Blob Storage, Azure Event Hubs, Amazon S3, Splunk, HTTPS Event Collector, Google Cloud Storage, Datadog

vendor_specific object Required
Name, Type, Description
AzureBlobConfig object Required

Azure Blob Config for audit log streaming configuration.

Name, Type, Description
key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

encrypted_sas_url string Required
AzureHubConfig object Required

Azure Event Hubs Config for audit log streaming configuration.

Name, Type, Description
name string Required

Instance name of Azure Event Hubs

encrypted_connstring string Required

Encrypted Connection String for Azure Event Hubs

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

AmazonS3OIDCConfig object Required

Amazon S3 OIDC Config for audit log streaming configuration.

Name, Type, Description
bucket string Required

Amazon S3 Bucket Name.

region string Required

AWS S3 Bucket Region.

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

authentication_type string Required

Authentication Type for Amazon S3.

Value: oidc

arn_role string Required
AmazonS3AccessKeysConfig object Required

Amazon S3 Access Keys Config for audit log streaming configuration.

Name, Type, Description
bucket string Required

Amazon S3 Bucket Name.

region string Required

Amazon S3 Bucket Name.

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

authentication_type string Required

Authentication Type for Amazon S3.

Value: access_keys

encrypted_secret_key string Required

Encrypted AWS Secret Key.

encrypted_access_key_id string Required

Encrypted AWS Access Key ID.

SplunkConfig object Required

Splunk Config for Audit Log Stream Configuration

Name, Type, Description
domain string Required

Domain of Splunk instance.

port integer Required

The port number for connecting to Splunk.

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

encrypted_token string Required

Encrypted Token.

ssl_verify boolean Required

SSL verification helps ensure your events are sent to your Splunk endpoint securely.

GoogleCloudConfig object Required

Google Cloud Config for audit log streaming configuration.

Name, Type, Description
bucket string Required

Google Cloud Bucket Name

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

encrypted_json_credentials string Required
DatadogConfig object Required

Datadog Config for audit log streaming configuration.

Name, Type, Description
encrypted_token string Required

Encrypted Splunk token.

site string Required

Datadog Site to use.

Can be one of: US, US3, US5, EU1, US1-FED, AP1

key_id string Required

Key ID obtained from the audit log stream key endpoint used to encrypt secrets.

HTTP response status codes for "Update an existing audit log stream configuration"

Status codeDescription
200

Successful update

422

Validation error

Code samples for "Update an existing audit log stream configuration"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

put/enterprises/{enterprise}/audit-log/streams/{stream_id}
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log/streams/STREAM_ID \ -d '{"enabled":false,"stream_type":"Azure Event Hubs","vendor_specific":{"namespace":"newnamespace","shared_access_key_name":"newaccesskeyname","shared_access_key":"newaccesskey","event_hub_name":"neweventhub"}}'

Successful update

Status: 200
{ "id": 1, "stream_type": "Splunk", "stream_details": "US", "enabled": true, "created_at": "2024-06-06T08:00:00Z", "updated_at": "2024-06-06T08:00:00Z", "paused_at": null }

Delete an audit log streaming configuration for an enterprise

Deletes an existing audit log stream configuration for an enterprise.

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."

Fine-grained access tokens for "Delete an audit log streaming configuration for an enterprise"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "Delete an audit log streaming configuration for an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

stream_id integer Required

The ID of the audit log stream configuration.

HTTP response status codes for "Delete an audit log streaming configuration for an enterprise"

Status codeDescription
204

The audit log stream configuration was deleted successfully.

Code samples for "Delete an audit log streaming configuration for an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

delete/enterprises/{enterprise}/audit-log/streams/{stream_id}
curl -L \ -X DELETE \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/audit-log/streams/STREAM_ID

The audit log stream configuration was deleted successfully.

Status: 204