The Organization Audit Log allows members of an organization's Owners team to review actions performed by members of an organization within the last 90 days.
In this article
- Accessing the organization audit log dashboard
- Accessing the organization audit log
- Searching for events in an organization
Accessing the organization audit log dashboard
The audit log lists actions performed within the last 90 days. Only members of the Owners team can access an organization's audit log.
In the top right corner of any page, click your username.
On the left side of your profile page, under "Organizations", click the icon for your organization.
On the right side of the organization profile page, click Audit log.
Accessing the organization audit log
As a site admin, sign in to your GitHub Enterprise instance at `http(s)://[hostname]/login`.
In the upper-right corner of any page, click .
In the Site admin settings sidebar, click Audit log.
- Perform a search for specific events.
Searching for events in an organization
If you need to look for a specific incident, you can construct search queries using a variety of qualifiers. These can be combined in one query to narrow results even further.
The Organization Audit Log lists the following information about actions made within an organization:
- The user that performed the action.
- The action that was performed.
- The date and time the action occurred.
- Which repository an action was performed in.
- Which country the action took place in.
User search
Use the `actor` qualifier to search for actions performed by specific users in the organization. For example:
- `actor:octocat` returns all actions performed by `octocat`.
- `actor:octocat actor:hubot` returns actions performed by both `octocat` and `hubot`.
- `-actor:hubot` excludes actions performed by `hubot`.
Note that the log only displays usernames, not real names or other personally identifying information.
Action search
Use the `action` qualifier to search for specific actions in your query. Actions listed in the audit log are grouped within the following categories:
Category Name | Description |
---|---|
`hook` | Contains all webhook activities |
`org` | Contains all organization membership activities |
`repo` | Contains all activities related to the repositories owned by the organization. |
`team` | Contains all team-related activities in the organization. |
You can search for sets of actions using these terms. For example:
- `action:team` returns all team-related events.
- `-action:repo` excludes all repository-related events.
Each category has a set of events you can filter on. For example:
- `action:team.create` returns all team creation events.
- `-action:hook.config_changed` excludes all events where an existing webhook's configuration was changed.
The `hook` category
Action | Description |
---|---|
`create` | Triggered when a new hook is added to a repository owned by the organization. |
`config_changed` | Triggered when an existing hook has its configuration altered. |
`destroy` | Triggered when an existing hook is removed from a repository. |
`events_changed` | Triggered when the events on a hook have been altered. |
The `org` category
Action | Description |
---|---|
`cancel_invitation` | Triggered when an organization invitation is revoked. |
`invite_member` | Triggered when a new GitHub user is invited to join the organization. |
The `oauth_application` category
Action | Description |
---|---|
`create` | Triggered when a new OAuth application is created. |
`destroy` | Triggered when an existing OAuth application is deleted. |
`reset_secret` | Triggered when an OAuth application's client secret is reset. |
`revoke_tokens` | Triggered when an OAuth application's user tokens are revoked. |
`transfer` | Triggered when an existing OAuth application is transferred to a new organization. |
The `repo` category
Action | Description |
---|---|
`access` | Triggered when a repository owned by an organization is switched from "private" to "public" (or vice versa). |
`add_member` | Triggered when a GitHub user is given access to a repository. |
`create` | Triggered when a new repository is created in the organization. |
`destroy` | Triggered when a repository is deleted from the organization. |
`disable` | Triggered when a repository is disabled (e.g., for excessive size). |
`enable` | Triggered when a repository is reenabled. |
`remove_member` | Triggered when a GitHub user is removed from a repository. |
`rename` | Triggered when a repository is renamed. |
`transfer` | Triggered when a repository is transferred into or out of the organization. |
`transfer_start` | Triggered when a repository transfer is about to occur. |
The `team` category
Action | Description |
---|---|
`add_member` | Triggered when a member of an organization is added to a team. |
`add_repository` | Triggered when a team is given control of a repository. |
`create` | Triggered when a new team is created. |
`destroy` | Triggered when a team is removed from the organization. |
`remove_member` | Triggered when a member of an organization is removed from a team. |
`remove_repository` | Triggered when a repository is removed from a team's control. |
Time search
Use the `created` qualifier to filter actions based on the time they occurred. Date formatting must follow the ISO8601 standard, which is `YYYY-MM-DD` (year-month-day).
You may also add some optional time information, formatted as `THH:MM:SS+07:00`: hour-minutes-seconds (`HH:MM:SS`), followed by a UTC offset (`+07:00`).
Dates support greater than, less than, and range qualifiers. For example:
- `created:2014-07-01` returns all events that occurred on July 1st, 2014.
- `created:>=2014-07-01` returns all events that occurred on or after July 1st, 2014.
- `created:<=2014-07-01` returns all events that occurred on or before July 1st, 2014.
- `created:2014-07-01..2014-07-31` returns all events that occurred in the month of July 2014.
The audit log only displays data from the past 90 days, but you can use the `created` qualifier to search for older events.
Location search
Use the `country` qualifier to search for actions based on the originating country. You can search with a country's full name or its two-letter short code. Countries with spaces in their names must be quoted. For example:
- `country:de` returns all events that occurred in Germany.
- `country:Mexico` returns all events that occurred in Mexico.
- `country:"United States"` returns all events that occurred in the United States.
Repository search
Use the `repo` qualifier to limit actions to a specific repository owned by your organization. For example:
- `repo:my-org/our-repo` returns all events involving the `our-repo` repository in the `my-org` organization.
- `repo:my-org/our-repo repo:my-org/another-repo` returns all events involving both the `our-repo` and `another-repo` repositories in the `my-org` organization.
- `-repo:my-org/not-this-repo` excludes all events involving the `not-this-repo` repository in the `my-org` organization.
Note that you must include the organization name within the `repo` qualifier; searching for `repo:our-repo` will not work.
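To check how combined qualifiers narrow a result set before relying on a query during an investigation, the following added example (not GitHub's implementation and not code from this article) models the qualifier semantics described above over four constructed events. The event field names, the `parse`, `hit` and `search` functions, and the reading that repeated qualifiers of one kind widen the match while different kinds narrow it are assumptions drawn from the examples on this page; only the date part of `created` is handled.

```python
import shlex
from datetime import date

EVENTS = [  # constructed sample records; field names are assumptions
    {"id": 1, "actor": "octocat", "action": "team.create",
     "created": "2014-07-01", "repo": "", "country": "de"},
    {"id": 2, "actor": "hubot", "action": "hook.config_changed",
     "created": "2014-07-15", "repo": "my-org/our-repo", "country": "United States"},
    {"id": 3, "actor": "octocat", "action": "repo.access",
     "created": "2014-08-02", "repo": "my-org/our-repo", "country": "de"},
    {"id": 4, "actor": "hubot", "action": "team.add_member",
     "created": "2014-07-31", "repo": "", "country": "Mexico"},
]

def parse(query):
    """Return (include, exclude): qualifier -> list of values."""
    inc, exc = {}, {}
    for tok in shlex.split(query):  # also unquotes country:"United States"
        neg = tok.startswith("-")
        key, _, val = (tok[1:] if neg else tok).partition(":")
        (exc if neg else inc).setdefault(key, []).append(val)
    return inc, exc

def hit(key, val, ev):
    if key == "action":  # "team" selects the category, "team.create" one event
        return ev["action"] == val or ev["action"].startswith(val + ".")
    if key == "created":  # date part only; time and UTC offset are not modelled
        day = date.fromisoformat(ev["created"][:10])
        if ".." in val:
            lo, hi = map(date.fromisoformat, val.split(".."))
            return lo <= day <= hi
        if val[:2] in (">=", "<="):
            bound = date.fromisoformat(val[2:])
            return day >= bound if val[0] == ">" else day <= bound
        return day == date.fromisoformat(val)
    return str(ev.get(key, "")).lower() == val.lower()

def search(query, events=EVENTS):
    """Ids of events that match: OR within a qualifier, AND across, '-' removes."""
    inc, exc = parse(query)
    out = []
    for ev in events:
        if any(hit(k, v, ev) for k, vs in exc.items() for v in vs):
            continue
        if all(any(hit(k, v, ev) for v in vs) for k, vs in inc.items()):
            out.append(ev["id"])
    return out

if __name__ == "__main__":
    print(search("-action:team created:2014-07-01..2014-08-31"))
```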