As a site administrator, you can search an extensive list of audited actions on your GitHub Enterprise instance.

Instructions

  1. In the upper-left corner of any page, click . Octocat icon

  2. In the upper-right corner of any page, click . Rocketship icon for accessing site admin settings

  3. In the left sidebar, click Audit log. Audit log tab

  4. Type a search query. Search query

  5. Click Search.

    Search button

Search query syntax

Compose a search query from one or more key:value pairs separated by AND/OR logical operators.

Key Value
actor_id ID of the user account that initiated the action
actor Name of the user account that initiated the action
oauth_app_id ID of the OAuth application associated with the action
action Name of the audited action
user_id ID of the user affected by the action
user Name of the user affected by the action
repo_id ID of the repository affected by the action (if applicable)
repo Name of the repository affected by the action (if applicable)
actor_ip IP address from which the action was initiated
created_at Time at which the action occurred
from View from which the action was initiated
note Miscellaneous event-specific information (in either plain text or JSON format)
org Name of the organization affected by the action (if applicable)
org_id ID of the organization affected by the action (if applicable)

For example, to see all actions that have affected the repository octocat/Spoon-Knife since the beginning of 2014, you would type the following query:

repo:"octocat/Spoon-Knife" AND created_at:[2014-01-01 TO *]

To see all actions that have affected or been initiated by the user account hubot, you would type:

user:hubot OR actor:hubot

To see all SSH keys that have been added, updated, or removed, you would type:

action:public_key.create OR action:public_key.update OR action:public_key.delete

For a full list of actions, see "Audited actions."