GitHub Enterprise keeps logs of audited user, repository, and system events. You can use these logs to debug your installation as well as to comply with internal security mandates and external regulations.

Audited actions

A number of user-initiated actions are audited, including:

  • creating or deleting a repository
  • creating or deleting an organization
  • adding or removing an email address
  • adding or removing an SSH key

For a full list of actions, see "Audited actions." For more information on finding a particular action, see "Searching the audit log."

Push logs

In addition to audited actions that affect repositories, every Git push operation is logged with the following information:

  • who initiated the push
  • whether it was a force push or not
  • which branch was pushed to
  • which protocol was used
  • what the originating IP address was
  • which Git client was used
  • the SHA hashes from before and after the operation

For more information, see "Viewing push logs."

System events

All audited system events—including all pushes and pulls—are logged to /var/log/github/audit.log. Logs are automatically rotated every 24 hours and are retained for 7 days.

The Support Bundle includes these system logs.

Support Bundles

All audit information is logged to the audit.log file in the github-logs directory of any Support Bundle. If log forwarding is enabled, you can stream this data to an external syslog stream consumer such as Splunk or Logstash. All entries from this log use the "github_audit" keyword and can be filtered using that.

Here is a sample entry showing that a new repository was created:

Oct 26 01:42:08 github-ent github_audit: {:created_at=>1351215728326, :actor_ip=>"", :data=>{}, :user=>"some-user", :repo=>"some-user/some-repository", :actor=>"some-user", :actor_id=>2, :user_id=>2, :action=>"repo.create", :repo_id=>1, :from=>"repositories#create"}

Here is a sample entry showing that commits were pushed to a repository:

Oct 26 02:19:31 github-ent github_audit: { "pid":22860, "ppid":22859, "program":"receive-pack", "git_dir":"/data/repositories/some-user/some-repository.git", "hostname":"github-ent", "pusher":"some-user", "real_ip":"", "user_agent":"git/", "repo_id":1, "repo_name":"some-user/some-repository", "transaction_id":"b031b7dc7043c87323a75f7a92092ef1456e5fbaef995c68", "frontend_ppid":1, "repo_public":true, "user_name":"some-user", "user_login":"some-user", "frontend_pid":18238, "frontend":"github-ent", "user_email":"", "user_id":2, "pgroup":"github-ent_22860", "status":"post_receive_hook", "features":" report-status side-band-64k", "received_objects":3, "receive_pack_size":243, "non_fast_forward":false, "current_ref":"refs/heads/master" }