Using the audit log API
You can interact with the audit log using the GraphQL API or the REST API.
Timestamps and date fields in the API response are measured in UTC epoch milliseconds.
Querying the audit log GraphQL API
To ensure your intellectual property is secure, and you maintain compliance for your enterprise, you can use the audit log GraphQL API to keep copies of your audit log data and monitor:
- 組織またはリポジトリの設定へのアクセス
- アクセス許可の変更
- 組織、リポジトリ、またはチームの追加または削除されたユーザー
- 管理者に昇格されるユーザー
- GitHub Appの権限の変更
Note that you can't retrieve Git events using the audit log API.
The GraphQL response can include data for up to 90 to 120 days.
Example 1: Members added to or removed from organizations in an enterprise
The query below fetches the audit logs for the avocado-corp enterprise and returns the first 10 organizations in the enterprise, where the only actions performed were adding or removing a member from an organization. The first 20 audit log entries for each organization are returned.
This query uses the auditlog field from the Organization object, and the OrgAddMemberAuditEntry and OrgRemoveMemberAuditEntry objects. The GitHub account querying the enterprise audit log must be an organization owner for each organization within the enterprise.
{
enterprise(slug: "avocado-corp") {
organizations(first: 10, orderBy: {field: LOGIN, direction: DESC}) {
nodes {
name
auditLog(first: 20) {
edges {
node {
... on OrgAddMemberAuditEntry {
action
actorLogin
createdAt
}
... on OrgRemoveMemberAuditEntry {
action
actorLogin
createdAt
}
}
}
}
}
pageInfo {
hasNextPage
endCursor
}
}
}
}The GraphQL API will return at most 100 nodes per query. To retrieve additional results, you'll need to implement pagination. For more information, see "Resource limitations" in the GraphQL API documentation and Pagination in the official GraphQL documentation.
Example 2: Events in an organization, for a specific date and actor
You can specify multiple search phrases, such as created and actor, by separating them in your query string with a space.
The query below fetches all the audit logs for the avocado-corp enterprise that relate to the octo-org organization, where the actions were performed by the octocat user on or after the 1 Jan, 2022. The first 20 audit log entries are returned, with the newest log entry appearing first.
This query uses the AuditEntry interface. The GitHub account querying the enterprise audit log must be an owner of the octo-org organization.
{
enterprise(slug: "avocado-corp") {
organizations(first: 1, query: "octo-org") {
nodes {
name
auditLog(first: 20, query: "actor:octocat created:>=2022-01-01T00:00:00.000Z", orderBy: {field: CREATED_AT, direction: DESC}) {
edges {
node {
... on AuditEntry {
action
actorLogin
createdAt
user {
name
}
}
}
}
}
}
}
}
}For more query examples, see the platform-samples repository.
Querying the audit log REST API
To ensure your intellectual property is secure, and you maintain compliance for your enterprise, you can use the audit log REST API to keep copies of your audit log data and monitor:
- 組織またはリポジトリの設定へのアクセス
- アクセス許可の変更
- 組織、リポジトリ、またはチームの追加または削除されたユーザー
- 管理者に昇格されるユーザー
- GitHub Appの権限の変更
監査ログには、Enterprise に影響するアクティビティによってトリガーされるイベントの一覧が表示されます。 GitHub Enterprise Server の監査ログは、エンタープライズ所有者が別の保持期間を構成していない限り、無期限に保持されます。 詳しくは、「エンタープライズの監査ログの構成」を参照してください。
既定では、過去 3 か月のイベントのみが表示されます。 古いイベントを表示するには、created パラメーターを使って日付範囲を指定します。 詳細については、「Understanding the search syntax」 (検索構文の理解) を参照してください。
For more information about the audit log REST API, see "Enterprise administration" and "Organizations."
Example 1: All events in an enterprise, for a specific date, with pagination
You can use page-based pagination or cursor based pagination. For more information, see "Traversing with Pagination."
Example with page-based pagination
The query below searches for audit log events created on Jan 1st, 2022 in the avocado-corp enterprise, and return the first page with a maximum of 100 items per page using REST API pagination:
curl -H "Authorization: Bearer TOKEN" \
--request GET \
"https://api.github.com/enterprises/avocado-corp/audit-log?phrase=created:2022-01-01&page=1&per_page=100"Example with cursor-based pagination
The query below searches for audit log events created on Jan 1st, 2022 in the avocado-corp enterprise, and returns the first page with a maximum of 100 items per page using REST API pagination. The --include flag causes the headers to be returned along with the response.
curl --include -H "Authorization: Bearer TOKEN" \
--request GET \
"https://api.github.com/enterprises/avocado-corp/audit-log?phrase=created:2022-01-01&per_page=100"
If there are more than 100 results, the link header will include URLs to fetch the next, first, and previous pages of results.
link: <https://api.github.com/enterprises/13827/audit-log?%3A2022-11-01=&per_page=100&after=MS42NjQzODMzNTk5MjdlKzEyfDloQzBxdURzaFdVbVlLWjkxRU9mNXc%3D&before=>; rel="next",
<https://api.github.com/enterprises/13827/audit-log?%3A2022-11-01=&per_page=100&after=&before=>; rel="first",
<https://api.github.com/enterprises/13827/audit-log?%3A2022-11-01=&per_page=100&after=&before=MS42Njc4NDA2MjM4MzNlKzEyfExqeG5sUElvNEZMbG1XZHA5akdKTVE%3D>; rel="prev"
Copy the corresponding pagination link into your next request. For example:
curl -I -H "Authorization: Bearer TOKEN" \
--request GET \
"https://api.github.com/enterprises/13827/audit-log?%3A2022-11-01=&per_page=100&after=MS42Njc4NDA2MjM5NDFlKzEyfHRYa3AwSkxUd2xyRjA5bWxfOS1RbFE%3D&before="Example 2: Events for pull requests in an enterprise, for a specific date and actor
You can specify multiple search phrases, such as created and actor, by separating them in your formed URL with the + symbol or ASCII character code %20.
The query below searches for audit log events for pull requests, where the event occurred on or after Jan 1st, 2022 in the avocado-corp enterprise, and the action was performed by the octocat user:
curl -H "Authorization: Bearer TOKEN" \
--request GET \
"https://api.github.com/enterprises/avocado-corp/audit-log?phrase=action:pull_request+created:>=2022-01-01+actor:octocat"