Using the audit log API
Note: Webhooks might be a good alternative to the audit log or API polling for certain use cases. Webhooks are a way for GitHub to notify your server when specific events occur for a repository, organization, or enterprise. Compared to the API or searching the audit log, webhooks can be more efficient if you just want to learn and possibly log when certain events occur on your enterprise, organization, or repository. For more information, see "Webhooks documentation."
You can maintain compliance for your enterprise and secure your intellectual property by interacting with the audit log using the REST API. For more information about the specific events that you can access via the audit log API, see the following articles.
- "Audit log events for your enterprise"
- "Audit log events for your organization"
- "Security log events"
The audit log lists events triggered by activities that affect your enterprise. Audit logs for GitHub Enterprise Server are retained indefinitely, unless an enterprise owner configured a different retention period. For more information, see "Configuring the audit log for your enterprise."
By default, only events from the past three months are displayed. To view older events, you must specify a date range with the created
parameter. For more information, see "Understanding the search syntax."
Timestamps and date fields in the API response are measured in UTC epoch milliseconds.
You can use the read:audit_log
scope to access the audit log via the API.
For more information about the audit log REST API, see "REST API endpoints for enterprise audit logs" and "REST API endpoints for organizations."
Example 1: All events in an enterprise, for a specific date, with pagination
You can use page-based pagination. For more information about pagination, see "Using pagination in the REST API."
The query below searches for audit log events created on Jan 1st, 2022 in the avocado-corp
enterprise, and return the first page with a maximum of 100 items per page using pagination. For more information about pagination, see "Using pagination in the REST API."
curl -H "Authorization: Bearer TOKEN" \
--request GET \
"http(s)://HOSTNAME/api/v3/enterprises/avocado-corp/audit-log?phrase=created:2022-01-01&page=1&per_page=100"
Example 2: Events for pull requests in an enterprise, for a specific date and actor
You can specify multiple search phrases, such as created
and actor
, by separating them in your formed URL with the +
symbol or ASCII character code %20
.
The query below searches for audit log events for pull requests, where the event occurred on or after Jan 1st, 2022 in the avocado-corp
enterprise, and the action was performed by the octocat
user:
curl -H "Authorization: Bearer TOKEN" \
--request GET \
"http(s)://HOSTNAME/api/v3/enterprises/avocado-corp/audit-log?phrase=action:pull_request+created:>=2022-01-01+actor:octocat"
Example 3: Events for Git activity in an enterprise, for a specific date and actor
You can search for Git events in an enterprise, such as cloning, fetching, and pushing, by adding include=git
as a parameter in the URL. Alternatively, you can use include=all
to search for both web events and Git events.
The query below searches for audit log events for Git activity, where the event occurred after Jan 1st, 2024, in the avocado-corp
enterprise, and the action was performed by the octocat
user.
curl -H "Authorization: Bearer TOKEN" \
--request GET \
"http(s)://HOSTNAME/api/v3/enterprises/avocado-corp/audit-log?phrase=created:>=2024-01-01+actor:octocat&include=git"