What is the best way to acquire AuditLog in organization?

Although there is a description of “Advanced auditing” for github.com Enterprise, can we get all audit logs in an organization?
Is it more detailed than the AuditLog on the management console?
What is the best way to acquire the AuditLog in an organization?
API?
Webhook for all events?
Download CSV from the management console?

1 Like

This is also something we could use too. Can we have access to the AuditLog from the API please?

6 Likes

There are a few options for accessing this data which may be consumed singularly or in parallel. Our telemetry features include: the audit log API, audit log UI, audit log data export and multi-level webhooks at the enterprise, organization and repo level. I have provided documentation and further detail for each of the options below.

  • The audit log allows administrators to quickly review the actions performed by members of your enterprise organizations. It includes details such as who performed the action, what the action was, and when it was performed. If you are not using the Audit Log UI built into the GitHub Enterprise admin interface, we have this help article that will describe how to programmatically query events that occurred in your GitHub Enterprise Cloud instance based on the organization, repository, user, action performed, time of action and location. You can query these specific log events directly from our Audit Log API using GraphQL. 
  • Webhooks allow you to build or set up integrations, such as GitHub Apps or OAuth Apps, which subscribe to certain events on GitHub Enterprise Cloud. When one of those events is triggered, we’ll send an HTTP POST payload to the webhook’s configured URL. Webhooks can be triggered whenever a variety of actions are performed on an enterprise, organization or repository. For example, you can configure a webhook to execute whenever: a repository is pushed to, a pull request is opened, a GitHub Pages site is built or a new member is added to a team. Webhooks can be installed on an enterprise, organization or a specific repository.

Both the audit log API and webhooks can be leveraged to integrate into modern reporting tools such as Logstash. The data received can then be indexed by Elasticsearch and analyzed through your Kibana or data visualization dashboard. In some cases it may be necessary to write a simple script that bridges our reporting services with your reporting tools.

Try this Audit Log API GraphQL query to retrieve the last 100 audit log events on your organization. 

POST: https://api.github.com/graphql

query {
    organization(login:"<org_name>") {
      auditLog(last:100){
        edges{
          node{
            ... on AuditEntry {
              action
              actorLogin
              createdAt
            }
          }
        }
      }
    }
}

I’ve started experimenting with the audit log GraphQL querying features in our Enterprise Cloud orgs; however, we still have a few orgs, such as some free open source team accounts, that are not on that product.

In that scenario, it seems like there are still a few gaps - for example, installing or configuring GitHub Apps and OAuth apps does not seem to send any organization events, and changing team members to maintainers, or vice versa, does not trigger events, either.

Is it possible that the org-level webhooks might eventually include new events to help with these gaps in the collect-the-events-yourself approach?

Hello alwell-kevin,
Thanks for this detailed answer, it really helped me with my work.
I have a question: can we fetch all the audit log details of the last 120 days through GraphQL?
If yes, then can you please help me with that?

Hi @wintushar09,

Yes, you can apply a timestamp filter as a second argument next to “last”. Something like:

organization(login:"org_name") {
  auditLog(last: 100, query: "created:>=2019-09-01T21:51:46"){

Kevin

1 Like

Yes, that is possible; you may be able to harvest them through an org-level webhook. We are continuing to expand our list of supported events for both webhooks and the AuditLog. Coming soon: git event support for the Audit Log.

Thanks @alwell-kevin for the immediate reply. I will go through it.

1 Like

Hi @alwell-kevin, I need your help with Python code.

Hi @alwell-kevin, I am trying to retrieve the audit log data of an organization and I am getting the error “wintushar09 does not have permission to retrieve auditLog information”. But when I try to fetch the data manually by going to the settings, I can do that. So I am getting the error only when going through the GraphQL API. Please help me with this error if you know anything about it.

Hi @wintushar09,

Is your token SSO authorized and your user an owner of the organization?

Yeah, I solved that issue 🙂. Now I can fetch the data, but is it possible to fetch the last 3 or 6 months of audit log data through the GraphQL API? If yes, then how can we do that? Can you please help me with that?

Hi @alwell-kevin,
Any chance to fetch the audit log via REST API (v3)?
GraphQL would require development resources that we do not have right now.

Thanks and BR
Patrick

Hi Patrick,

You could export through the UI at both the Org and Enterprise Account levels.

Otherwise, the AuditLog API is exclusively v4 GraphQL as of today.

Kevin

Now I am able to fetch the audit log data of the organization 🙂. With that, I want to retrieve the email addresses of the users. Is it possible to fetch the primary email addresses that the users entered while registering with GitHub? Some of the users haven’t set their email address as public, but I need the emails of those people, so is there any possible way to get their private primary emails?

Tushar

Hi @alwell-kevin,
I want to retrieve 500 entries from the audit log data. How can I retrieve them, given that the first or last field cannot exceed the limit of 100 entries?

Tushar
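
An added example, not code from the thread or from GitHub: the query above combined with the `created:>=` filter from Kevin's reply and standard GraphQL cursor pagination (`first`/`after` with `pageInfo`), which is how a connection capped at 100 entries per page is read past that cap. The function names, the `GITHUB_TOKEN` environment variable and the offline `constructed_transport` stand-in are assumptions made for illustration; the token must belong to an organization owner and be SSO authorized, as noted in the thread.

```python
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"  # endpoint given in the thread
QUERY = """
query($org: String!, $filter: String, $cursor: String) {
  organization(login: $org) {
    auditLog(first: 100, query: $filter, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes { ... on AuditEntry { action actorLogin createdAt } }
    }
  }
}
"""

def github_post(payload):
    """Send one GraphQL request; the token comes from the environment, never the source."""
    req = urllib.request.Request(
        GRAPHQL_URL, data=json.dumps(payload).encode(),
        headers={"Authorization": "bearer " + os.environ["GITHUB_TOKEN"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_audit_log(org, since, limit=500, post=github_post):
    """Collect up to `limit` entries created on or after `since`, 100 per page."""
    entries, cursor = [], None
    while len(entries) < limit:
        body = post({"query": QUERY, "variables": {
            "org": org, "filter": "created:>=" + since, "cursor": cursor}})
        if body.get("errors"):  # e.g. the permission error quoted in the thread
            raise RuntimeError(body["errors"][0]["message"])
        log = body["data"]["organization"]["auditLog"]
        entries.extend(log["nodes"])
        if not log["pageInfo"]["hasNextPage"]:
            break
        cursor = log["pageInfo"]["endCursor"]
    return entries[:limit]

def constructed_transport(total):
    """Offline stand-in for github_post that serves `total` constructed entries."""
    def post(payload):
        start = int(payload["variables"]["cursor"] or 0)
        end = min(start + 100, total)
        nodes = [{"action": "team.add_member", "actorLogin": "user%d" % i,
                  "createdAt": "2019-09-02T00:00:00Z"} for i in range(start, end)]
        return {"data": {"organization": {"auditLog": {
            "nodes": nodes,
            "pageInfo": {"hasNextPage": end < total, "endCursor": str(end)}}}}}
    return post
```

Against the live API, call `fetch_audit_log("<org_name>", "2019-09-01T21:51:46")` with `GITHUB_TOKEN` set; for log shipping, store the newest `createdAt` seen and pass it as `since` on the next run.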