What is the best way to acquire AuditLog in organization?

But how do I dump all log events? GraphQL is a declarative language that requires the query-er to enumerate all possible objects and ask for them. The trouble I am having is I can’t just say “give me everything” as far as I can tell. Do you have a sample query that would grab everything? All of the documentation and examples I can find are toy queries for specific things.

I know this isn’t the place, but GraphQL was a bad choice of interface for an audit log.

Here are two roadmap features relevant to this topic:

Git action events (e.g. clone and push) appear in the audit logs (beta Q4 2020)
GitHub adding Git CLI activities to the audit log on GitHub Enterprise Cloud

Webhook Delivery API (beta) (beta Q1 2021)
Today, webhooks may fail to be delivered for a variety of reasons: severed connections, downtime from GitHub, downtime from the integrator, etc. Right now, we offer the ability to view failed webhook deliveries in the UI and retry them, but we don’t provide a similar set of functionality in our REST or GraphQL API.
GitHub are introducing a REST API that will allow integrators to query the status of webhook deliveries, and trigger redeliveries where needed.

1 Like

There is definitely a difference between the Audit Log UI and the GraphQL API, and I still don’t understand why.

Unless we made a mistake in pulling the data, these are some of the ones we’ve found in the UI and not on the API:

| Policy Setting | Action on UI* |
|---|---|
| Dependency Insights | members_can_view_dependency_insights.disable |
| Disabling Dependabot alerts | dependabot_alerts_new_repos.disable |
| Projects Audits | organization_projects_change.enable, repository_projects_change.enable |
| GitHub Pages | members_can_create_pages.enable |
| Dependabot Vulnerability resolves | repository_vulnerability_alert.resolve |

*Action on UI is an example, the .disable can be interchanged with .enable etc…

Anyone been successful in pulling the audit logs from UI through like a script?

Hi @amenocal, you did not make a mistake. The GraphQL Audit Log feature is far from complete in terms of events covered in comparison to audit events in the GUI, so in practice it does not allow you to keep copies of your audit log data (all events) and monitor as inferred in the product documentation. It is also complicated as you need to write code to query specific data fields related to events to make them useful as well.
You will find a list of the limited audit events available in GraphQL at this link: Interfaces - GitHub Docs

Whilst the GraphQL will not go away, you can expect the future for pulling complete audit log data that would allow you to keep copies of your audit log data (all audited events) and monitor will be via the new REST API feature https://github.blog/changelog/2020-12-10-audit-log-git-events-and-rest-api-now-available-in-limited-public-beta.
Reviewing the audit log for your organization - GitHub Docs, section "Using the REST API".

In addition to git audit events being visible in the REST API Audit log, it also contains all the events you can see in the GUI. It does not currently provide these in ascending order (which is more appropriate for a pull process to allow you to keep copies of your audit data), but I have requested this.

There is nothing in the public roadmap as yet, but customers have also asked for push/stream type models for audit log data, so it's something being looked at by GitHub. I am also hopeful that smaller items where an audited event may be missing, or missing some relevant data for the event, may be remedied quicker as 2021 progresses.

1 Like
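
The pull process the last post describes (keeping a copy of the audit log from a REST API that returns events newest first) can be made incremental with a checkpoint. The sketch below is an added example, not code from the thread or from GitHub; the `GET /orgs/{org}/audit-log` endpoint and the `@timestamp` and `_document_id` fields are assumed from GitHub's REST API, and the function names and sample events are constructed.

```python
import json
import re
import urllib.request

# Assumed from GitHub's REST API (not shown in the thread): endpoint and fields.
API = "https://api.github.com/orgs/{org}/audit-log?include=all&per_page=100"

def fetch_pages(org, token):
    """Yield pages of events, newest first, following Link rel="next"."""
    url = API.format(org=org)
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            page, link = json.load(resp), resp.headers.get("Link", "")
        yield page
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', link)
        url = nxt.group(1) if nxt else None

def pull_new(pages, checkpoint):
    """Return (new events oldest first, next checkpoint) from newest-first pages."""
    # checkpoint = {"ts": last archived @timestamp, "ids": ids archived at ts}
    seen, fresh = set(checkpoint["ids"]), []
    for ev in (e for page in pages for e in page):  # lazy: pages on demand
        if ev["@timestamp"] < checkpoint["ts"]:
            break  # reached archived history, so no older page is requested
        if ev["_document_id"] not in seen:  # drops page-boundary repeats
            seen.add(ev["_document_id"])
            fresh.append(ev)
    if not fresh:
        return [], checkpoint
    fresh.sort(key=lambda e: e["@timestamp"])  # ascending, ready to append
    top = fresh[-1]["@timestamp"]
    ids = [e["_document_id"] for e in fresh if e["@timestamp"] == top]
    if top == checkpoint["ts"]:
        ids += checkpoint["ids"]  # same millisecond as before: keep old ids
    return fresh, {"ts": top, "ids": ids}

# Constructed sample: two newest-first pages; d3 repeats across the page
# boundary and d1 is already archived at the checkpoint timestamp.
SAMPLE_PAGES = [
    [{"@timestamp": 1700000003000, "_document_id": "d4", "action": "git.clone"},
     {"@timestamp": 1700000002000, "_document_id": "d3", "action": "members_can_create_pages.enable"}],
    [{"@timestamp": 1700000002000, "_document_id": "d3", "action": "members_can_create_pages.enable"},
     {"@timestamp": 1700000001000, "_document_id": "d2", "action": "repository_vulnerability_alert.resolve"},
     {"@timestamp": 1700000001000, "_document_id": "d1", "action": "dependabot_alerts_new_repos.disable"},
     {"@timestamp": 1700000000000, "_document_id": "d0", "action": "git.push"}],
]
```

Persist the returned checkpoint next to the archive and pass it to the next run, e.g. `pull_new(fetch_pages(org, token), checkpoint)`; `fetch_pages` is the only part that touches the network.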