The audit log lets administrators review the actions performed across an organization or enterprise, recording who performed an action (the actor), what the action was, the affected user or repository, the originating country, and the date and time. Within the parent goal of monitoring enterprise usage and activity, the audit log is the primary forensic record for security investigations, compliance reporting, and license or access reviews, while API rate limit data shows how programmatic clients are consuming the platform. Each audit log entry is named by a category plus an operation type, such as repo.create, which is the create operation on the repo category. Administrators cannot search by free text but instead build queries from qualifiers such as action, actor, repo, created, operation, and country. The operation qualifier groups events broadly (for example operation:access, operation:authentication, operation:modify), and the created qualifier accepts ISO8601 dates with greater-than, less-than, and range operators. The log can be exported as JSON or CSV from the Export dropdown, subject to a hard limit of 100 MB compressed, 10 minutes of processing, or both, so filtering before export is recommended. The audit log retains data for the last 180 days, but the web UI only displays the past three months by default unless you specify an older date range with the created parameter. Only organization owners can access an organization's audit log. The GraphQL and REST audit log API is available only to organizations that use GitHub Enterprise Cloud. Separately, REST API usage is governed by rate limits: 60 requests per hour for unauthenticated requests and 5,000 per hour for authenticated users, rising to 15,000 per hour for GitHub Apps and OAuth apps owned by a GitHub Enterprise Cloud organization. Clients monitor consumption through response headers like x-ratelimit-remaining and x-ratelimit-reset, or by calling GET /rate_limit, which does not count against the primary limit.
Each audit log entry name combines a category and an operation type, so repo.create represents the create operation on the repo category.
The audit log retains data for the last 180 days, but the web interface displays only the past three months unless an older date range is specified with the created parameter.
Only organization owners can access an organization's audit log, and the audit log REST and GraphQL API is available only to organizations using GitHub Enterprise Cloud.
Audit log exports as JSON or CSV are capped by a hard limit of 100 MB compressed, 10 minutes of processing time, or both, so the dataset should be filtered before exporting.
The primary REST API rate limit is 60 requests per hour for unauthenticated requests and 5,000 per hour for authenticated users, increasing to 15,000 per hour for GitHub Apps and OAuth apps owned by a GitHub Enterprise Cloud organization.
Clients check current rate limit status through response headers such as x-ratelimit-remaining and x-ratelimit-reset, or by calling GET /rate_limit, which does not count against the primary rate limit.