Organization Audit Logs
Retrieves repository, permission, and authentication activity logs from a GitHub organization.
Sync Type: Incremental
Requirements
Before configuring this input, you need to set up one of the following authentication methods:
Option 1: Personal Access Token (PAT)
- Create a Personal Access Token (PAT), as described in the GitHub docs:
  - Go to your GitHub settings
  - Navigate to Developer settings > Personal access tokens > Tokens (classic)
  - Click "Generate new token (classic)"
  - Select the read:audit_log scope
  - Copy and securely store the generated token
- Required Permissions:
  - You must be an organization admin to access organization audit logs
  - The PAT must have the read:audit_log scope
Option 2: GitHub App Authentication
- Create a GitHub App, as described in the GitHub docs:
  - Navigate to your organization settings
  - Go to Developer settings > GitHub Apps > New GitHub App
  - Configure the app with a name and homepage URL
  - Deselect the Active Webhook checkbox
  - Under "Organization Permissions", grant the app Administration Read-only permission
  - Generate a private key and download the .pem file
  - Note the Client ID from the app settings page
- Install the GitHub App:
  - Install the GitHub App to your organization
  - Note the Installation ID (visible in the URL after installation: https://github.com/organizations/YOUR_ORG/settings/installations/INSTALLATION_ID)
- Required Information:
  - GitHub Client ID (from the app settings)
  - GitHub App Installation ID (from the installation URL)
  - GitHub App Private Key (contents of the downloaded .pem file)
Configuration
Settings
| Setting | Type | Required | Default | Description |
|---|---|---|---|---|
| organization | string | Yes | - | Your GitHub organization name |
| auth_type | string | Yes | "personal_access_token" | Authentication method: "personal_access_token" or "github_app" |
| github_client_id | string | No* | - | The GitHub App Client ID (required when using GitHub App authentication) |
| github_app_installation_id | string | No* | - | The GitHub App Installation ID (required when using GitHub App authentication) |
| backfill_start_time | string | No | - | The date to start fetching data from. If not specified, no past records will be fetched. |
* Required when auth_type is set to "github_app"
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| personal_access_token | string | No* | GitHub Personal Access Token with read:audit_log scope (required when using PAT authentication) |
| github_app_private_key | string | No* | GitHub App private key in PEM format (required when using GitHub App authentication) |
* Exactly one authentication method must be configured
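The cross-field rules in the two tables above can be checked before the input is saved. The following is an added example, not Monad's own code: the `validate` function and the two-dict layout are assumptions, and it also catches the damaged-PEM case listed under Troubleshooting.

```python
import re

# Field names come from the Settings and Secrets tables; passing them as two
# flat dicts is an assumption of this example, not Monad's own schema.
AUTH_TYPES = {"personal_access_token", "github_app"}
PEM_RE = re.compile(
    r"\A-----BEGIN (RSA )?PRIVATE KEY-----\n"
    r"[A-Za-z0-9+/=\n]+\n"
    r"-----END (RSA )?PRIVATE KEY-----\n\Z"
)


def validate(settings: dict, secrets: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    errors = []
    if not settings.get("organization"):
        errors.append("organization is required")

    # auth_type defaults to "personal_access_token" per the settings table.
    auth_type = settings.get("auth_type", "personal_access_token")
    if auth_type not in AUTH_TYPES:
        errors.append(f"auth_type must be one of {sorted(AUTH_TYPES)}")
        return errors

    has_pat = bool(secrets.get("personal_access_token"))
    has_key = bool(secrets.get("github_app_private_key"))
    # Exactly one method: a second, unused credential is needless exposure.
    if has_pat and has_key:
        errors.append("both personal_access_token and github_app_private_key are set")

    if auth_type == "personal_access_token":
        if not has_pat:
            errors.append("personal_access_token secret is missing")
    else:
        for field in ("github_client_id", "github_app_installation_id"):
            if not settings.get(field):
                errors.append(f"{field} is required for github_app")
        key = secrets.get("github_app_private_key", "")
        if not has_key:
            errors.append("github_app_private_key secret is missing")
        elif not PEM_RE.match(key.replace("\r\n", "\n").strip() + "\n"):
            # Typical paste damage: newlines collapsed to spaces or literal "\n".
            errors.append("github_app_private_key is not valid PEM (check line breaks)")
    return errors
```
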
Limitations
- API rate limits apply (1,750 requests per hour per user/token)
- Maximum of 100 results per page
- Secondary rate limits may apply for high-frequency requests
- Historical data availability depends on your GitHub Enterprise retention settings
Troubleshooting
Common issues and solutions:
1. Rate Limit Errors
- The input automatically handles rate limiting by waiting for the reset period
- You'll see logs indicating the wait time when rate limits are hit
- It is possible that the speed at which you generate records exceeds how fast Monad can ingest them due to GitHub's rate limits. In these scenarios you may wish to filter more granularly.
2. Authentication Errors
For Personal Access Token:
- Verify your PAT has the read:audit_log scope
- Ensure the PAT hasn't expired
- Confirm you have organization admin access
For GitHub App:
- Verify the GitHub App is installed on your organization
- Ensure the GitHub Client ID and Installation ID are correct
- Check that the private key is in valid PEM format
- Confirm the GitHub App has the Administration Read-only permission
3. No Data
- Verify that the organization name is correct
- Ensure there are audit events in the time range you've specified if you use the backfill_start_time field
- Check that you have the necessary permissions to access audit logs
Sample Record
{
  "@timestamp": 1754956009902,
  "_document_id": "97b9a650-f761-bb7b-7c7d-d268c12e780a",
  "action": "pull_request.create_review_request",
  "actor": "John Jones",
  "actor_id": 490095,
  "actor_is_bot": false,
  "actor_location": {
    "country_code": "GB"
  },
  "business": "test-org",
  "business_id": 96281,
  "created_at": 1754956009902,
  "operation_type": "create",
  "org": "example-org",
  "org_id": 73860966,
  "public_repo": false,
  "pull_request_id": 2199799492,
  "pull_request_title": "Hotfix",
  "pull_request_url": "https://github.com/example-org/infra/pull/930",
  "repo": "test-org/infra",
  "repo_id": 880125875,
  "user": "Alice Miller",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
  "user_id": 698322
}