GetAuditLog response is not fully enriched

[AbbanMustafa]

Many expected fields are omitted from the AuditEntry result of the GetAuditLog request.

For example here are 4 logs for different actions

  actor: ""
  action: "git.clone"
  timestamp:
  org: ""
  transport_protocol_name: ""
  repo: ""

  actor: ""
  action: "git.fetch"
  timestamp:
  org: ""
  transport_protocol_name: ""
  repo: ""

  document_id: ""
  actor: ""
  action: "org.sso_response"
  timestamp:
  org: ""

  document_id: ""
  actor: ""
  action: "pull_request_review_comment.update"
  timestamp:
  org: ""

These are very barebones and the AuditEntry has many fields we think are essential that are just not present. Does the request need an additional parameter to ensure we have more verbose logs?

[gmlewis]

I'm looking through the official GitHub v3 API documentation: https://docs.github.com/en/rest
and am no longer finding any endpoints relating to getting the audit logs for an organization.

@AbbanMustafa - could you please contact GitHub Tech Support and ask them where the documentation is now located for these endpoint(s)?

[AbbanMustafa]

@gmlewis The docs are confusing, they need to be specified under Enterprise Cloud
https://docs.github.com/en/enterprise-cloud@latest/rest/orgs/orgs#get-the-audit-log-for-an-organization

[gmlewis]

Thank you, @AbbanMustafa !

Have you tried adding Include: github.String("all") in your request?

[AbbanMustafa]

Yes that just includes all log types but doesnt make the logs themselves include more

[gmlewis]

Yes that just includes all log types but doesnt make the logs themselves include more

Thanks, @AbbanMustafa. Can you please try and see if you can get more data from using a direct curl to the API?

If you are unable, then it is time to contact GitHub Tech Support afterall.
Would you mind asking them how to get all the data back (and show them the experiments you tried using curl)?

[cpanato]

hello @gmlewis I was trying to upgrade to release v66 and notice some fields disapperar from the response or the helper functions were removed, like GetRepo(), GetRepositoryPublic() and others

looking at a sample response using CURL via the GH API i can see

as example

  {
    "@timestamp": 1730102980565,
    "_document_id": "P89ccccixZZoHPg",
    "action": "workflows.completed_workflow_run",
    "actor": "xxxxx",
    "actor_id": 36xx92,
    "actor_is_bot": false,
    "business": "xxxxx",
    "business_id": 1xxxxx,
    "completed_at": "2024-10-28T08:09:40.000Z",
    "conclusion": "skipped",
    "created_at": 1730102980565,
    "event": "schedule",
    "external_identity_nameid": "xxx@xxx.xxxx",
    "head_branch": "main",
    "head_sha": "1ce6c919b1e340077983338d14dcdbb77142",
    "name": test 123",
    "operation_type": "modify",
    "org": "xxx-xx",
    "org_id": 874333,
    "public_repo": false,
    "repo": "xxx/xx-xx",
    "repo_id": 708222643,
    "run_attempt": 1,
    "run_number": 6033,
    "started_at": "2024-10-28T08:09:37.000Z",
    "topic": "cp1-iad.ingest.github.actions.v0.WorkflowUpdate",
    "trigger_id": null,
    "workflow_id": 80587864,
    "workflow_run_id": 11549827807
  },

but i cannot access repo, public_repo and other fields are they are not available in the struct https://github.com/google/go-github/blob/v66.0.0/github/orgs_audit_log.go#L32-L57

i can add those if that is really a missing fields

[gmlewis]

i can add those if that is really a missing fields

That would be great, @cpanato - thank you!

[cpanato]

oh, i see now, the missing fields are embedded in the AdditionalFields

[cpanato]

so i guess we are good here

[gmlewis]

Ah, yes, that is correct. I believe it is safe to close this issue.