Managing Git events in the audit log for GHES (#28998)

content/admin/guides.md

@@ -119,6 +119,7 @@ includeGuides:
   - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise
   - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise
   - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise
+  - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise
   - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise
   - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise
   - /admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise.md

@@ -35,7 +35,8 @@ In addition to viewing your audit log, you can monitor activity in your enterpri
 
 As an enterprise owner{% ifversion ghes %} or site administrator{% endif %}, you can interact with the audit log data for your enterprise in several ways:
 - You can view the audit log for your enterprise. For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)."
-- You can search the audit log for specific events{% ifversion ghec %} and export audit log data{% endif %}. For more information, see "[Searching the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise)"{% ifversion ghec %} and "[Exporting the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)"{% endif %}.
+- You can search the audit log for specific events{% ifversion ghec %} and export audit log data{% endif %}. For more information, see "[Searching the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise)"{% ifversion ghec %} and "[Exporting the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)"{% endif %}.{% ifversion audit-data-retention-tab %}
+- You can configure settings, such as the retention period for audit log events{% ifversion enable-git-events %} and whether Git events are included{% endif %}. For more information, see "[Configuring the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise)."{% endif %}
 {%- ifversion enterprise-audit-log-ip-addresses %}
 - You can display the IP address associated with events in the audit log. For more information, see "[Displaying IP addresses in the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise)."
 {%- endif %}

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md

@@ -392,9 +392,15 @@ Action                        | Description
 | `gist.destroy` | A gist is deleted.
 | `gist.visibility_change` | The visibility of a gist is changed.
 
-{% ifversion ghec or ghes > 3.4 or ghae-issue-6724 %}
+{% ifversion git-events-audit-log %}
 ## `git` category actions
 
+{% ifversion enable-git-events %}
+Before you'll see `git` category actions, you must enable Git events in the audit log. For more information, see "[Configuring the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise#managing-git-events-in-the-audit-log)."
+{% endif %}
+
+{% data reusables.audit_log.git-events-not-in-search-results %}
+
 | Action | Description
 |--------|-------------
 | `git.clone` | A repository was cloned.

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise.md

@@ -0,0 +1,56 @@
+---
+title: Configuring the audit log for your enterprise
+intro: "You can configure settings for your enterprise's audit log."
+shortTitle: Configure audit logs
+permissions: 'Enterprise owners can configure the audit log.'
+versions:
+  feature: audit-data-retention-tab
+type: how_to
+topics:
+  - Auditing
+  - Enterprise
+  - Logging
+---
+
+## About audit log configuration
+
+You can configure a retention period for audit log data and see index storage details.
+
+{% ifversion enable-git-events %}
+After you configure a retention period, you can enable or disable Git-related events from appearing in the audit log.
+{% endif %}
+
+## Configuring a retention period for audit log data
+
+You can configure a retention period for audit log data for {% data variables.product.product_location %}. Data that exceeds the period you configure will be permanently removed from disk.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.audit-log-tab %}
+{% data reusables.audit_log.audit-data-retention-tab %}
+1. Under "Configure audit log retention settings", select the dropdown menu and click a retention period.
+
+   ![Screenshot of the dropdown menu for audit log retention settings](/assets/images/help/enterprises/audit-log-retention-dropdown.png)
+1. Click **Save**.
+
+{% ifversion enable-git-events %}
+## Managing Git events in the audit log
+
+You can enable or disable Git-related events, such as `git.clone` and `git.push`, from appearing in your audit log. For a list of the Git events are are logged, see "[Audit log events for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#git-category-actions)."
+
+If you do enable Git events, due to the large number of Git events that are logged, we recommend monitoring your instance's file storage and reviewing your related alert configurations. For more information, see "[Monitoring storage](/admin/enterprise-management/monitoring-your-appliance/recommended-alert-thresholds#monitoring-storage)."
+
+Before you can enable Git events in the audit log, you must configure a retention period for audit log data other than "infinite." For more information, see "[Configuring a retention period for audit log data](#configuring-a-retention-period-for-audit-log-data)."
+
+{% data reusables.audit_log.git-events-not-in-search-results %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.audit-log-tab %}
+{% data reusables.audit_log.audit-data-retention-tab %}
+1. Under "Git event opt-in", select or deselect **Enable git events in the audit-log**.
+
+   ![Screenshot of the checkbox to enable Git events in the audit log](/assets/images/help/enterprises/enable-git-events-checkbox.png)
+1. Click **Save**.
+
+{% endif %}

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/index.md

@@ -11,6 +11,7 @@ topics:
 children:
   - /about-the-audit-log-for-your-enterprise
   - /accessing-the-audit-log-for-your-enterprise
+  - /configuring-the-audit-log-for-your-enterprise
   - /displaying-ip-addresses-in-the-audit-log-for-your-enterprise
   - /searching-the-audit-log-for-your-enterprise
   - /exporting-audit-log-activity-for-your-enterprise

content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise.md

@@ -29,9 +29,11 @@ You can search your enterprise audit log directly from the user interface by usi
 
 For more information about viewing your enterprise audit log, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)." 
 
+{% data reusables.audit_log.git-events-not-in-search-results %}
+
 You can also use the API to retrieve audit log events. For more information, see "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise)."
 
-Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as `-`, `>`, or `<`, match the same format as searching across {% data variables.product.product_name %}. For more information, see "[Searching on {% data variables.product.prodname_dotcom %}](/search-github/getting-started-with-searching-on-github/about-searching-on-github)."
+You cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as `-`, `>`, or `<`, match the same format as searching across {% data variables.product.product_name %}. For more information, see "[Searching on {% data variables.product.prodname_dotcom %}](/search-github/getting-started-with-searching-on-github/about-searching-on-github)."
 
 {% note %}
 

data/features/audit-data-retention-tab.yml

@@ -0,0 +1,5 @@
+# Reference #5104
+# Documentation for the "Audit data retention" tab in the enterprise audit log
+versions:
+  ghes: '>=3.4'
+  ghae: 'issue-5104'

data/features/enable-git-events.yml

@@ -0,0 +1,5 @@
+# Reference: #7283
+# Documentation for enabling Git events in the audit log
+versions:
+  ghes: '>=3.5'
+  ghae: 'issue-7283'

data/features/git-events-audit-log.yml

@@ -0,0 +1,6 @@
+# Reference: #6724
+# Documentation for Git events in the audit log
+versions:
+  ghec: '*'
+  ghes: '>=3.5'
+  ghae: 'issue-6724'

data/release-notes/enterprise-server/3-5/0-rc1.yml

@@ -291,7 +291,7 @@ sections:
           - `git.fetch`
           - `git.push`
           
-          Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "[Audit log events for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#git-category-actions)" and "[Monitoring storage](/admin/enterprise-management/monitoring-your-appliance/recommended-alert-thresholds#monitoring-storage)."
+          Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "[Configuring the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise#managing-git-events-in-the-audit-log)."
 
     - heading: Improvements to CODEOWNERS
       notes:

data/release-notes/enterprise-server/3-5/0.yml

@@ -284,7 +284,7 @@ sections:
           - `git.fetch`
           - `git.push`
           
-          Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "[Audit log events for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#git-category-actions)" and "[Monitoring storage](/admin/enterprise-management/monitoring-your-appliance/recommended-alert-thresholds#monitoring-storage)."
+          Due to the large number of Git events logged, we recommend you monitor your instance's file storage and review your related alert configurations. For more information, see "[Configuring the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise#managing-git-events-in-the-audit-log)."
           
     - heading: Improvements to CODEOWNERS
       notes:

data/reusables/audit_log/audit-data-retention-tab.md

@@ -0,0 +1,3 @@
+1. Under "Audit log", click **Audit Data Retention**.
+
+   ![Screenshot of the "Audit Data Retention" tab](/assets/images/help/enterprises/audit-data-retention-tab.png)

data/reusables/audit_log/audit-log-action-categories.md

@@ -61,7 +61,6 @@
 | `external_identity` | Contains activities related to a user in an Okta group.
 {%- endif %}
 | `gist` | Contains activities related to Gists.
-| `git` | Contains activities related to Git events.
 | `hook` | Contains activities related to webhooks.
 | `integration` | Contains activities related to integrations in an account.
 | `integration_installation` | Contains activities related to integrations installed in an account.

data/reusables/audit_log/git-events-not-in-search-results.md

@@ -0,0 +1,7 @@
+{% ifversion git-events-audit-log %}
+{% note %}
+
+**Note:** Git events are not included in search results.
+
+{% endnote %}
+{% endif %}

data/reusables/audit_log/retention-periods.md

@@ -1,3 +1,3 @@
-The audit log lists events triggered by activities that affect your enterprise{% ifversion not ghec %}. Audit logs for {% data variables.product.product_name %} are retained indefinitely.{% else %} within the current month and up to the previous six months. The audit log retains Git events for seven days.{% endif %}
+The audit log lists events triggered by activities that affect your enterprise{% ifversion not ghec %}. Audit logs for {% data variables.product.product_name %} are retained indefinitely{% ifversion audit-data-retention-tab %}, unless an enterprise owner configured a different retention period. For more information, see "[Configuring the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise)."{% else %}.{% endif %}{% else %} within the current month and up to the previous six months. The audit log retains Git events for seven days.{% endif %}
 
 {% data reusables.audit_log.only-three-months-displayed %}