Skip to content
Latchkey

How to Audit Self-Hosted Runner Activity

You cannot investigate what you never logged; capture runner registrations, job history, and host activity centrally.

Use the org audit log for runner and workflow events, ship the runner _diag logs off-host, and record host-level process and network activity for forensics.

Steps

  • Query the org audit log for runner registration and workflow events.
  • Forward the runner _diag directory to central logging.
  • Retain host process and network logs off the runner itself.

Query the audit log

Terminal
gh api -X GET \
  "orgs/my-org/audit-log?phrase=action:workflows.completed_workflow_run" \
  --jq '.[] | {actor, repo, created_at}'

# Ship runner diagnostics off-host
rsync -a ./_diag/ logs-host:/var/log/gh-runner/$(hostname)/

Gotchas

  • Logs stored only on an ephemeral host vanish when it is destroyed; forward them first.
  • The audit log records control-plane events, not what a job did on the host; add host telemetry.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →