Splunk® Supported Add-ons

Splunk Add-on for GitHub


Configure inputs using Splunk Add-on for GitHub

Github Enterprise Data Collection

Splunk Connect for Syslog

All production deployments should use Splunk Connect for Syslog to forward GitHub Enterprise syslog data into the Splunk platform. This solution provides improved simplicity and scalability, among other benefits. For more information, see the Splunk Connect for Syslog manual.

Validate data collection

Once you have configured the input, run this search to check that you are ingesting the expected data.

sourcetype=github:enterprise:audit

Github Cloud Data Collection

Before you follow the instructions on this page to set up the Splunk Add-on for Github, obtain your Personal Access Token from Github Cloud: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token.

Behavior of Audit logs API

  • Audit logs list events triggered by the activities that affect your enterprise.
  • By default, the API returns audit data from the past three months. Git events such as cloning, fetching, and pushing are retained for seven days only.

Steps to configure an Account in Github

  • In Splunk Web, go to the Splunk Add-on for Github, by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
  • Click the Configuration tab.
  • Click the Github Account tab.
  • In the Add dialogue box, fill in the required fields:

    Field                  Description
    Account Name           A unique name for your Github account.
    Personal Access Token  The token you generated on Github Cloud (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).

Next, configure your inputs.

(Optional) Change logging level

You can change the default log level () to see more granular logs such as debug or more generic logs such as only error logs. The logging level can be configured using the steps below.

1. On Splunk Web, go to the Splunk Add-on for Github, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
2. Click the Configuration tab.
3. Click the Logging tab.
4. Select a new logging level from the drop-down menu.
5. Click Save to save your configurations.

(Optional) Proxy setup

If you have a proxy set up for data collection, provide its details here so that data is collected through the configured proxy.

1. On Splunk Web, go to the Splunk Add-on for Github, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
2. Click the Configuration tab.
3. Click the Proxy tab.
4. Check Enable and fill in the required fields.

Github Audit Input

Data is collected in the github:cloud:audit source type. The fields present in the input are as follows:

Field                         Type      Description
Name                          Textbox   Unique input name
Event Type                    Dropdown  Specifies the type of events to be collected:
                                          web - web (non-Git) events
                                          git - Git events
                                          all - both web and Git events
Account Type                  Dropdown  The type of account for which you want to collect the data, i.e., Organization or Enterprise
Organization/Enterprise Name  Textbox   Enter a valid name of the Organization or Enterprise
Github Account                Dropdown  Select the account from the accounts created in Configuration
Interval                      Textbox   Enter the interval between consecutive invocations, in seconds
Index                         Textbox   Enter the name of the index in which you want to collect the data

NOTE: To collect the audit logs, the account should have admin access.
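As an added example (not code from the Splunk Add-on for GitHub, nor from GitHub itself), the following Python shows what the Github Audit Input's fields turn into at the GitHub REST API, and why the Interval and the retention windows described under "Behavior of Audit logs API" matter for a collector. It assumes the public audit-log endpoints /orgs/{org}/audit-log and /enterprises/{enterprise}/audit-log with their include parameter (web, git, all), the created:>= search phrase, and GitHub's Link-header pagination; the organization name, events and Link headers below are constructed sample data, and the checkpoint-gap check is an added defensive measure, not behaviour the add-on documents.

```python
"""Added example, not part of the Splunk Add-on for GitHub or of GitHub's own
code: maps the Github Audit Input fields onto the GitHub audit-log REST API,
pages through a (constructed) audit-log response, and flags a checkpoint that
is older than the retention windows described above."""
import re
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.github.com"
EVENT_TYPES = ("web", "git", "all")          # the Event Type dropdown values
AUDIT_RETENTION = timedelta(days=90)         # "past three months"
GIT_EVENT_RETENTION = timedelta(days=7)      # Git events kept for seven days


def utc(year, month, day):
    """Aware UTC datetime helper used for checkpoints in this example."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_audit_request(account_type, name, event_type, since, per_page=100):
    """Return (url, query params) for the first audit-log page of one input.

    Account Type -> endpoint, Organization/Enterprise Name -> path,
    Event Type -> the API's `include` parameter, and the last checkpoint
    `since` (aware datetime) -> a created:>= search phrase."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"event_type must be one of {EVENT_TYPES}")
    if account_type == "Organization":
        url = f"{API_BASE}/orgs/{name}/audit-log"
    elif account_type == "Enterprise":
        url = f"{API_BASE}/enterprises/{name}/audit-log"
    else:
        raise ValueError("account_type must be 'Organization' or 'Enterprise'")
    params = {
        "phrase": "created:>=" + since.strftime("%Y-%m-%d"),
        "include": event_type,
        "order": "asc",          # oldest first, so the checkpoint can advance safely
        "per_page": per_page,
    }
    return url, params


def checkpoint_gap_warnings(last_checkpoint, event_type, now):
    """Warn when the checkpoint is older than what the API can still return,
    i.e. when the next poll will silently miss events (e.g. a too-long
    Interval or an input that was disabled for a while)."""
    age = now - last_checkpoint
    warnings = []
    if event_type in ("git", "all") and age > GIT_EVENT_RETENTION:
        warnings.append(f"Git events older than {GIT_EVENT_RETENTION.days} days "
                        f"are gone; checkpoint is {age.days} days old")
    if age > AUDIT_RETENTION:
        warnings.append(f"audit data older than {AUDIT_RETENTION.days} days "
                        f"is gone; checkpoint is {age.days} days old")
    return warnings


LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def next_page_url(link_header):
    """Pull the rel="next" URL out of a GitHub Link header (None on the last page)."""
    if not link_header:
        return None
    for url, rel in LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def collect_all(fetch, first_url):
    """Follow pagination until no `next` link remains; `fetch(url)` must
    return (list_of_events, link_header)."""
    events, url = [], first_url
    while url:
        page, link = fetch(url)
        events.extend(page)
        url = next_page_url(link)
    return events


def normalize(events):
    """Flatten raw audit entries: @timestamp (epoch milliseconds) becomes an
    ISO-8601 UTC _time, alongside the fields an analyst searches on."""
    out = []
    for e in events:
        ts = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
        out.append({"_time": ts.isoformat(), "action": e["action"],
                    "actor": e.get("actor"), "org": e.get("org")})
    return out


# Constructed sample responses keyed by URL (not real GitHub data).
SAMPLE_PAGES = {
    f"{API_BASE}/orgs/example-org/audit-log?page=1": (
        [{"@timestamp": 1666800000000, "action": "repo.create", "actor": "alice", "org": "example-org"},
         {"@timestamp": 1666800600000, "action": "org.add_member", "actor": "alice", "org": "example-org"}],
        f'<{API_BASE}/orgs/example-org/audit-log?page=2>; rel="next"',
    ),
    f"{API_BASE}/orgs/example-org/audit-log?page=2": (
        [{"@timestamp": 1666801200000, "action": "git.clone", "actor": "bob", "org": "example-org"}],
        None,
    ),
}


def sample_fetch(url):
    """Stand-in for an HTTP GET against the constructed sample pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    now = utc(2022, 10, 27)
    url, params = build_audit_request("Organization", "example-org", "all", utc(2022, 10, 26))
    print(url, params)
    for rec in normalize(collect_all(sample_fetch, url + "?page=1")):
        print(rec)
    for w in checkpoint_gap_warnings(utc(2022, 10, 17), "all", now):
        print("WARNING:", w)
```

Against the live API the sample_fetch stand-in would be replaced by an authenticated GET carrying the Personal Access Token, and the checkpoint would be persisted between runs; the warning path is the part worth keeping, since a Git-event gap of more than seven days is unrecoverable from the API and should be surfaced rather than silently skipped.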

Github User Input

Data is collected in the github:cloud:user source type. The fields present in the input are as follows:

Field                         Type      Description
Name                          Textbox   Unique input name
Github Account                Dropdown  Select the account from the accounts created in Configuration
Organization/Enterprise Name  Textbox   Enter a valid name of the Organization or Enterprise
Interval                      Textbox   Enter the interval between consecutive invocations, in seconds
Index                         Textbox   Enter the name of the index in which you want to collect the data

Validate data collection

Once you have configured the inputs, run these searches to check that you are ingesting the expected data.

sourcetype=github:cloud:audit

sourcetype=github:cloud:user

Last modified on 27 October, 2022