Splunk® Supported Add-ons

Splunk Add-on for GitHub

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF


Configure GitHub Cloud to send data to the Splunk Add-on for GitHub

You can collect the data from your GitHub Cloud using the following approaches:

  • Utilize GitHub Cloud Log Streaming to collect the data
    • To collect the data using this approach, refer to "Configure your GitHub Cloud Audit Log Streaming to send data to Splunk Add-on for GitHub" page for configuring the Splunk Cloud and GitHub Cloud Audit Log Streaming
  • Utilize Add-on inputs to collect the data
    • To collect the data using this approach, follow this documentation to configure Account and Inputs of the add-on


Collect data using the add-on inputs

Before you follow the instructions on this page to set up the Splunk Add-on for Github, obtain your Personal Access Token from Github Cloud. See your GitHub Documentation for more information.

Behavior of Audit logs API

  • Audit logs list events triggered by the activities that affect your enterprise.
  • By Default, APIs will collect audit data from the past three months. The APIs retain Git events such as cloning, fetching, and pushing data for seven days.

Steps to configure an Account in Github

  • In Splunk Web, go to the Splunk Add-on for Github, by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
  • Click the Configuration tab.
  • Click the Github Account tab. 
    • In the Add dialogue box, fill in the required fields:
    Field Description
    Account Name A unique name for your Github account.
    Personal Access Token The token you generated on Github Cloud.

    Next, configure your inputs.

    (Optional) Change logging level

    You can change the default log level () to see more granular logs such as debug or more generic logs such as only error logs. The logging level can be configured using the steps below.

    1. On Splunk Web, go to the Splunk Add-on for Github, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
    2. Click the Configuration tab.
    3. Click the Logging tab.
    4. Select a new logging level from the drop-down menu.
    5. Click Save to save your configurations.

    (Optional) Proxy setup

    If you have proxy set up for data collection, the proxy settings can be configured by providing the details so that the data will be collected via the configured proxy.

    1. On Splunk Web, go to the Splunk Add-on for Github, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
    2. Click the Configuration tab.
    3. Click the Proxy tab.
    4. Check Enable and fill in the required fields.

    Github Audit Input

    Data will be collected in github:cloud:audit source type. The fields present in the Input are as below:

    Field Type Description
    Name Textbox Unique Input Name
    Event Type Dropdown Specifies the type of events to be collected
  • web - web (non-Git) events
  • git - Git events
  • all - both web and Git events
    • Account Type Dropdown The type of account for which you want to collect the data, i.e., Organization or Enterprise. This field becomes uneditable once you save the input successfully, to change this you can create a new input with the correct account type.
    Organization /Enterprise Name Textbox Enter a valid name of Organization or Enterprise
    Github Account Dropdown Select the account from the created Accounts in Configuration
    Interval Textbox Enter the interval for consecutive invocations in seconds
    Index Textbox Enter the index name in which you want to collect the data

    NOTE: To collect the audit-logs, the user should have the admin access of the organization/enterprise and read:audit_log scope for the Personal Access Token.

    Github User Input

    Data will be collected in github:cloud:user source type. The fields present in the Input are as below:

    Field Type Description
    Name Textbox Unique Input Name
    Github Account Dropdown Select the account from the created Accounts in Configuration
    Organization /Enterprise Name Textbox Enter a valid name of Organization or Enterprise
    Interval Textbox Enter the interval for consecutive invocations in seconds
    Index Textbox Enter the index name in which you want to collect the data

    NOTE: To collect the user data, the user should be a member of the organization and read:org scope for the Personal Access Token

    Validate data collection

    Once you have configured the input, run this search to check that you are ingesting the correct expected data.

    sourcetype=github:cloud:audit sourcetype=github:cloud:user

    Last modified on 25 September, 2023
    PREVIOUS
    Configure your GitHub Enterprise server to send data to the Splunk Add-on for GitHub     		  NEXT
    Upgrade the Splunk Add-on for GitHub

    This documentation applies to the following versions of Splunk® Supported Add-ons: released

    Was this documentation topic helpful?


    You must be logged into splunk.com in order to post comments. Log in now.

    Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

    0 out of 1000 Characters