
Configure GitHub Cloud to send data to the Splunk Add-on for GitHub
You can collect data from GitHub Cloud using either of the following approaches:
- Use GitHub Cloud audit log streaming to collect the data.
  - To use this approach, see "Configure your GitHub Cloud Audit Log Streaming to send data to Splunk Add-on for GitHub" for configuring Splunk Cloud and GitHub Cloud audit log streaming.
- Use the add-on inputs to collect the data.
  - To use this approach, follow this page to configure an Account and the Inputs of the add-on.
Collect data using the add-on inputs
Before you follow the instructions on this page to set up the Splunk Add-on for GitHub, obtain a Personal Access Token from GitHub Cloud. See the GitHub documentation for more information.
Behavior of Audit logs API
- Audit logs list events triggered by activities that affect your organization or enterprise.
- By default, the APIs collect audit data from the past three months. Git events such as cloning, fetching, and pushing are retained for only seven days, so an input that is created or left stopped for longer than that will not be able to backfill them.
Steps to configure an Account in the Splunk Add-on for GitHub
In the Add dialog box, fill in the required fields:
Field | Description |
---|---|
Account Name | A unique name for your GitHub account. |
Personal Access Token | The token you generated on GitHub Cloud. |
Next, configure your inputs.
(Optional) Change logging level
You can change the default log level () to see more granular logs, such as debug, or more generic logs, such as only error logs. Configure the logging level using the following steps.
- In Splunk Web, go to the Splunk Add-on for GitHub, either by clicking the name of the add-on in the left navigation banner or by going to Manage Apps and clicking Launch App in the row for the Splunk Add-on for GitHub.
- Click the Configuration tab.
- Click the Logging tab.
- Select a new logging level from the drop-down menu.
- Click Save to save your configurations.
(Optional) Proxy setup
If data collection has to go through a proxy, configure the proxy details so that the add-on collects data through that proxy.
- In Splunk Web, go to the Splunk Add-on for GitHub, either by clicking the name of the add-on in the left navigation banner or by going to Manage Apps and clicking Launch App in the row for the Splunk Add-on for GitHub.
- Click the Configuration tab.
- Click the Proxy tab.
- Check Enable, fill in the required fields, and click Save.
GitHub Audit Input
Data is collected with the github:cloud:audit source type. The input has the following fields:
Field | Type | Description |
---|---|---|
Name | Textbox | Unique input name |
Event Type | Dropdown | The type of events to collect |
Account Type | Dropdown | The type of account to collect data for: Organization or Enterprise. This field cannot be edited after the input is saved; to change it, create a new input with the correct account type. |
Organization/Enterprise Name | Textbox | A valid Organization or Enterprise name |
GitHub Account | Dropdown | The account to use, selected from the Accounts created on the Configuration tab |
Interval | Textbox | The interval between consecutive invocations, in seconds |
Index | Textbox | The index in which to store the collected data |
NOTE: To collect audit logs, the user who generated the Personal Access Token must have admin access to the organization or enterprise, and the token must have the read:audit_log scope.
GitHub User Input
Data is collected with the github:cloud:user source type. The input has the following fields:
Field | Type | Description |
---|---|---|
Name | Textbox | Unique input name |
GitHub Account | Dropdown | The account to use, selected from the Accounts created on the Configuration tab |
Organization/Enterprise Name | Textbox | A valid Organization or Enterprise name |
Interval | Textbox | The interval between consecutive invocations, in seconds |
Index | Textbox | The index in which to store the collected data |
NOTE: To collect user data, the user who generated the Personal Access Token must be a member of the organization, and the token must have the read:org scope.
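Because the Account Type field cannot be changed once an input is saved, and because a token that lacks the read:audit_log or read:org scope fails only at collection time, it is worth checking the token before creating either input. The following Python script is an added example, not code from the Splunk Add-on for GitHub or from GitHub. It assumes a classic Personal Access Token (GitHub reports the granted scopes of classic tokens in the X-OAuth-Scopes response header; fine-grained tokens use permissions instead and report no scopes), assumes the scope hierarchy in IMPLIED_SCOPES (admin:org includes write:org and read:org), and assumes api.github.com is reachable for the two live checks. The scope comparison itself runs offline on the header value.

```python
# Added example (not part of the Splunk Add-on for GitHub): pre-flight check
# of a classic Personal Access Token before creating the Audit or User input.
# It compares the granted scopes with the scopes the input notes require and,
# optionally, probes the audit-log endpoint for the organization/enterprise so
# that a wrong name or missing admin access shows up before the input is saved.
# Assumptions: classic PAT (scopes reported in X-OAuth-Scopes), the implied-scope
# table below, and network access to api.github.com for the live checks.
import urllib.error
import urllib.request

API_BASE = "https://api.github.com"

# Scopes required by each add-on input, per the notes on this page.
REQUIRED_SCOPES = {
    "audit": {"read:audit_log"},
    "user": {"read:org"},
}

# Broader classic scopes that include a narrower one. Assumed from GitHub's
# scope hierarchy; verify against the GitHub scopes documentation.
IMPLIED_SCOPES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes header value such as 'repo, read:org'."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Add every scope implied by a granted broader scope."""
    granted = set(scopes)
    pending = list(granted)
    while pending:
        for implied in IMPLIED_SCOPES.get(pending.pop(), ()):
            if implied not in granted:
                granted.add(implied)
                pending.append(implied)
    return granted


def missing_scopes(header_value, input_type):
    """Return the scopes the given input ('audit' or 'user') still needs."""
    granted = expand_scopes(parse_scopes(header_value))
    return sorted(REQUIRED_SCOPES[input_type] - granted)


def _request(path, token):
    req = urllib.request.Request(
        API_BASE + path,
        headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    return urllib.request.urlopen(req, timeout=15)


def fetch_token_scopes(token):
    """Live check: any authenticated call returns the granted scopes in the
    X-OAuth-Scopes header. Returns '' for tokens that carry no scopes."""
    with _request("/user", token) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


def audit_log_path(account_type, name):
    """Audit-log endpoint matching the Account Type the input form asks for."""
    if account_type == "Organization":
        return "/orgs/%s/audit-log" % name
    if account_type == "Enterprise":
        return "/enterprises/%s/audit-log" % name
    raise ValueError("account_type must be 'Organization' or 'Enterprise'")


def probe_audit_log(token, account_type, name):
    """Live check: fetch one audit-log event and return the HTTP status.
    403 or 404 usually means missing admin access or a wrong name."""
    try:
        with _request(audit_log_path(account_type, name) + "?per_page=1", token) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import os
    token = os.environ.get("GITHUB_TOKEN", "")
    scopes = fetch_token_scopes(token) if token else ""
    for input_type in ("audit", "user"):
        print(input_type, "input missing scopes:", missing_scopes(scopes, input_type))
    org = os.environ.get("GITHUB_ORG")
    if token and org:
        print("audit-log probe status:", probe_audit_log(token, "Organization", org))
```

Run it with GITHUB_TOKEN (and optionally GITHUB_ORG) set in the environment. A non-empty list of missing scopes means the token needs to be regenerated before the corresponding input is created; a probe status of 403 or 404 means the account type or name in the input form is wrong or the token's owner is not an admin of that organization or enterprise.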
Validate data collection
After you configure an input, run the corresponding search to confirm that the expected data is being ingested:
sourcetype=github:cloud:audit
sourcetype=github:cloud:user