Splunk Add-On to collect audit log events from Github Enterprise Cloud

Overview

GitHub Enterprise Audit Log Monitoring

Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise

Support for modular inputs in Splunk Enterprise 5.0 and later enables you to add new types of inputs to Splunk Enterprise that are treated as native Splunk Enterprise inputs.

This modular input makes an HTTPS request to the GitHub Enterprise's Audit Log REST API endpoint at a definable interval to fetch audit log data.

Splunk modular input demo

Prerequisites

  • Splunk Heavy Forwarder v8.0+
  • Python 3.7+
  • GitHub Enterprise Cloud

Installation

  1. Download the latest release from Splunkbase.

  2. On a Splunk heavy forwarder, go to Apps > Manage Apps.

  3. On the Apps page, click Install app from file, and upload the SPL file you downloaded from Splunkbase. If an existing copy of the app already exists, check the Upgrade app checkbox.

  4. Generate a Personal Access Token in GitHub Enterprise with the site_admin scope.

Configuration

Personal Access Token Scope

These are the required scopes for the personal access token allowing the module to fetch the audit log entries successfully:

  • admin:enterprise Full control of enterprises
    • manage_billing:enterprise Read and write enterprise billing data
    • read:enterprise Read enterprise profile data

Input Fields

Modular input configuration view

  • name

    • This is name of your instance. You can have multiple modular inputs running simultaneously. However, this isn't recommended for this module.
    • Accepts: alpha-numeric, white spaces, and symbol characters
    • Example: GHE-enterprise-name
  • Hostname

    • This is the hostname of your GitHub Enterprise instance. Make sure there are no leading protocols (e.g. http:///https://) or trailing slashes (/) in the URL provided. This could either be a FQDN or an IP address. Don't append paths beyond the TLD.
    • Example: api.github.com
  • Enterprise

    • The enterprise name for which to fetch audit log events.
  • Personal Access Token

    • This is your personal access token that you generate for your account or a service account in GitHub Enterprise. This module requires that you create the personal access token with the site_admin scope. This is a very sensitive token so make sure to keep it secure at all times!
    • Security: The personal access token is encrypted and stored in Splunk's password storage. After you configure it the first time it will be replaced in Splunk's UI with a unique identifier. This identifier will be used by the module to fetch the personal access token before making the API request to GitHub Enterprise.
    • Accepts: a 40-character token
    • Example: d0e117b6ad471der3rjdowcc401a95d09202119f
  • Event Types

    • The audit log contains multiple event types. This field allows you to specify which events to include:
      • web: returns web (non-Git) events
      • git: returns Git events
      • allL returns both web and Git events
    • Go to the Splunk docs for more details.
  • Maximum Entries Per Run

    • The maximum number of events / entries to fetch each time the script runs. To understand how to calculate the maximum number of entries and interval to best fit your organization, go to the Tweaking throughput section.
  • Verify Self-Signed Certificates

    • This is a parameter passed to the get() method in the Requests library. If the checkbox is cheked then the SSL certificate will be verified like a browser does and requests will throw a SSLError if it’s unable to verify the certificate. Uncheck this box if you are using self-signed certificates.
  • Debug Mode

    • The personal access token will be leaked in the splunkd logs. DO NOT ENABLE unless you are ready to update your personal access token.
    • If you are experiencing issues and the module isn't operating as intended, you can enable this mode to see the module's debugging information in the splunkd logs.
  • Interval

    • Takes a cron expression as defined in the Splunk docs.
    • Example: 30 * * * *
      • At minute 30 of every hour. For example, if you set this CRON job at 11:02, your job will begin running at 11:30, 12:30, 1:30, etc...
    • Example: */5 * * * *
      • Every 5 minutes
    • Example: 300
      • Every 300 seconds or 5 minutes

Tweaking throughput

This modular input fetches events by calling the Enterprise Audit Log API. This API returns a maximum of 100 events / entries per page. The pagination algorithm can fetch events up to the maximum entries per run you defined. It's important to tweak the maximum entries per run and interval parameters to have the ability to fetch your data in a timely manner and stay as close to real time as possible.

Example:

Enterprise Events per minute Maximum entries per run Interval API calls used Guidance
Evil-Corp 1000 1000 /1 ** * 600 per hour The modular input should be able to handle this with ease.
Poizen-Inc 5000 5000 /1 ** * 3000 per hour We are approaching API rate limit per hour. Depending on latency, 5000 entries = 50 API calls per minute. One minute might not be sufficient to fetch all this data.
Monsters-Inc 10000 2000 /1 ** * 1200 per hour You will be fetching events with a slight delay.

Use cases

Github App for Splunk

Along with this modular input we're providing a Github App for Splunk that makes use of the collected audit log events to give you an overview of the activities across your enterprise.

You can install it via the Manage Apps page.

Make sure to replace the [STANZA_NAME] placeholder with the name of your modular input instance (the first field in the input parameters configured in the previous section).

Sample activity dashboard screenshot

FAQs

How is my Personal Access Token secured?

On the first run the modular input will identify that your personal access token (PAT) isn't encrypted. It will encrypt your PAT and store it in Splunk's credentials manager. It will replace the plain text PAT with an md5 hash of an identifying key.

Your personal access token is only visible in plain text from the time you configure the modular input instance until the first run.

Does the interval field access only cron syntax?

No, you can enter the number of seconds instead.

I enabled debug mode, what now?

If you've enabled debug mode be ready to change your personal access token because it will most likely be leaked into the Splunk logs in plain text.

Why can't I use a GitHub app instead of a personal access token?

GitHub apps can't be installed on the enterprise level. The REST API requires enterprise admin privileges which are out of scope for GitHub apps.

Can I use this with GitHub Enterprise Server?

This tool has been designed to consume the Enterprise Audit Log API which is not available for GitHub Enterprise Server because the audit log on the latter can be forwarded via log forwarding directly to Splunk without the need to poll for data.

Support

Support for Github Audit Log Monitoring Add-On for Splunk is run through Github Issues. Open a new issue for any support issues or for feature requests. You may also open a pull request if you'd like to contribute additional dashboards, eventtypes for webhooks, or enhancements.

Troubleshooting

Read logs in Splunk

You can use this search query to fetch all the logs belonging to this module when Debug Mode is enabled.

index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ghe_audit_log_monitoring

Test the modular input for syntax problems

Run this test if you don't see anything in the logs (which is a highly unlikely scenario). This will display any syntax errors if there are any.

sudo $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/bin/ghe_audit_log_monitoring.py

Where are state files stored?

State files for enterprises are stored in this directory:

$SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/state/
Comments
  • Support Request: Receiving 404 Error on Hostname

    Support Request: Receiving 404 Error on Hostname

    Hello,

    We're working on using the GitHub Audit Log Monitoring Add-On to pull logs from GitHub Enterprise into Splunk, but we're receiving 404 errors for our URL. We'd like some clarification on formatting the hostname and enterprise fields. The documentation states to remove leading protocols (http://, etc.), but the and app interface and screenshot provided are explicitly using the leading protocol. Can we confirm which formatting to use?

    Additionally, is there a way to find out which hostname/URL to use? Will this always be api.github.com (which is the URL we use since it's hosted)? Or is there some URL on GitHub Enterprise that our admins can find?

    Any input would be greatly appreciated. Thank you.

    opened by alecvogelsang-deltek 8
  • Support for proxy?

    Support for proxy?

    Hi,

    We want to use this app on our on-premise HF to pull the audit logs from our github.com enterprise and orgs. Our HF is behind a corporate proxy, but we cannot seem to find any option to provide the proxy setup for this modular input app?

    Could you tell me if this is supported, and if not, if it is part of your roadmap to support this in the near future?

    Thanks!

    enhancement 
    opened by twuytens 7
  • Get security data in splunk

    Get security data in splunk

    GHAS - Dependabots, secret scanning, and code scanning data needed in splunk. Splunk team mentioned that they are using webhooks to get the data. How do we configure to get those details?

    opened by BrittanyCrowell-E16398 7
  • Github add-on Error with Data Inputs

    Github add-on Error with Data Inputs

    Hello Team!

    I have configured the github-audit-log-monitoring-add-on-for-splunk with and continuously getting below errors, can someone please help me here?

    03-25-2022 04:10:07.349 +0000 ERROR ExecProcessor [6894 ExecProcessorSchedulerThread] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.github.com', port=443): Max retries exceeded with url: /enterprises/XXX/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb26fa058d0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

    opened by bitfluencer 2
  • Enhancement request: Adding the name of the inputs (stanza name) into logs

    Enhancement request: Adding the name of the inputs (stanza name) into logs

    It would be easier to trace / troubleshoot if the stanza name or the input name is showing up in the logs. We were troubleshooting 2 failed inputs, and it was a bit difficult to know which log event is associated with which input.

    opened by jenipherc 2
  • Splunk git hub audit logs error

    Splunk git hub audit logs error

    We have installed following two apps in our splunk environment to get data into our splunk enterprise environment

    1. GitHub App for Splunk [https://splunkbase.splunk.com/app/5596/]
    2. GitHub Audit Log Monitoring Add-On for Splunk[https://splunkbase.splunk.com/app/5595/]

    We have configured both webhook and access token based ingestion setup to get logs into splunk but we are getting following errors and not able to see the data in dashboard

    05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.dowjones.net/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/3.3/graphql"} host = ip-10-146-86-30.win.dowjones.netlog_level = ERRORsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd

    5/11/22 8:59:00.164 PM 05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" response.status_code, response.url, response.text

    image

    image

    image

    image

    image

    My new index name is "github"

    image

    It seems nothing is working from Audit logs.

    Any troubleshooting steps would be helpful

    opened by indreshgithub1 1
  • Error running in Splunk Cloud on IDM server

    Error running in Splunk Cloud on IDM server

    Here is the error message: 03-14-2022 20:58:00.323 +0000 ERROR ExecProcessor [19747 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 403 - url: https://api.github.com/enterprises/myriadgenetics/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Must have admin rights to Repository.","documentation_url":"https://docs.github.com/rest/reference/enterprise-admin#get-the-audit-log-for-an-enterprise"}

    It has admin:enterprise permission. We have not hit our rate either. What else can I look for or at?

    Thanks

    opened by larrys 1
  • Only available in GHE Cloud

    Only available in GHE Cloud

    The documentation says:

    Prerequisites

    • Splunk Heavy Forwarder v8.0+
    • Python 3.7+
    • GitHub Enterprise Cloud

    I'm wondering whether or not GHE Cloud is needed, or if you can use GHE on-prem as well for this application - it's not clear from the docs whether this is supported, or if GHE on-prem customers need to upgrade to a certain version before using, etc...

    opened by arcsector 1
  • Enhancement Request: Allow configuring an index that doesn't reside on the Splunk Enterprise where this add-on resides

    Enhancement Request: Allow configuring an index that doesn't reside on the Splunk Enterprise where this add-on resides

    We place this add-on onto a heavy forwarder for data collection, and then send data to indexer cluster where indexes reside. Therefore, when we configure the data input in UI, the index we want to send data to doesn't exist, and not available to select in the drop down menu. Even if we modify the inputs.conf manually and change the index name, the data will be not forwarded.

    We ended up creating an index locally where the Add-on is installed, and because of the outputs.conf is set to forward (and not indexed locally), this allows the Add-on to send data to the index reside in our indexer cluster.

    opened by jenipherc 1
  • License?

    License?

    What is the license of this repo? I see under /lib/ some files are Splunk copyright under Apache license. I'm mostly curious about the Github eventlog client and classes, if that helps.

    Thank you.

    opened by evilensky 1
  • Modular input not listed in Splunk after installing

    Modular input not listed in Splunk after installing

    I've installed this add-on from Splunkbase on a 9.0.1 and 9.0.0 environments and in both cases the "GitHub Enterprise Audit Log Monitoring" modular input, as shown in the screenshot in the readme of this repo, is appearing post installation. Am I missing a step?

    opened by vector-sec 0
Releases(v1.1.1)
  • v1.1.1(Nov 29, 2021)

  • v1.1.0(Oct 15, 2021)

    What's Changed

    • Update prerequisites by @josepalafox in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/1
    • Add gitignore and update FAQ by @Link- in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/2
    • README: Update instructions with correct PAT name by @beardofedu in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/6

    New Contributors

    • @josepalafox made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/1
    • @Link- made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/2
    • @beardofedu made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/6

    Full Changelog: https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/compare/v1.0.0...v1.1.0

    Source code(tar.gz)
    Source code(zip)
Owner
Splunk GitHub
Splunk GitHub
Progressbar 2 - A progress bar for Python 2 and Python 3 - "pip install progressbar2"

Text progress bar library for Python. Travis status: Coverage: Install The package can be installed through pip (this is the recommended method): pip

Rick van Hattem 795 Dec 18, 2022
A cool logging replacement for Python.

Welcome to Logbook Travis AppVeyor Supported Versions Latest Version Test Coverage Logbook is a nice logging replacement. It should be easy to setup,

1.4k Nov 11, 2022
Display tabular data in a visually appealing ASCII table format

PrettyTable Installation Install via pip: python -m pip install -U prettytable Install latest development version: python -m pip install -U git+https

Jazzband 924 Jan 05, 2023
This is a key logger based in python which when executed records all the keystrokes of the system it has been executed on .

This is a key logger based in python which when executed records all the keystrokes of the system it has been executed on

Purbayan Majumder 0 Mar 28, 2022
Colored terminal output for Python's logging module

coloredlogs: Colored terminal output for Python's logging module The coloredlogs package enables colored terminal output for Python's logging module.

Peter Odding 496 Dec 30, 2022
Logging system for the TPC software.

tpc_logger Logging system for the TPC software. The TPC Logger class provides a singleton for logging information within C++ code or in the python API

UC Davis Machine Learning 1 Jan 10, 2022
Monitoring plugin to check disk io with Icinga, Nagios and other compatible monitoring solutions

check_disk_io - Monitor disk io This is a monitoring plugin for Icinga, Nagios and other compatible monitoring solutions to check the disk io. It uses

DinoTools 3 Nov 15, 2022
A colored formatter for the python logging module

Log formatting with colors! colorlog.ColoredFormatter is a formatter for use with Python's logging module that outputs records using terminal colors.

Sam Clements 778 Dec 26, 2022
Ultimate Logger - A Discord bot that logs lots of events in a channel written in python

Ultimate Logger - A Discord bot that logs lots of events in a channel written in python

Luca 2 Mar 27, 2022
Discord-Image-Logger - Discord Image Logger With Python

Discord-Image-Logger A exploit I found in discord. Working as of now. Explanatio

111 Dec 31, 2022
Integrates a UPS monitored by NUT into OctoPrint

OctoPrint UPS This OctoPrint plugin interfaces with a UPS monitored by NUT (Network UPS Tools). Requirements NUT must be configured by the user. This

Shawn Bruce 11 Jul 05, 2022
changedetection.io - The best and simplest self-hosted website change detection monitoring service

changedetection.io - The best and simplest self-hosted website change detection monitoring service. An alternative to Visualping, Watchtower etc. Designed for simplicity - the main goal is to simply

7.3k Jan 01, 2023
ScreenshotLogger works just like a keylogger but instead of capturing keystroke,it captures the screen, stores it or sends via email

ScreenshotLogger works just like a keylogger but instead of capturing keystroke,it captures the screen, stores it or sends via email. Scrapeasy is super easy to use and handles everything for you. Ju

Ifechukwudeni Oweh 17 Jul 17, 2022
Multi-processing capable print-like logger for Python

MPLogger Multi-processing capable print-like logger for Python Requirements and Installation Python 3.8+ is required Pip pip install mplogger Manual P

Eötvös Loránd University Department of Digital Humanities 1 Jan 28, 2022
Soda SQL Data testing, monitoring and profiling for SQL accessible data.

Soda SQL Data testing, monitoring and profiling for SQL accessible data. What does Soda SQL do? Soda SQL allows you to Stop your pipeline when bad dat

Soda Data Monitoring 51 Jan 01, 2023
Monitor and log Network and Disks statistics in MegaBytes per second.

iometrics Monitor and log Network and Disks statistics in MegaBytes per second. Install pip install iometrics Usage Pytorch-lightning integration from

Leo Gallucci 17 May 03, 2022
Log4j alternative for Python

Log4p Log4p is the most secure logging library ever created in this and all other universes. Usage: import log4p log4p.log('"Wow, this library is sec

Isaak Uchakaev 15 Dec 16, 2022
蓝鲸日志平台(BK-LOG)是为解决分布式架构下日志收集、查询困难的一款日志产品,基于业界主流的全文检索引擎

蓝鲸日志平台(BK-LOG)是为解决分布式架构下日志收集、查询困难的一款日志产品,基于业界主流的全文检索引擎,通过蓝鲸智云的专属 Agent 进行日志采集,提供多种场景化的采集、查询功能。

腾讯蓝鲸 102 Dec 22, 2022
A python library used to interact with webots robocup game web logs

A python library used to interact with webots robocup game web logs

Hamburg Bit-Bots 2 Nov 05, 2021
A Python package which supports global logfmt formatted logging.

Python Logfmter A Python package which supports global logfmt formatted logging. Install $ pip install logfmter Usage Before integrating this library,

Joshua Taylor Eppinette 15 Dec 29, 2022