|
1 | 1 | # GitHub Enterprise Audit Log Monitoring |
2 | 2 |
|
3 | | -> Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise |
4 | | -
|
5 | | -Support for modular inputs in Splunk Enterprise 5.0 and later enables you to add new types of inputs to Splunk Enterprise that are treated as native Splunk Enterprise inputs. |
6 | | - |
7 | | -This modular input makes an HTTPS request to the GitHub Enterprise's Audit Log REST API endpoint at a definable interval to fetch audit log data. |
8 | | - |
9 | | - |
10 | | - |
11 | 3 | ## Prerequisites |
12 | 4 |
|
13 | 5 | - Splunk v8.x+ |
14 | 6 | - Python 3.x |
15 | 7 |
|
16 | 8 | ## Installation |
17 | 9 |
|
18 | | -1. SSH to your Splunk server |
19 | | - |
20 | | -2. Download the latest release from [Releases](https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/releases) |
21 | | - |
22 | | -3. Copy the tarball to the apps directory and extract it: |
23 | | - |
24 | | - ```sh |
25 | | - $ cp splunk-ghe-audit-log-monitoring-<VERSION>.tar.gz $SPLUNK_HOME/etc/apps/ |
26 | | - |
27 | | - $ mkdir -p $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring |
28 | | - |
29 | | - $ tar xf $SPLUNK_HOME/etc/apps/splunk-ghe-audit-log-monitoring-<VERSION>.tar.gz -C $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring --strip-components=1 |
30 | | - |
31 | | - # Optional depending on the user executing the previous actions |
32 | | - $ sudo chown -R splunk:splunk $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring |
33 | | - |
34 | | - # Make the state directory writable by the group |
35 | | - $ sudo chmod -R 775 /opt/splunk/etc/apps/ghe_audit_log_monitoring/state |
36 | | - ``` |
37 | | - |
38 | | -4. Restart the Splunk server |
39 | | - |
40 | | -5. Generate a Personal Access Token in GitHub.com (PAT must be generated by an Enterprise Owner). |
41 | | - |
42 | | -6. Configure and the GitHub Enterprise Audit Log Monitoring by entering the necessary information in the input fields |
| 10 | +Installation and configuration documents for the (Splunk Add-on for GitHub)[https://docs.splunk.com/Documentation/AddOns/released/GitHub/About] is available in our official Splunk docs. This add-on can be used for both GitHub Enterprise Cloud and Server. To configure for each specific environment, please refer to the official docs. |
43 | 11 |
|
44 | 12 | ## Configuration |
45 | 13 |
|
@@ -155,30 +123,3 @@ If you've enabled debug mode be ready to change your personal access token becau |
155 | 123 | ### Why can't I use a GitHub app instead of a personal access token? |
156 | 124 |
|
157 | 125 | GitHub apps cannot be installed on the enterprise level. The REST API requires enterprise admin privileges which are out of scope for GitHub apps. |
158 | | - |
159 | | -## Troubleshooting |
160 | | - |
161 | | -### Read logs in Splunk |
162 | | - |
163 | | -You can use this search query to fetch all the logs belonging to this module when **Debug Mode** is enabled. |
164 | | - |
165 | | -```sh |
166 | | -index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ghe_audit_log_monitoring |
167 | | -``` |
168 | | - |
169 | | -### Test the modular input for syntax problems |
170 | | - |
171 | | -Run this test if you don't see anything in the logs (which is a highly unlikely scenario). This will display any syntax errors if there are any. |
172 | | - |
173 | | -```sh |
174 | | -sudo $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/bin/ghe_audit_log_monitoring.py |
175 | | -``` |
176 | | - |
177 | | -### Where are state files stored? |
178 | | - |
179 | | -State files for enterprises are stored in this directory: |
180 | | - |
181 | | -```sh |
182 | | -$SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/state/ |
183 | | -``` |
184 | | -Test |
0 commit comments