Splunk Add-On to collect audit log events from Github Enterprise Cloud

Overview

GitHub Enterprise Audit Log Monitoring

Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise

Support for modular inputs in Splunk Enterprise 5.0 and later enables you to add new types of inputs to Splunk Enterprise that are treated as native Splunk Enterprise inputs.

This modular input makes an HTTPS request to the GitHub Enterprise Audit Log REST API endpoint at a configurable interval to fetch audit log data.

Splunk modular input demo

Prerequisites

  • Splunk Heavy Forwarder v8.0+
  • Python 3.7+
  • GitHub Enterprise Cloud

Installation

  1. Download the latest release from Splunkbase.

  2. On a Splunk heavy forwarder, go to Apps > Manage Apps.

  3. On the Apps page, click Install app from file, and upload the SPL file you downloaded from Splunkbase. If an existing copy of the app already exists, check the Upgrade app checkbox.

  4. Generate a Personal Access Token in GitHub Enterprise with the site_admin scope.

Configuration

Personal Access Token Scope

These are the required scopes for the personal access token allowing the module to fetch the audit log entries successfully:

  • admin:enterprise Full control of enterprises
    • manage_billing:enterprise Read and write enterprise billing data
    • read:enterprise Read enterprise profile data

Input Fields

Modular input configuration view

  • name

    • This is the name of your instance. You can have multiple modular inputs running simultaneously; however, this isn't recommended for this module.
    • Accepts: alpha-numeric, white spaces, and symbol characters
    • Example: GHE-enterprise-name
  • Hostname

    • This is the hostname of your GitHub Enterprise instance. Make sure there is no leading protocol (e.g. http:// or https://) and no trailing slash (/) in the value provided. This can be either a FQDN or an IP address. Don't append paths beyond the TLD.
    • Example: api.github.com
  • Enterprise

    • The enterprise name for which to fetch audit log events.
  • Personal Access Token

    • This is your personal access token that you generate for your account or a service account in GitHub Enterprise. This module requires that you create the personal access token with the site_admin scope. This is a very sensitive token so make sure to keep it secure at all times!
    • Security: The personal access token is encrypted and stored in Splunk's password storage. After you configure it the first time it will be replaced in Splunk's UI with a unique identifier. This identifier will be used by the module to fetch the personal access token before making the API request to GitHub Enterprise.
    • Accepts: a 40-character token
    • Example: d0e117b6ad471der3rjdowcc401a95d09202119f
  • Event Types

    • The audit log contains multiple event types. This field allows you to specify which events to include:
      • web: returns web (non-Git) events
      • git: returns Git events
      • all: returns both web and Git events
    • Go to the Splunk docs for more details.
  • Maximum Entries Per Run

    • The maximum number of events / entries to fetch each time the script runs. To understand how to calculate the maximum number of entries and interval to best fit your organization, go to the Tweaking throughput section.
  • Verify Self-Signed Certificates

    • This is a parameter passed to the get() method in the Requests library. If the checkbox is checked, the SSL certificate is verified the way a browser does it, and Requests raises an SSLError if it cannot verify the certificate. Uncheck this box if you are using self-signed certificates.
  • Debug Mode

    • The personal access token will be leaked in the splunkd logs. DO NOT ENABLE unless you are ready to update your personal access token.
    • If you are experiencing issues and the module isn't operating as intended, you can enable this mode to see the module's debugging information in the splunkd logs.
  • Interval

    • Takes a cron expression as defined in the Splunk docs.
    • Example: 30 * * * *
      • At minute 30 of every hour. For example, if you save this cron schedule at 11:02, the job will run at 11:30, 12:30, 13:30, and so on.
    • Example: */5 * * * *
      • Every 5 minutes
    • Example: 300
      • Every 300 seconds or 5 minutes

Tweaking throughput

This modular input fetches events by calling the Enterprise Audit Log API. This API returns a maximum of 100 events / entries per page. The pagination algorithm can fetch events up to the maximum entries per run you defined. It's important to tweak the maximum entries per run and interval parameters to have the ability to fetch your data in a timely manner and stay as close to real time as possible.

Example:

Enterprise    Events per minute  Maximum entries per run  Interval      API calls used  Guidance
Evil-Corp     1000               1000                     */1 * * * *   600 per hour    The modular input should be able to handle this with ease.
Poizen-Inc    5000               5000                     */1 * * * *   3000 per hour   We are approaching the API rate limit per hour. Depending on latency, 5000 entries = 50 API calls per minute. One minute might not be sufficient to fetch all this data.
Monsters-Inc  10000              2000                     */1 * * * *   1200 per hour   You will be fetching events with a slight delay.
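The arithmetic behind the table above, and the two forms the Interval field accepts (a cron expression or a number of seconds), as an added example that is not code from the add-on: one run costs ceil(maximum entries per run / 100) API calls because the API pages at 100 entries, and the Interval field decides how many runs happen per hour. The hourly rate limit is an assumed parameter for the comparison; the README only says that 3000 calls per hour is approaching it.

```python
"""Throughput and rate-limit estimator for the Interval / Maximum Entries Per Run settings.

Added example; this is not code from the add-on. It models what the
throughput table describes: the Enterprise Audit Log API returns at most
100 entries per page, so one run costs ceil(max_entries / 100) calls, and
the run frequency comes from the Interval field, which accepts a cron
expression or a plain number of seconds. The hourly rate limit is an
assumed parameter (the README only says 3000 calls/hour is 'approaching' it).
"""
import math
import re
from dataclasses import dataclass

PAGE_SIZE = 100  # maximum entries the API returns per page

# Only the Interval shapes shown in the README are modelled:
# '*/N * * * *' (every N minutes), 'M * * * *' (once an hour at minute M), or seconds.
_EVERY_N_MINUTES = re.compile(r"^\*/(\d+) \* \* \* \*$")
_AT_MINUTE = re.compile(r"^\d{1,2} \* \* \* \*$")


def runs_per_hour(interval: str) -> float:
    """Translate an Interval field value into script executions per hour."""
    interval = interval.strip()
    if interval.isdigit():                 # plain seconds, e.g. '300'
        return 3600 / int(interval)
    m = _EVERY_N_MINUTES.match(interval)
    if m:                                  # '*/5 * * * *' -> every 5 minutes
        return 60 / int(m.group(1))
    if _AT_MINUTE.match(interval):         # '30 * * * *' -> once per hour
        return 1.0
    raise ValueError(f"unsupported interval expression: {interval!r}")


@dataclass
class Estimate:
    api_calls_per_run: int
    api_calls_per_hour: int
    entries_fetched_per_hour: int
    entries_generated_per_hour: int
    keeps_up: bool          # fetch capacity >= event volume, i.e. no growing backlog
    within_rate_limit: bool


def estimate(events_per_minute: int, max_entries_per_run: int, interval: str,
             rate_limit_per_hour: int = 5000) -> Estimate:
    """Estimate API usage and backlog for one modular input configuration.

    rate_limit_per_hour is an assumption used for the comparison, not a value
    the README states.
    """
    calls_per_run = math.ceil(max_entries_per_run / PAGE_SIZE)
    runs = runs_per_hour(interval)
    calls = round(calls_per_run * runs)
    fetched = round(max_entries_per_run * runs)
    generated = events_per_minute * 60
    return Estimate(calls_per_run, calls, fetched, generated,
                    fetched >= generated, calls <= rate_limit_per_hour)


if __name__ == "__main__":
    # The three rows from the README table, each with an every-minute interval.
    for name, epm, max_entries in [("Evil-Corp", 1000, 1000),
                                   ("Poizen-Inc", 5000, 5000),
                                   ("Monsters-Inc", 10000, 2000)]:
        e = estimate(epm, max_entries, "*/1 * * * *")
        print(f"{name:13} {e.api_calls_per_hour:5d} calls/hour  "
              f"keeps up: {e.keeps_up}  within limit: {e.within_rate_limit}")
```

Running it reproduces the 600 / 3000 / 1200 calls-per-hour column, and flags the Monsters-Inc row as one where the fetched volume (2000 per minute) lags the generated volume (10000 per minute), which is the delay the guidance column describes.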

Use cases

Github App for Splunk

Along with this modular input we're providing a Github App for Splunk that makes use of the collected audit log events to give you an overview of the activities across your enterprise.

You can install it via the Manage Apps page.

Make sure to replace the [STANZA_NAME] placeholder with the name of your modular input instance (the first field in the input parameters configured in the previous section).

Sample activity dashboard screenshot

FAQs

How is my Personal Access Token secured?

On the first run the modular input will identify that your personal access token (PAT) isn't encrypted. It will encrypt your PAT and store it in Splunk's credentials manager. It will replace the plain text PAT with an md5 hash of an identifying key.

Your personal access token is only visible in plain text from the time you configure the modular input instance until the first run.

Does the interval field accept only cron syntax?

No, you can enter the number of seconds instead.

I enabled debug mode, what now?

If you've enabled debug mode be ready to change your personal access token because it will most likely be leaked into the Splunk logs in plain text.

Why can't I use a GitHub app instead of a personal access token?

GitHub apps can't be installed on the enterprise level. The REST API requires enterprise admin privileges which are out of scope for GitHub apps.

Can I use this with GitHub Enterprise Server?

This tool has been designed to consume the Enterprise Audit Log API which is not available for GitHub Enterprise Server because the audit log on the latter can be forwarded via log forwarding directly to Splunk without the need to poll for data.

Support

Support for Github Audit Log Monitoring Add-On for Splunk is run through Github Issues. Open a new issue for any support issues or for feature requests. You may also open a pull request if you'd like to contribute additional dashboards, eventtypes for webhooks, or enhancements.

Troubleshooting

Read logs in Splunk

You can use this search query to fetch all the logs belonging to this module when Debug Mode is enabled.

index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ghe_audit_log_monitoring
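A triage helper for the lines that search returns, as an added example that is not part of the add-on: it parses splunkd ExecProcessor lines, keeps only those emitted by ghe_audit_log_monitoring.py, and maps each failure to the configuration field to check first (network path, token scope or rate limit, hostname/enterprise). The sample lines are constructed for this example, modelled on the messages in the issues below; the enterprise and GHES host names in them are placeholders.

```python
"""Triage ghe_audit_log_monitoring errors found in splunkd.log.

Added example; not part of the add-on. It parses splunkd ExecProcessor lines
(the shape returned by the troubleshooting search) and maps each failure
reported by ghe_audit_log_monitoring.py to the configuration field worth
checking first. The sample lines are constructed for this example, modelled
on messages from the issue tracker; enterprise and host names are placeholders.
"""
import re
from typing import Optional

SCRIPT = "ghe_audit_log_monitoring.py"

# Splunk's ExecProcessor wraps the script's stderr: timestamp, level, optional
# thread tag, then the script command and the message it emitted.
_LINE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>[A-Z]+) ExecProcessor(?: \[[^\]]*\])? - message from '
    r'"(?P<cmd>[^"]*)" (?P<msg>.*)$'
)
_STATUS = re.compile(r"status_code: (?P<code>\d{3}) - url: (?P<url>\S+)")


def triage(line: str) -> Optional[dict]:
    """Return a triage record for one line, or None if it is not this module's."""
    m = _LINE.match(line)
    if not m or SCRIPT not in m.group("cmd"):
        return None
    msg = m.group("msg")
    rec = {"ts": m.group("ts"), "level": m.group("level"), "status": None, "check": ""}
    s = _STATUS.search(msg)
    if s:
        code = int(s.group("code"))
        rec["status"] = code
        if code in (401, 403):
            # GitHub answers 403 both for a token lacking admin:enterprise and
            # for a rate-limited request, so both are listed.
            rec["check"] = ("personal access token validity and admin:enterprise scope, "
                            "or the hourly API rate limit")
        elif code == 404:
            # /enterprises/<name>/audit-log lives on api.github.com; a 404 usually
            # means the Hostname (e.g. a GHES host or a path) or Enterprise field is wrong.
            rec["check"] = ("hostname and enterprise fields; expected "
                            "https://api.github.com/enterprises/<enterprise>/audit-log")
        else:
            rec["check"] = f"unexpected HTTP {code}; enable Debug Mode and re-run"
    elif "ConnectionError" in msg or "Connection timed out" in msg:
        rec["check"] = "network egress from the forwarder (firewall or proxy) to the GitHub API host"
    elif "SSLError" in msg:
        rec["check"] = "certificate verification setting and the forwarder's CA trust store"
    else:
        rec["check"] = "unclassified; enable Debug Mode and re-run"
    return rec


def triage_all(lines):
    """Triage every line and keep only those produced by this module."""
    return [r for r in (triage(ln) for ln in lines) if r is not None]


CMD = ('/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/'
       'github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py')
_QS = 'phrase=&include=all&after=&before=&order=asc&per_page=100'

# Constructed sample lines (placeholder enterprise and host names).
SAMPLE_LOG = [
    f'03-25-2022 04:10:07.349 +0000 ERROR ExecProcessor [6894 ExecProcessorSchedulerThread] '
    f'- message from "{CMD}" requests.exceptions.ConnectionError: HTTPSConnectionPool('
    f"host='api.github.com', port=443): Max retries exceeded with url: "
    f'/enterprises/example-enterprise/audit-log?{_QS} (Caused by NewConnectionError('
    f"'<urllib3.connection.HTTPSConnection object at 0x7f0000000000>: "
    f"Failed to establish a new connection: [Errno 110] Connection timed out'))",
    f'03-14-2022 20:58:00.323 +0000 ERROR ExecProcessor [19747 ExecProcessor] - message from '
    f'"{CMD}" RuntimeError: Could not fetch audit log data. Please check your configuration, '
    f'access token scope / correctness and API rate limits. status_code: 403 - url: '
    f'https://api.github.com/enterprises/example-enterprise/audit-log?{_QS} - Response: '
    f'{{"message":"Must have admin rights to Repository."}}',
    f'05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "{CMD}" RuntimeError: '
    f'Could not fetch audit log data. Please check your configuration, access token scope / '
    f'correctness and API rate limits. status_code: 404 - url: '
    f'https://ghes.example.internal/api/graphql/enterprises/example-enterprise/audit-log?{_QS} '
    f'- Response: {{"message":"Not Found"}}',
    '05-11-2022 20:59:00.170 +0000 INFO ExecProcessor - message from '
    '"/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/other_app/bin/other.py" unrelated output',
]

if __name__ == "__main__":
    for rec in triage_all(SAMPLE_LOG):
        print(rec["ts"], rec["status"], "->", rec["check"])
```

The 404 rule reflects what the hostname guidance above says: the path is built as https://<hostname>/enterprises/<enterprise>/audit-log, so a hostname carrying a protocol, a path, or a GHES host produces a Not Found rather than an authentication error.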

Test the modular input for syntax problems

Run this test if you don't see anything in the logs (which is a highly unlikely scenario). This will display any syntax errors if there are any.

sudo $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/bin/ghe_audit_log_monitoring.py

Where are state files stored?

State files for enterprises are stored in this directory:

$SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/state/

Comments
  • Support Request: Receiving 404 Error on Hostname

    Hello,

    We're working on using the GitHub Audit Log Monitoring Add-On to pull logs from GitHub Enterprise into Splunk, but we're receiving 404 errors for our URL. We'd like some clarification on formatting the hostname and enterprise fields. The documentation states to remove leading protocols (http://, etc.), but the app interface and the screenshot provided explicitly use the leading protocol. Can we confirm which formatting to use?

    Additionally, is there a way to find out which hostname/URL to use? Will this always be api.github.com (which is the URL we use since it's hosted)? Or is there some URL on GitHub Enterprise that our admins can find?

    Any input would be greatly appreciated. Thank you.

    opened by alecvogelsang-deltek 8
  • Support for proxy?

    Hi,

    We want to use this app on our on-premise HF to pull the audit logs from our github.com enterprise and orgs. Our HF is behind a corporate proxy, but we cannot seem to find any option to provide the proxy setup for this modular input app?

    Could you tell me if this is supported, and if not, if it is part of your roadmap to support this in the near future?

    Thanks!

    enhancement 
    opened by twuytens 7
  • Get security data in splunk

    GHAS - Dependabots, secret scanning, and code scanning data needed in splunk. Splunk team mentioned that they are using webhooks to get the data. How do we configure to get those details?

    opened by BrittanyCrowell-E16398 7
  • Github add-on Error with Data Inputs

    Hello Team!

    I have configured the github-audit-log-monitoring-add-on-for-splunk and am continuously getting the errors below; can someone please help me here?

    03-25-2022 04:10:07.349 +0000 ERROR ExecProcessor [6894 ExecProcessorSchedulerThread] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.github.com', port=443): Max retries exceeded with url: /enterprises/XXX/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb26fa058d0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

    opened by bitfluencer 2
  • Enhancement request: Adding the name of the inputs (stanza name) into logs

    It would be easier to trace / troubleshoot if the stanza name or the input name is showing up in the logs. We were troubleshooting 2 failed inputs, and it was a bit difficult to know which log event is associated with which input.

    opened by jenipherc 2
  • Splunk git hub audit logs error

    We have installed following two apps in our splunk environment to get data into our splunk enterprise environment

    1. GitHub App for Splunk [https://splunkbase.splunk.com/app/5596/]
    2. GitHub Audit Log Monitoring Add-On for Splunk[https://splunkbase.splunk.com/app/5595/]

    We have configured both webhook and access token based ingestion to get logs into splunk, but we are getting the following errors and are not able to see the data in the dashboard:

    05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.dowjones.net/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/3.3/graphql"} host = ip-10-146-86-30.win.dowjones.net log_level = ERROR source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd

    5/11/22 8:59:00.164 PM 05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" response.status_code, response.url, response.text

    My new index name is "github"

    It seems nothing is working from Audit logs.

    Any troubleshooting steps would be helpful

    opened by indreshgithub1 1
  • Error running in Splunk Cloud on IDM server

    Here is the error message: 03-14-2022 20:58:00.323 +0000 ERROR ExecProcessor [19747 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 403 - url: https://api.github.com/enterprises/myriadgenetics/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Must have admin rights to Repository.","documentation_url":"https://docs.github.com/rest/reference/enterprise-admin#get-the-audit-log-for-an-enterprise"}

    It has admin:enterprise permission. We have not hit our rate either. What else can I look for or at?

    Thanks

    opened by larrys 1
  • Only available in GHE Cloud

    The documentation says:

    Prerequisites

    • Splunk Heavy Forwarder v8.0+
    • Python 3.7+
    • GitHub Enterprise Cloud

    I'm wondering whether or not GHE Cloud is needed, or if you can use GHE on-prem as well for this application - it's not clear from the docs whether this is supported, or if GHE on-prem customers need to upgrade to a certain version before using, etc...

    opened by arcsector 1
  • Enhancement Request: Allow configuring an index that doesn't reside on the Splunk Enterprise where this add-on resides

    We place this add-on onto a heavy forwarder for data collection, and then send data to an indexer cluster where the indexes reside. Therefore, when we configure the data input in the UI, the index we want to send data to doesn't exist and is not available to select in the drop-down menu. Even if we modify inputs.conf manually and change the index name, the data will not be forwarded.

    We ended up creating an index locally where the Add-on is installed, and because outputs.conf is set to forward (and not to index locally), this allows the Add-on to send data to the index residing in our indexer cluster.

    opened by jenipherc 1
  • License?

    What is the license of this repo? I see under /lib/ some files are Splunk copyright under Apache license. I'm mostly curious about the Github eventlog client and classes, if that helps.

    Thank you.

    opened by evilensky 1
  • Modular input not listed in Splunk after installing

    I've installed this add-on from Splunkbase on 9.0.1 and 9.0.0 environments, and in both cases the "GitHub Enterprise Audit Log Monitoring" modular input, as shown in the screenshot in the readme of this repo, is appearing post installation. Am I missing a step?

    opened by vector-sec 0
Releases(v1.1.1)
  • v1.1.1(Nov 29, 2021)

  • v1.1.0(Oct 15, 2021)

    What's Changed

    • Update prerequisites by @josepalafox in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/1
    • Add gitignore and update FAQ by @Link- in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/2
    • README: Update instructions with correct PAT name by @beardofedu in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/6

    New Contributors

    • @josepalafox made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/1
    • @Link- made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/2
    • @beardofedu made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/6

    Full Changelog: https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/compare/v1.0.0...v1.1.0

Owner
Splunk GitHub