Splunk Modular input Plugin to Fetch The Enterprise Audit Log From GitHub Enterprise

GitHub Enterprise Audit Log Monitoring

Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise

Support for modular inputs in Splunk Enterprise 5.0 and later enables you to add new types of inputs to Splunk Enterprise that are treated as native Splunk Enterprise inputs.

This modular input makes an HTTPS request to the GitHub Enterprise Audit Log REST API endpoint at a configurable interval to fetch audit log data.

Prerequisites

  • Splunk Heavy Forwarder v8.0+
  • Python 3.7+
  • GitHub Enterprise Cloud

Installation

  1. Download the latest release from Splunkbase.
  2. On a Splunk heavy forwarder, go to Apps > Manage Apps.
  3. On the Apps page, click Install app from file, and upload the SPL file you downloaded from Splunkbase. If a copy of the app is already installed, check the Upgrade app checkbox.
  4. Generate a Personal Access Token in GitHub Enterprise with the site_admin scope.

Configuration

Personal Access Token Scope

The personal access token needs the following scopes for the module to fetch audit log entries successfully:

  • [x] admin:enterprise Full control of enterprises
  • [x] manage_billing:enterprise Read and write enterprise billing data
  • [x] read:enterprise Read enterprise profile data
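The polling described above (an HTTPS request to the enterprise audit log endpoint at each interval, authenticated with the personal access token) has one detail a practitioner cares about: a fixed interval must neither re-index events already sent to Splunk nor skip events that share a timestamp with the last checkpoint. The following Python is an added example, not code from this app; it assumes the public GitHub REST endpoint `GET /enterprises/{enterprise}/audit-log` with its `phrase`, `include`, `order` and `per_page` parameters, and uses a constructed sample batch instead of a live API call.

```python
import re
from urllib.parse import urlencode

API_BASE = "https://api.github.com"  # assumption: GitHub Enterprise Cloud API host

def build_audit_log_request(enterprise, token, since, per_page=100):
    """Return (url, headers) for one poll. `since` is a value the audit log
    search phrase accepts (e.g. YYYY-MM-DD); created:>= keeps each interval's
    fetch bounded to events at or after the last checkpoint."""
    params = {
        "phrase": f"created:>={since}",
        "include": "all",   # web, git and all event categories
        "order": "asc",     # oldest first so the checkpoint moves forward
        "per_page": min(per_page, 100),  # API maximum is 100 per page
    }
    url = f"{API_BASE}/enterprises/{enterprise}/audit-log?{urlencode(params)}"
    headers = {
        "Authorization": f"Bearer {token}",  # the PAT with the scopes listed above
        "Accept": "application/vnd.github+json",
    }
    return url, headers

def next_page_url(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else None

def advance_checkpoint(events, checkpoint):
    """Drop events already indexed and return (new_events, new_checkpoint).
    checkpoint = {"ts": epoch_ms, "ids": set of _document_id seen at that ts}.
    Events at the same millisecond as the checkpoint are legitimately
    re-fetched by created:>=, so dedup on _document_id rather than by time."""
    ts, ids, new = checkpoint["ts"], set(checkpoint["ids"]), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["@timestamp"] < ts or ev["_document_id"] in ids:
            continue
        if ev["@timestamp"] > ts:
            ts, ids = ev["@timestamp"], set()  # newer millisecond: reset the id set
        ids.add(ev["_document_id"])
        new.append(ev)
    return new, {"ts": ts, "ids": ids}

SAMPLE_EVENTS = [  # constructed sample batch, not real API output
    {"@timestamp": 1700000000000, "_document_id": "A1", "action": "org.add_member"},
    {"@timestamp": 1700000000000, "_document_id": "A2", "action": "repo.create"},
    {"@timestamp": 1700000005000, "_document_id": "B1", "action": "team.add_member"},
]
```

With a checkpoint of `{"ts": 1700000000000, "ids": {"A1"}}`, the sample batch yields only `A2` and `B1` as new events and moves the checkpoint to the later millisecond.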
