Splunk Add-On to collect audit log events from Github Enterprise Cloud

Related tags

Logginggithub-audit-log-monitoring-add-on-for-splunk
Overview

GitHub Enterprise Audit Log Monitoring

Splunk modular input plugin to fetch the enterprise audit log from GitHub Enterprise

Support for modular inputs in Splunk Enterprise 5.0 and later enables you to add new types of inputs to Splunk Enterprise that are treated as native Splunk Enterprise inputs.

This modular input makes an HTTPS request to the GitHub Enterprise's Audit Log REST API endpoint at a definable interval to fetch audit log data.

Splunk modular input demo

Prerequisites

  • Splunk Heavy Forwarder v8.0+
  • Python 3.7+
  • GitHub Enterprise Cloud

Installation

  1. Download the latest release from Splunkbase.

  2. On a Splunk heavy forwarder, go to Apps > Manage Apps.

  3. On the Apps page, click Install app from file, and upload the SPL file you downloaded from Splunkbase. If an existing copy of the app already exists, check the Upgrade app checkbox.

  4. Generate a Personal Access Token in GitHub Enterprise with the site_admin scope.

Configuration

Personal Access Token Scope

These are the required scopes for the personal access token allowing the module to fetch the audit log entries successfully:

  • admin:enterprise Full control of enterprises
    • manage_billing:enterprise Read and write enterprise billing data
    • read:enterprise Read enterprise profile data

Input Fields

Modular input configuration view

  • name

    • This is name of your instance. You can have multiple modular inputs running simultaneously. However, this isn't recommended for this module.
    • Accepts: alpha-numeric, white spaces, and symbol characters
    • Example: GHE-enterprise-name

  • Hostname

    • This is the hostname of your GitHub Enterprise instance. Make sure there are no leading protocols (e.g. http:///https://) or trailing slashes (/) in the URL provided. This could either be a FQDN or an IP address. Don't append paths beyond the TLD.
    • Example: api.github.com

  • Enterprise

    • The enterprise name for which to fetch audit log events.

  • Personal Access Token

    • This is your personal access token that you generate for your account or a service account in GitHub Enterprise. This module requires that you create the personal access token with the site_admin scope. This is a very sensitive token so make sure to keep it secure at all times!
    • Security: The personal access token is encrypted and stored in Splunk's password storage. After you configure it the first time it will be replaced in Splunk's UI with a unique identifier. This identifier will be used by the module to fetch the personal access token before making the API request to GitHub Enterprise.
    • Accepts: a 40-character token
    • Example: d0e117b6ad471der3rjdowcc401a95d09202119f

  • Event Types

    • The audit log contains multiple event types. This field allows you to specify which events to include:
      • web: returns web (non-Git) events
      • git: returns Git events
      • allL returns both web and Git events
    • Go to the Splunk docs for more details.

  • Maximum Entries Per Run

    • The maximum number of events / entries to fetch each time the script runs. To understand how to calculate the maximum number of entries and interval to best fit your organization, go to the Tweaking throughput section.

  • Verify Self-Signed Certificates

    • This is a parameter passed to the get() method in the Requests library. If the checkbox is cheked then the SSL certificate will be verified like a browser does and requests will throw a SSLError if it’s unable to verify the certificate. Uncheck this box if you are using self-signed certificates.

  • Debug Mode

    • The personal access token will be leaked in the splunkd logs. DO NOT ENABLE unless you are ready to update your personal access token.
    • If you are experiencing issues and the module isn't operating as intended, you can enable this mode to see the module's debugging information in the splunkd logs.

  • Interval

    • Takes a cron expression as defined in the Splunk docs.
    • Example: 30 * * * *
      • At minute 30 of every hour. For example, if you set this CRON job at 11:02, your job will begin running at 11:30, 12:30, 1:30, etc...
    • Example: */5 * * * *
      • Every 5 minutes
    • Example: 300
      • Every 300 seconds or 5 minutes

Tweaking throughput

This modular input fetches events by calling the Enterprise Audit Log API. This API returns a maximum of 100 events / entries per page. The pagination algorithm can fetch events up to the maximum entries per run you defined. It's important to tweak the maximum entries per run and interval parameters to have the ability to fetch your data in a timely manner and stay as close to real time as possible.

Example:

Enterprise Events per minute Maximum entries per run Interval API calls used Guidance
Evil-Corp 1000 1000 /1 ** * 600 per hour The modular input should be able to handle this with ease.
Poizen-Inc 5000 5000 /1 ** * 3000 per hour We are approaching API rate limit per hour. Depending on latency, 5000 entries = 50 API calls per minute. One minute might not be sufficient to fetch all this data.
Monsters-Inc 10000 2000 /1 ** * 1200 per hour You will be fetching events with a slight delay.

Use cases

Github App for Splunk

Along with this modular input we're providing a Github App for Splunk that makes use of the collected audit log events to give you an overview of the activities across your enterprise.

You can install it via the Manage Apps page.

Make sure to replace the [STANZA_NAME] placeholder with the name of your modular input instance (the first field in the input parameters configured in the previous section).

Sample activity dashboard screenshot

FAQs

How is my Personal Access Token secured?

On the first run the modular input will identify that your personal access token (PAT) isn't encrypted. It will encrypt your PAT and store it in Splunk's credentials manager. It will replace the plain text PAT with an md5 hash of an identifying key.

Your personal access token is only visible in plain text from the time you configure the modular input instance until the first run.

Does the interval field access only cron syntax?

No, you can enter the number of seconds instead.

I enabled debug mode, what now?

If you've enabled debug mode be ready to change your personal access token because it will most likely be leaked into the Splunk logs in plain text.

Why can't I use a GitHub app instead of a personal access token?

GitHub apps can't be installed on the enterprise level. The REST API requires enterprise admin privileges which are out of scope for GitHub apps.

Can I use this with GitHub Enterprise Server?

This tool has been designed to consume the Enterprise Audit Log API which is not available for GitHub Enterprise Server because the audit log on the latter can be forwarded via log forwarding directly to Splunk without the need to poll for data.

Support

Support for Github Audit Log Monitoring Add-On for Splunk is run through Github Issues. Open a new issue for any support issues or for feature requests. You may also open a pull request if you'd like to contribute additional dashboards, eventtypes for webhooks, or enhancements.

Troubleshooting

Read logs in Splunk

You can use this search query to fetch all the logs belonging to this module when Debug Mode is enabled.

index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ghe_audit_log_monitoring

Test the modular input for syntax problems

Run this test if you don't see anything in the logs (which is a highly unlikely scenario). This will display any syntax errors if there are any.

sudo $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/bin/ghe_audit_log_monitoring.py

Where are state files stored?

State files for enterprises are stored in this directory:

$SPLUNK_HOME/etc/apps/ghe_audit_log_monitoring/state/
Comments
  • Support Request: Receiving 404 Error on Hostname

    Support Request: Receiving 404 Error on Hostname

    Hello,

    We're working on using the GitHub Audit Log Monitoring Add-On to pull logs from GitHub Enterprise into Splunk, but we're receiving 404 errors for our URL. We'd like some clarification on formatting the hostname and enterprise fields. The documentation states to remove leading protocols (http://, etc.), but the and app interface and screenshot provided are explicitly using the leading protocol. Can we confirm which formatting to use?

    Additionally, is there a way to find out which hostname/URL to use? Will this always be api.github.com (which is the URL we use since it's hosted)? Or is there some URL on GitHub Enterprise that our admins can find?

    Any input would be greatly appreciated. Thank you.

    opened by alecvogelsang-deltek 8
  • Support for proxy?

    Support for proxy?

    Hi,

    We want to use this app on our on-premise HF to pull the audit logs from our github.com enterprise and orgs. Our HF is behind a corporate proxy, but we cannot seem to find any option to provide the proxy setup for this modular input app?

    Could you tell me if this is supported, and if not, if it is part of your roadmap to support this in the near future?

    Thanks!

    enhancement 
    opened by twuytens 7
  • Get security data in splunk

    Get security data in splunk

    GHAS - Dependabots, secret scanning, and code scanning data needed in splunk. Splunk team mentioned that they are using webhooks to get the data. How do we configure to get those details?

    opened by BrittanyCrowell-E16398 7
  • Github add-on Error with Data Inputs

    Github add-on Error with Data Inputs

    Hello Team!

    I have configured the github-audit-log-monitoring-add-on-for-splunk with and continuously getting below errors, can someone please help me here?

    03-25-2022 04:10:07.349 +0000 ERROR ExecProcessor [6894 ExecProcessorSchedulerThread] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.github.com', port=443): Max retries exceeded with url: /enterprises/XXX/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb26fa058d0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

    opened by bitfluencer 2
  • Enhancement request: Adding the name of the inputs (stanza name) into logs

    Enhancement request: Adding the name of the inputs (stanza name) into logs

    It would be easier to trace / troubleshoot if the stanza name or the input name is showing up in the logs. We were troubleshooting 2 failed inputs, and it was a bit difficult to know which log event is associated with which input.

    opened by jenipherc 2
  • Splunk git hub audit logs error

    Splunk git hub audit logs error

    We have installed following two apps in our splunk environment to get data into our splunk enterprise environment

    1. GitHub App for Splunk [https://splunkbase.splunk.com/app/5596/]
    2. GitHub Audit Log Monitoring Add-On for Splunk[https://splunkbase.splunk.com/app/5595/]

    We have configured both webhook and access token based ingestion setup to get logs into splunk but we are getting following errors and not able to see the data in dashboard

    05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.dowjones.net/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/3.3/graphql"} host = ip-10-146-86-30.win.dowjones.netlog_level = ERRORsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd

    5/11/22 8:59:00.164 PM 05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" response.status_code, response.url, response.text

    image

    image

    image

    image

    image

    My new index name is "github"

    image

    It seems nothing is working from Audit logs.

    Any troubleshooting steps would be helpful

    opened by indreshgithub1 1
  • Error running in Splunk Cloud on IDM server

    Error running in Splunk Cloud on IDM server

    Here is the error message: 03-14-2022 20:58:00.323 +0000 ERROR ExecProcessor [19747 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 403 - url: https://api.github.com/enterprises/myriadgenetics/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Must have admin rights to Repository.","documentation_url":"https://docs.github.com/rest/reference/enterprise-admin#get-the-audit-log-for-an-enterprise"}

    It has admin:enterprise permission. We have not hit our rate either. What else can I look for or at?

    Thanks

    opened by larrys 1
  • Only available in GHE Cloud

    Only available in GHE Cloud

    The documentation says:

    Prerequisites

    • Splunk Heavy Forwarder v8.0+
    • Python 3.7+
    • GitHub Enterprise Cloud

    I'm wondering whether or not GHE Cloud is needed, or if you can use GHE on-prem as well for this application - it's not clear from the docs whether this is supported, or if GHE on-prem customers need to upgrade to a certain version before using, etc...

    opened by arcsector 1
  • Enhancement Request: Allow configuring an index that doesn't reside on the Splunk Enterprise where this add-on resides

    Enhancement Request: Allow configuring an index that doesn't reside on the Splunk Enterprise where this add-on resides

    We place this add-on onto a heavy forwarder for data collection, and then send data to indexer cluster where indexes reside. Therefore, when we configure the data input in UI, the index we want to send data to doesn't exist, and not available to select in the drop down menu. Even if we modify the inputs.conf manually and change the index name, the data will be not forwarded.

    We ended up creating an index locally where the Add-on is installed, and because of the outputs.conf is set to forward (and not indexed locally), this allows the Add-on to send data to the index reside in our indexer cluster.

    opened by jenipherc 1
  • License?

    License?

    What is the license of this repo? I see under /lib/ some files are Splunk copyright under Apache license. I'm mostly curious about the Github eventlog client and classes, if that helps.

    Thank you.

    opened by evilensky 1
  • Modular input not listed in Splunk after installing

    Modular input not listed in Splunk after installing

    I've installed this add-on from Splunkbase on a 9.0.1 and 9.0.0 environments and in both cases the "GitHub Enterprise Audit Log Monitoring" modular input, as shown in the screenshot in the readme of this repo, is appearing post installation. Am I missing a step?

    opened by vector-sec 0
Releases(v1.1.1)

  • v1.1.1(Nov 29, 2021)

  • v1.1.0(Oct 15, 2021)

    What's Changed

    • Update prerequisites by @josepalafox in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/1
    • Add gitignore and update FAQ by @Link- in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/2
    • README: Update instructions with correct PAT name by @beardofedu in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/6

    New Contributors

    • @josepalafox made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/1
    • @Link- made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/2
    • @beardofedu made their first contribution in https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/pull/6

    Full Changelog: https://github.com/splunk/github-audit-log-monitoring-add-on-for-splunk/compare/v1.0.0...v1.1.0

    Source code(tar.gz)
    Source code(zip)

  • v1.0.0(Jun 15, 2021)

Owner
Splunk GitHub
Splunk GitHub
GitHub Repository
A Python package which supports global logfmt formatted logging.

Python Logfmter A Python package which supports global logfmt formatted logging. Install $ pip install logfmter Usage Before integrating this library,

Joshua Taylor Eppinette 15 Dec 29, 2022
A cool logging replacement for Python.

Welcome to Logbook Travis AppVeyor Supported Versions Latest Version Test Coverage Logbook is a nice logging replacement. It should be easy to setup,

1.4k Nov 11, 2022
Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!

LDAP Monitor Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration! With this tool you can quickly

Podalirius 500 Dec 28, 2022
This open-source python3 script is a builder to the very popular token logger that is on my github that many people use.

Discord-Logger-Builder This open-source python3 script is a builder to the very popular token logger that is on my github that many people use. This i

Local 4 Nov 17, 2021
Token Logger with python

Oxy Token Stealer Features Grabs discord tokens Grabs chrome passwords Grabs edge passwords Nothing else, I don't feel like releasing full on malware

oxy 1 Feb 12, 2022
Python logging made (stupidly) simple

Loguru is a library which aims to bring enjoyable logging in Python. Did you ever feel lazy about configuring a logger and used print() instead?... I

13.7k Jan 02, 2023
Prettify Python exception output to make it legible.

pretty-errors Prettifies Python exception output to make it legible. Install it with python -m pip install pretty_errors If you want pretty_errors to

Iain King 2.6k Jan 04, 2023
Docker container log aggregation with Elasticsearch, Kibana & Filebeat

Epilog Dead simple container log aggregation with ELK stack Preface Epilog aims to demonstrate a language-agnostic, non-invasive, and straightfo

Redowan Delowar 23 Oct 26, 2022
A python logging library

logi v1.3.4 instolation the lib works on python 3x versions pip install logi examples import import logi log = logger(path='C:/file path', timestamp=T

2 Jul 06, 2022
Greppin' Logs: Leveling Up Log Analysis

This repo contains sample code and example datasets from Jon Stewart and Noah Rubin's presentation at the 2021 SANS DFIR Summit titled Greppin' Logs. The talk was centered around the idea that Forens

Stroz Friedberg 20 Sep 14, 2022
Rich is a Python library for rich text and beautiful formatting in the terminal.

Rich 中文 readme • lengua española readme • Läs på svenska Rich is a Python library for rich text and beautiful formatting in the terminal. The Rich API

Will McGugan 41.5k Jan 07, 2023
Discord-Image-Logger - Discord Image Logger With Python

Discord-Image-Logger A exploit I found in discord. Working as of now. Explanatio

111 Dec 31, 2022
A colored formatter for the python logging module

Log formatting with colors! colorlog.ColoredFormatter is a formatter for use with Python's logging module that outputs records using terminal colors.

Sam Clements 778 Dec 26, 2022
Beautifully colored, quick and simple Python logging

Python Quick Logging | QLogging Beautifully colored, quick and simple Python logging. This logger is based on Python logging package Screenshots: Term

45 Sep 25, 2022
Small toolkit for python multiprocessing logging to file

Small Toolkit for Python Multiprocessing Logging This is a small toolkit for solving unsafe python mutliprocess logging (file logging and rotation) In

Qishuai 1 Nov 10, 2021
Outlog it's a library to make logging a simple task

outlog Outlog it's a library to make logging a simple task!. I'm a lazy python user, the times that i do logging on my apps it's hard to do, a lot of

ZSendokame 2 Mar 05, 2022
A new kind of Progress Bar, with real time throughput, eta and very cool animations!

alive-progress :) A new kind of Progress Bar, with real-time throughput, eta and very cool animations! Ever found yourself in a remote ssh session, do

Rogério Sampaio de Almeida 4k Dec 30, 2022
Robust and effective logging for Python 2 and 3.

Robust and effective logging for Python 2 and 3.

Chris Hager 1k Jan 04, 2023
Monitoring plugin to check disk io with Icinga, Nagios and other compatible monitoring solutions

check_disk_io - Monitor disk io This is a monitoring plugin for Icinga, Nagios and other compatible monitoring solutions to check the disk io. It uses

DinoTools 3 Nov 15, 2022
This is a key logger based in python which when executed records all the keystrokes of the system it has been executed on .

This is a key logger based in python which when executed records all the keystrokes of the system it has been executed on

Purbayan Majumder 0 Mar 28, 2022