
How to pair Github app for Splunk with Github Audit log monitoring app?

Maaz
Engager

Hello, I am new to Splunk and my first task is to pair the "GitHub App for Splunk" with the "GitHub Audit Log Monitoring app" to get visualizations for the logs. Can anyone help me or guide me on what should be done once the GitHub App for Splunk is installed?

The "GitHub Audit Log Monitoring Add-on for Splunk" is capturing the logs, but I need some guidance on how the GitHub App for Splunk can be paired with it for visualization.

Thanks in advance, 


indreshdowjones
Explorer

@vinod743374 

Have you installed the following App?

https://splunkbase.splunk.com/app/5595/#/details


vinod743374
Communicator

@indreshdowjones Thanks for the response.


I just installed the app that you mentioned in the previous message.
I configured it as in the image below, but I didn't get anything in my index. Any solution or idea that would help us?


vinod743374
Communicator

Hello,
can you help us with how you added the GitHub audit log?

We installed the app, but we did not find the option in the Data Inputs tab to add the logs.


Murali
Explorer

Hi Vinod,

Is this fixed from your end?


derkkila-splunk
Splunk Employee

Hi @Maaz, the dashboards for the GitHub App for Splunk use a macro to make it easy to use, so once the data is being indexed by the Add-on, you should update the macro in the App to point to the index the data is being stored in.


indreshdowjones
Explorer

@derkkila-splunk @Maaz 

My GitHub index name is "github" and the HEC source name is source="http:github_token".

Do I need to add or update the source as well as the index? Which method is correct?

Method 1

  • github_source
    (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit)
  • github_webhooks
    index=github

Method 2

  • github_source
    (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit) OR (index="github" source=source="http:github_token")
  • github_webhooks
    index=github source=source="http:github_token")

derkkila-splunk
Splunk Employee

@indreshdowjones 

For the audit-related dashboards, the only macro that needs to be modified is the `github_source` macro. For you, I'd probably update it to just read as (index="github" source="http:github_token").
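To see what a dashboard panel actually searches once the macro is updated, here is an added Python example (not part of this thread and not code from the GitHub App for Splunk) that loads a constructed macros.conf carrying the Method 1 definitions and expands the backtick macro reference the way Splunk does for zero-argument macros. The conf text and the dashboard search string are constructed for illustration.

```python
import configparser
import re

# Constructed local/macros.conf content mirroring "Method 1" from the thread.
# Splunk macros.conf is INI-style: the stanza name is the macro name and
# "definition" holds the SPL fragment that replaces the backtick reference.
MACROS_CONF = """
[github_source]
definition = (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit)

[github_webhooks]
definition = index=github
"""

# Constructed dashboard base search: the panel references the macro in
# backticks and lets the macro supply the index/source filter.
DASHBOARD_SEARCH = '`github_source` action=repo.create | stats count by actor'

# Matches a zero-argument macro reference such as `github_source`.
MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)`")


def load_macros(conf_text: str) -> dict:
    """Parse macros.conf-style text into {macro_name: definition}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(conf_text)
    return {name: parser[name]["definition"].strip()
            for name in parser.sections() if "definition" in parser[name]}


def undefined_refs(search: str, macros: dict) -> list:
    """Macro names the search references that macros.conf does not define."""
    return sorted({n for n in MACRO_REF.findall(search) if n not in macros})


def expand(search: str, macros: dict, max_depth: int = 10) -> str:
    """Replace every `macro` reference with its definition, nested macros included."""
    for _ in range(max_depth):
        missing = undefined_refs(search, macros)
        if missing:
            raise KeyError(f"undefined macro(s) {missing}; the dashboard would show an error")
        expanded = MACRO_REF.sub(lambda m: macros[m.group(1)], search)
        if expanded == search:
            return search
        search = expanded
    raise RecursionError("macro expansion did not converge (self-referencing macro?)")


def indexes_searched(expanded_search: str) -> set:
    """Collect the index names an expanded search actually touches."""
    return set(re.findall(r'index="?([A-Za-z0-9_*-]+)"?', expanded_search))
```

If `indexes_searched` does not include the index your Add-on writes to, the macro definition, not the dashboard, is what needs changing.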

indreshdowjones
Explorer

@derkkila-splunk Thanks.


indreshdowjones
Explorer

It's working now with Method 1.

Thanks, it's resolved now.
