All Apps and Add-ons

How to pair Github app for Splunk with Github Audit log monitoring app?

Maaz
Engager

Hello, I am new to the Splunk and my first task is to pair "github app for splunk" with "Github Audit log monitoring app", to get the visualization for the logs. Can anyone help me or guid me what should be done once the Github App for Splunk is installed? 

"Github Audit log Monitoring Add on for Splunk" is capturing the logs but need some guidance on how Github App for Splunk can be paired with it for visualization. 

Thanks in advance, 

Labels (1)
Tags (1)

indreshdowjones
Explorer

@vinod743374 

Have you installed the following App?

https://splunkbase.splunk.com/app/5595/#/details

indreshdowjones_0-1659698418669.png

 

0 Karma

vinod743374
Communicator

@indreshdowjones  Thanks for the response 

MicrosoftTeams-image.png


I just installed the app that u said in the previous message.
I Configured like below image but I didn't get anything in my index, any solution or idea that will help us.


0 Karma

vinod743374
Communicator

Hello,
can you help us with, how you add the git hub audit log,

We installed the app but we did not find the option in data inputs tab to add the logs.



0 Karma

Murali
Explorer

Hi Vinod ,

Is this fixed from your end?

0 Karma

derkkila-splunk
Splunk Employee
Splunk Employee

Hi @Maaz , the dashboards for the GitHub App for Splunk use a macro to make it easy to use, so once the data is being indexed by the Add-On, you should update the Macro in the App to point to the index the data is being stored in. 

0 Karma

indreshdowjones
Explorer

@derkkila-splunk @Maaz 

My Github index name is "github" and HEC source name is source="http:github_token

Do i need to add or update source as well with Index? which method is correct ?

Method 1

  • github_source
    (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit)
  • github_webhooks
    • index=github 

Method 2

  • github_source
    (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit) OR
  • OR (index="github" source=source="http:github_token")
  • github_webhooks
    • index=github source=source="http:github_token")
Tags (1)
0 Karma

derkkila-splunk
Splunk Employee
Splunk Employee

@indreshdowjones 

For the audit related dashboards, the only macro needed to be modified is the `github_source` macro. And for you I'd probably update it to just read as (index="github" source="http:github_token")

indreshdowjones
Explorer

@derkkila-splunk Thanks.

0 Karma

indreshdowjones
Explorer

Its working now with Method -1.

Thanks its resolved now

 

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...