All Apps and Add-ons

How to pair Github app for Splunk with Github Audit log monitoring app?

Maaz
Engager

Hello, I am new to Splunk and my first task is to pair the "GitHub App for Splunk" with the "GitHub Audit Log Monitoring Add-on for Splunk" to get visualizations for the logs. Can anyone help me or guide me on what should be done once the GitHub App for Splunk is installed?

The "GitHub Audit Log Monitoring Add-on for Splunk" is capturing the logs, but I need some guidance on how the GitHub App for Splunk can be paired with it for visualization.

Thanks in advance,


indreshdowjones
Explorer

@vinod743374 

Have you installed the following App?

https://splunkbase.splunk.com/app/5595/#/details


vinod743374
Communicator

@indreshdowjones Thanks for the response.

I just installed the app that you mentioned in the previous message.
I configured it like the image below, but I didn't get anything in my index. Any solution or idea would help us.

vinod743374
Communicator

Hello,
can you help us with how you added the GitHub audit log?

We installed the app, but we did not find the option in the Data Inputs tab to add the logs.

Murali
Explorer

Hi Vinod,

Is this fixed on your end?

derkkila-splunk
Splunk Employee

Hi @Maaz, the dashboards in the GitHub App for Splunk use a macro to make them easy to use, so once the data is being indexed by the Add-on, you should update the macro in the App to point to the index the data is being stored in.

indreshdowjones
Explorer

@derkkila-splunk @Maaz 

My GitHub index name is "github" and the HEC source name is source="http:github_token".

Do I need to add or update the source as well as the index? Which method is correct?

Method 1

  • github_source: `(index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit)`
  • github_webhooks: `index=github`

Method 2

  • github_source: `(index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit) OR (index="github" source=source="http:github_token")`
  • github_webhooks: `index=github source=source="http:github_token")`

derkkila-splunk
Splunk Employee

@indreshdowjones 

For the audit-related dashboards, the only macro that needs to be modified is the `github_source` macro. In your case I'd probably update it to just read `(index="github" source="http:github_token")`.
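
The macro change discussed in this thread, written out as a macros.conf stanza. This is an added example, not part of any post above and not the GitHub App for Splunk's own shipped configuration; the app directory name is a placeholder, and it assumes `github_source` takes no arguments (it is used as a bare search filter in the dashboards, as the posts describe).

```ini
# Added example (not from the thread or the app itself).
# Place this in the app's local/ directory so it overrides default/ and
# survives app upgrades:
#   $SPLUNK_HOME/etc/apps/<github_app_dir>/local/macros.conf   <- directory name is a placeholder
#
# The definition is the search filter the dashboards expand in place of `github_source`.
# The index and source below are the values from this thread; substitute your own.

[github_source]
definition = (index="github" source="http:github_token")
iseval = 0

# Only needed if you also use the webhook dashboards; otherwise leave the default.
[github_webhooks]
definition = index=github
iseval = 0
```

After saving the file (and reloading the app or restarting the search head), confirm the macro resolves to real events with a search such as `` `github_source` | stats count by index, source `` over the last 24 hours. A zero-event result usually means the add-on is writing to a different index or source than the macro names, so compare the `index` and `source` fields of the add-on's raw events against the stanza before editing any dashboards.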

indreshdowjones
Explorer

@derkkila-splunk Thanks.


indreshdowjones
Explorer

It's working now with Method 1.

Thanks, it's resolved now.