
How to pair Github app for Splunk with Github Audit log monitoring app?

Maaz
Engager

Hello, I am new to Splunk and my first task is to pair the "GitHub App for Splunk" with the "GitHub Audit Log Monitoring Add-on for Splunk" to get visualizations for the logs. Can anyone help me or guide me on what should be done once the GitHub App for Splunk is installed?

The "GitHub Audit Log Monitoring Add-on for Splunk" is capturing the logs, but I need some guidance on how the GitHub App for Splunk can be paired with it for visualization.

Thanks in advance,


indreshdowjones
Explorer

@vinod743374 

Have you installed the following App?

https://splunkbase.splunk.com/app/5595/#/details


vinod743374
Communicator

@indreshdowjones Thanks for the response.

I just installed the app that you mentioned in the previous message.
I configured it like the image below, but I didn't get anything in my index. Any solution or idea that will help us?

vinod743374
Communicator

Hello,
can you help us with how you added the GitHub audit log?

We installed the app, but we did not find the option in the data inputs tab to add the logs.

Murali
Explorer

Hi Vinod,

Is this fixed from your end?

derkkila-splunk
Splunk Employee

Hi @Maaz, the dashboards for the GitHub App for Splunk use a macro to make them easy to use, so once the data is being indexed by the Add-on, you should update the macro in the App to point to the index the data is being stored in.

indreshdowjones
Explorer

@derkkila-splunk @Maaz 

My GitHub index name is "github" and the HEC source name is source="http:github_token".

Do I need to add or update the source as well as the index? Which method is correct?

Method 1

  • github_source
    (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit)
  • github_webhooks
    index=github

Method 2

  • github_source
    (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit) OR (index="github" source="http:github_token")
  • github_webhooks
    index=github source="http:github_token"

derkkila-splunk
Splunk Employee

@indreshdowjones 

For the audit-related dashboards, the only macro that needs to be modified is the `github_source` macro. In your case I'd probably update it to just read as (index="github" source="http:github_token")
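The thread boils down to getting the `github_source` macro definition right, and the two "methods" above show how easy it is to ship a typo (a duplicated `source=source=`, a dangling `OR`, an unmatched parenthesis) that silently empties every dashboard. The script below is an added example, not part of this thread and not code from the GitHub App for Splunk or Splunk itself. It assumes the macro lives in a `macros.conf` stanza under the standard `definition` key (which is how Splunk search macros are stored), reads a constructed sample of that file with the Method 2 typos embedded inline, reports the defects, and returns a cleaned-up definition you can paste back into the app's local `macros.conf`.

```python
"""Lint the github_source / github_webhooks macro definitions before a restart."""
import configparser
import re

# Constructed sample macros.conf reproducing the "Method 2" definitions from
# the thread, typos included (source=source= and a stray closing parenthesis).
SAMPLE_MACROS_CONF = """\
[github_source]
definition = (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit) OR (index="github" source=source="http:github_token")

[github_webhooks]
definition = index=github source=source="http:github_token")
"""

# The definition the Splunk employee recommended in the thread, for comparison.
RECOMMENDED_GITHUB_SOURCE = '(index="github" source="http:github_token")'

# field=field= (e.g. source=source=) is a copy/paste artefact, never valid SPL.
DUPLICATE_KEY = re.compile(r"\b(\w+)=\1=")
TRAILING_OPERATOR = re.compile(r"\s+(OR|AND)\s*$")
LEADING_OPERATOR = re.compile(r"^(OR|AND)\b")


def load_macro_definitions(conf_text):
    """Return {macro_name: definition} from macros.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep stanza/key case exactly as written
    parser.read_string(conf_text)
    return {name: parser[name].get("definition", "") for name in parser.sections()}


def check_definition(definition):
    """Return a list of human-readable problems found in one macro definition."""
    problems = []
    if definition.count("(") != definition.count(")"):
        problems.append("unbalanced parentheses")
    if definition.count('"') % 2:
        problems.append("unbalanced double quotes")
    if DUPLICATE_KEY.search(definition):
        problems.append("duplicated field name (e.g. source=source=)")
    stripped = definition.strip()
    if TRAILING_OPERATOR.search(stripped) or LEADING_OPERATOR.match(stripped):
        problems.append("dangling boolean operator")
    return problems


def fix_definition(definition):
    """Repair the mechanical typos; parenthesis problems are only reported."""
    fixed = DUPLICATE_KEY.sub(r"\1=", definition.strip())
    fixed = TRAILING_OPERATOR.sub("", fixed)
    fixed = LEADING_OPERATOR.sub("", fixed).strip()
    return fixed


def render_stanza(name, definition):
    """Produce a macros.conf stanza ready to paste into the app's local/ dir."""
    return f"[{name}]\ndefinition = {definition}\n"


if __name__ == "__main__":
    for name, definition in load_macro_definitions(SAMPLE_MACROS_CONF).items():
        problems = check_definition(definition)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
        if problems:
            print("suggested:\n" + render_stanza(name, fix_definition(definition)))
    print("recommended github_source:", check_definition(RECOMMENDED_GITHUB_SOURCE) or "OK")
```

Run it against `$SPLUNK_HOME/etc/apps/<github app>/local/macros.conf` (read the file instead of the constructed sample) before restarting Splunk; an empty dashboard after a macro change is far more often a malformed search than a missing event.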

indreshdowjones
Explorer

@derkkila-splunk Thanks.


indreshdowjones
Explorer

It's working now with Method 1.

Thanks, it's resolved now.