Hello,
I have installed the GitHub Add-On for Splunk but I am not currently not seeing any data.
I think I have possibly entered the incorrect input fields, but I'm not sure where in GitHub I can find these fields.
Has anyone set this up before and could show me where the input fields are in GitHub?
Thanks,
Sophie
Hello,
@smcdonald20 which Addon and App do you use for GitHub audit logs ?
We trying to get working
https://splunkbase.splunk.com/app/6254
and https://splunkbase.splunk.com/app/5596
but there is no field Hostname.
We do not see any Audit logs.
@derkkila-splunk Should these versions to work with API or it is only streaming logs from GitHub to Splunk is supported?
Thank you in advance.
@Viacheslav The add-on is the data collection mechanism. If you are using GitHub SaaS, it can poll the API for the audit logs OR you can use the Audit Log streaming built into GitHub and use the sourcetype that is included in the Add-on. If you are using GitHub Enterprise Server or their on-prem product, you'll send the syslog data to a Splunk Connect for Syslog endpoint that takes advantage of the sourcetypes in the add-on.
The App is the visualization component and is only there to provide out of the box dashboards and alerts.
I like to refer to the documentation in the GitHub repo for the App for how to set up different configurations based on your specific needs: https://github.com/splunk/github_app_for_splunk/
If that doesn't help, please feel free to message or email me directly.
@derkkila-splunk Yes, we use github.com, but we do not get logs.
We do not use streaming to Splunk.
We would like to get logs via API.
But during setup of addon as input we do not see ability to set Hostname.
Is it expected?
I've tested token to get Audit logs via API and it works for Org and Enterprise levels.
On input we set Org, but nothing is coming on Splunk.
I've spent time on doc of addon and app and sometimes it (doc) looks outdated.
We followed this instruction https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs which looks pretty real to what we had in GUI.
But we do not get any logs.
@derkkila-splunk could you suggest how we can troubleshoot what could be wrong?
Thank you in advance.
@Viacheslav There should be internal logs that can help
index=_internal source="/opt/splunk/var/log/splunk/Splunk_TA_github_utils.log"
I would take the output from that and open a support case with Splunk Support.
@derkkila-splunk
thank you for the answer.
We are going to open Support ticket.
Hello ,
Speaking about the Splunk Add-on for Github, I'm in the midst of getting it installed in my Cloud Environment for the first time.
However , I'm just curious or not sure , how the logs will be sent to the add-on from GitHub. Do we just need the input in place or we need the Splunk Connect for Syslog ( SC4S)?
Can someone please help?
Thanks
Murali
@derkkila-splunk @smcdonald20 @cbehr
I have the following error in my logs any suggestion
05-13-2022 15:25:00.249 -0400 ERROR ExecProcessor - message from "/splunk/bin/python3.7 /splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.com/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: Not Found
based on the inclusion of graphql in the URL, I'm going to guess you changed the hostname in the config. For pretty much everyone, the hostname should stay as api.github.com.
If you update that and are still getting errors, please reach out via email derkkila at splunk.
Its fixed now.
Almost everyone will use the default hostname for the API, so that shouldn't be changed.
If you are a GitHub Enterprise Cloud customer, the account type will be "enterprise". However if you are using a paid GitHub organization at the "GitHub Enterprise" billing tier, you'll enter "organization" for the account type. For an easy way to tell, go to your user icon in the upper right corner and if the menu includes an entry called "Your Enterprises", then you are a GitHub Enterprise Cloud customer, otherwise you are a paid Organization.
The Enterprise name is the name of the Enterprise or Organization that you are a member of. This can be found in the URL, something like "https://github.com/**Enterprise Name".
To troubleshoot the Add-On I recommend looking at index=_internal and including the string "ghe" in the search to look for errors from the Add-On. If there is an error, there should be a message with a status code in the logs.
#samesies
have entered the info a few times and can see all fo them trying in the debug, but not sure how to remove the bad ones...