
Why, after installing the GitHub Add-On for Splunk, am I not seeing any data?

smcdonald20
Path Finder

Hello,

I have installed the GitHub Add-On for Splunk but I am currently not seeing any data.

I think I have possibly entered the incorrect input fields, but I'm not sure where in GitHub I can find these fields.

Has anyone set this up before and could show me where the input fields are in GitHub?


Thanks,

Sophie


Viacheslav
Loves-to-Learn Lots

Hello,

@smcdonald20 which Add-on and App do you use for GitHub audit logs?
We are trying to get working

https://splunkbase.splunk.com/app/6254

and https://splunkbase.splunk.com/app/5596

but there is no field Hostname.

We do not see any Audit logs.

@derkkila-splunk Should these versions work with the API, or is only streaming logs from GitHub to Splunk supported?

Thank you in advance.


derkkila-splunk
Splunk Employee

@Viacheslav The add-on is the data collection mechanism. If you are using GitHub SaaS, it can poll the API for the audit logs OR you can use the Audit Log streaming built into GitHub and use the sourcetype that is included in the Add-on. If you are using GitHub Enterprise Server or their on-prem product, you'll send the syslog data to a Splunk Connect for Syslog endpoint that takes advantage of the sourcetypes in the add-on.

The App is the visualization component and is only there to provide out of the box dashboards and alerts.

I like to refer to the documentation in the GitHub repo for the App for how to set up different configurations based on your specific needs: https://github.com/splunk/github_app_for_splunk/

If that doesn't help, please feel free to message or email me directly.


Viacheslav
Loves-to-Learn Lots

@derkkila-splunk Yes, we use github.com, but we do not get logs.

We do not use streaming to Splunk.

We would like to get logs via API.

But during setup of the add-on input we do not see the ability to set Hostname.

Is it expected?

I've tested the token to get Audit logs via API and it works for Org and Enterprise levels.

On the input we set Org, but nothing is coming into Splunk.

I've spent time on the docs for the add-on and app, and sometimes the docs look outdated.


Viacheslav
Loves-to-Learn Lots

We followed this instruction https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs which looks pretty close to what we had in the GUI.

But we do not get any logs.

@derkkila-splunk could you suggest how we can troubleshoot what could be wrong?

Thank you in advance.


derkkila-splunk
Splunk Employee

@Viacheslav There should be internal logs that can help:

index=_internal source="/opt/splunk/var/log/splunk/Splunk_TA_github_utils.log"


I would take the output from that and open a support case with Splunk Support.


Viacheslav
Loves-to-Learn Lots

@derkkila-splunk thank you for the answer.
We are going to open a Support ticket.


Murali
Explorer

Hello,

Speaking about the Splunk Add-on for GitHub, I'm in the midst of getting it installed in my Cloud Environment for the first time.

However, I'm just curious, or not sure, how the logs will be sent to the add-on from GitHub. Do we just need the input in place, or do we need Splunk Connect for Syslog (SC4S)?

Can someone please help?


Thanks

Murali


indreshdowjones
Explorer

@derkkila-splunk @smcdonald20 @cbehr

I have the following error in my logs; any suggestion?

05-13-2022 15:25:00.249 -0400 ERROR ExecProcessor - message from "/splunk/bin/python3.7 /splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.com/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: Not Found


derkkila-splunk
Splunk Employee

Based on the inclusion of graphql in the URL, I'm going to guess you changed the hostname in the config. For pretty much everyone, the hostname should stay as api.github.com.

If you update that and are still getting errors, please reach out via email derkkila at splunk.


indreshdowjones
Explorer

It's fixed now.

derkkila-splunk
Splunk Employee

Almost everyone will use the default hostname for the API, so that shouldn't be changed.

If you are a GitHub Enterprise Cloud customer, the account type will be "enterprise". However if you are using a paid GitHub organization at the "GitHub Enterprise" billing tier, you'll enter "organization" for the account type. For an easy way to tell, go to your user icon in the upper right corner and if the menu includes an entry called "Your Enterprises", then you are a GitHub Enterprise Cloud customer, otherwise you are a paid Organization.

The Enterprise name is the name of the Enterprise or Organization that you are a member of. This can be found in the URL, something like "https://github.com/**Enterprise Name".

To troubleshoot the Add-On I recommend looking at index=_internal and including the string "ghe" in the search to look for errors from the Add-On. If there is an error, there should be a message with a status code in the logs.

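The troubleshooting advice above (search _internal for "ghe" errors and check the status code and hostname) and the 404 error quoted earlier in the thread can be turned into a small triage script. This is an added example, not code from the add-on or from any poster; the sample log line is the one quoted in the thread, and the mapping of status codes to likely causes is an assumption based on the error text and common HTTP semantics.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the ExecProcessor error quoted earlier in this thread.
SAMPLE_LOG = (
    '05-13-2022 15:25:00.249 -0400 ERROR ExecProcessor - message from '
    '"/splunk/bin/python3.7 /splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" '
    'RuntimeError: Could not fetch audit log data. Please check your configuration, '
    'access token scope / correctness and API rate limits. status_code: 404 - '
    'url: https://github.com/api/graphql/enterprises/enterprise-name/audit-log'
    '?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: Not Found'
)

# The hostname the add-on input should normally keep (per the thread).
EXPECTED_HOST = "api.github.com"

# Matches the "status_code: NNN - url: ..." pair inside the script's RuntimeError.
_ERR_RE = re.compile(r"status_code:\s*(?P<code>\d{3})\s*-\s*url:\s*(?P<url>\S+)")

def parse_ghe_error(line):
    """Return status code, host and path from one add-on ERROR line, or None if it is not one."""
    if "ghe_audit_log_monitoring" not in line or "ERROR" not in line:
        return None
    m = _ERR_RE.search(line)
    if not m:
        return None
    u = urlparse(m.group("url"))
    return {"status_code": int(m.group("code")), "host": u.netloc, "path": u.path}

def diagnose(parsed):
    """Map a parsed error to likely causes (assumed mapping, not from the add-on docs)."""
    hints = []
    if parsed["host"] != EXPECTED_HOST:
        hints.append(f"hostname is '{parsed['host']}'; the input should normally use '{EXPECTED_HOST}'")
    code = parsed["status_code"]
    if code == 404:
        hints.append("404: endpoint not found; check hostname, account type (enterprise vs organization) and the enterprise/org name")
    elif code in (401, 403):
        hints.append(f"{code}: token rejected or lacking scope (403 may also mean rate limiting); verify the access token")
    elif code == 429:
        hints.append("429: API rate limit hit; reduce polling frequency")
    return hints

def triage(lines):
    """Scan a batch of _internal log lines and return (status_code, hints) for each add-on error."""
    results = []
    for line in lines:
        parsed = parse_ghe_error(line)
        if parsed:
            results.append((parsed["status_code"], diagnose(parsed)))
    return results
```

Feed it the raw event text exported from the index=_internal search shown above; for the quoted 404 it flags both the 404 and the non-default hostname.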

cbehr
Loves-to-Learn Lots

#samesies

I have entered the info a few times and can see all of them trying in the debug, but not sure how to remove the bad ones...
