GitHub

GitHub audit logs provide visibility into the security and administrative activity across your repositories. They capture critical events about your GitHub repositories, including authentication changes, access control modifications, and policy updates. They also track code-level security signals such as code scanning alerts, secret scanning detections, and Dependabot activity. These logs are useful for maintaining compliance, investigating security incidents, detecting unauthorized access, and understanding administrative changes across your GitHub enterprise.

This guide walks through how to set up GitHub audit logs in Scanner Collect, using GitHub audit log streaming to send logs directly to Scanner’s HEC (HTTP Event Collector) receiver.

Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

  • Click Create New Source.

  • Click Select a Source Type.

  • Choose Github.

  • For Ingest Method, select Splunk HEC.

  • For Destination, select Scanner.

If you only want logs stored in your S3 data lake (without indexing or detection), choose AWS S3 Only. This guide assumes you’re using Scanner as the destination.

Click Next.

Step 2: Configure the Source

  • Set a Display Name such as my-org-github-logs.

Click Next.

Step 3: Configure Destination

  • Select the S3 bucket where you want raw logs delivered.

  • (Optional) Enter a bucket prefix. The default is fine for most setups.

  • Choose the Scanner index where searchable logs should go.

  • Leave the Source Label as the default: github.

Click Next.

Step 4: Transform and Enrich

  • Keep the default transformation step: Normalize to ECS - Github

    • This maps GitHub log fields to the Elastic Common Schema (ECS) so that cross-source queries and detections can use the same field names.

  • Keep Parse JSON Columns enabled to automatically extract data from any stringified JSON fields.

  • (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

Step 5: Timestamp Extraction

Leave the default settings to extract timestamps from the timestamp fields.

Click Next.
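To make the Transform and Enrich and Timestamp Extraction steps concrete, here is an added example (not Scanner’s own code) that walks a constructed HEC batch of GitHub audit-log events through the same three stages: unwrapping the HEC envelope, expanding stringified JSON columns, and extracting a timestamp while renaming fields to ECS names. The ECS mapping, the `github.repo` field and the set of high-impact actions are illustrative assumptions, not the mapping Scanner’s Normalize to ECS step actually applies; the GitHub field names (`action`, `actor`, `org`, `repo`, `user`, `@timestamp`, `created_at`) are the ones GitHub’s audit log uses.

```python
import json
from datetime import datetime, timezone

# Constructed sample batch in Splunk HEC format: newline-delimited JSON objects,
# each wrapping one GitHub audit-log event under the "event" key. The inner field
# names (action, actor, org, repo, user, @timestamp) follow GitHub's audit log;
# "data" is a stringified JSON object, the kind Parse JSON Columns expands.
SAMPLE_HEC_BATCH = "\n".join([
    json.dumps({"event": {"action": "repo.create", "actor": "alice",
                          "org": "example-org", "repo": "example-org/api",
                          "@timestamp": 1700000000000}}),
    json.dumps({"event": {"action": "org.remove_member", "actor": "bob",
                          "org": "example-org", "user": "carol",
                          "@timestamp": 1700000060000,
                          "data": json.dumps({"permission": "admin"})}}),
])

# Hypothetical mapping from GitHub audit-log fields to ECS field names. Scanner's
# "Normalize to ECS - Github" step is not reproduced here; this only illustrates
# the shape of such a mapping. "github.repo" is a custom field, not standard ECS.
ECS_FIELD_MAP = {
    "action": "event.action",
    "actor": "user.name",
    "org": "organization.name",
    "repo": "github.repo",
    "user": "user.target.name",
}

# Administrative actions worth alerting on in most organizations (real GitHub
# audit-log action names; which ones to watch is an assumption of this example).
HIGH_IMPACT_ACTIONS = {"repo.destroy", "org.remove_member",
                       "org.update_member", "protected_branch.destroy"}


def parse_hec_batch(raw: str) -> list[dict]:
    """Split a newline-delimited HEC batch and return the inner GitHub events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        events.append(envelope["event"])
    return events


def parse_json_columns(event: dict) -> dict:
    """Expand string values that hold serialized JSON objects or arrays in place."""
    out = dict(event)
    for key, value in event.items():
        if isinstance(value, str) and value[:1] in ("{", "["):
            try:
                out[key] = json.loads(value)
            except json.JSONDecodeError:
                pass  # leave strings that merely start with a brace untouched
    return out


def extract_timestamp(event: dict) -> str:
    """Return an ISO 8601 UTC string from GitHub's millisecond epoch timestamp.

    GitHub audit events carry "@timestamp" (older ones "created_at") as
    milliseconds since the epoch; use whichever field is present.
    """
    ms = event.get("@timestamp", event.get("created_at"))
    if ms is None:
        raise ValueError("event has no timestamp field")
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def normalize_to_ecs(event: dict) -> dict:
    """Rename known GitHub fields to ECS names, keeping unmapped fields verbatim."""
    doc = {}
    for key, value in event.items():
        if key in ("@timestamp", "created_at"):
            continue  # handled by extract_timestamp below
        doc[ECS_FIELD_MAP.get(key, key)] = value
    doc["@timestamp"] = extract_timestamp(event)
    doc["event.kind"] = "alert" if event.get("action") in HIGH_IMPACT_ACTIONS else "event"
    return doc


def process_batch(raw: str) -> list[dict]:
    """Run one HEC batch through parse -> JSON-column expansion -> ECS normalization."""
    return [normalize_to_ecs(parse_json_columns(e)) for e in parse_hec_batch(raw)]


if __name__ == "__main__":
    for doc in process_batch(SAMPLE_HEC_BATCH):
        print(json.dumps(doc, indent=2))
```

The second sample event shows why Parse JSON Columns matters: without it, `data` stays an opaque string and a detection cannot filter on `data.permission`; with it, the nested value becomes a queryable field.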

Step 6: Review and Create

  • Review your configuration.

  • Click Create Source.

After creation, Scanner will display a unique token and a HEC domain. Keep these handy, as they will be needed in the next step.

Step 7: Configure in GitHub

  • Log in to github.com with an account that has permission to manage your enterprise.

  • Navigate to the settings page for your enterprise:

    • Click your profile photo.

    • Click Settings.

    • Click Switch settings context (which is underneath your account name), then select your enterprise.

  • Click Audit log on the left.

  • Click Log streaming.

  • Click Configure stream -> Splunk.

  • Set the Domain field to the HEC domain from the previous step.

  • Set the Port field to 443.

  • Set the Token field to the token from the previous step.

  • Ensure "Enable SSL verification" is checked.

  • Click Check endpoint.

  • Click Save.
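What the Domain, Port, Token and SSL verification fields add up to on the wire is a Splunk HEC request: an HTTPS POST carrying the token in an `Authorization: Splunk <token>` header and the event in a JSON envelope. The following is an added example (not GitHub’s or Scanner’s code) that sends one constructed test event the same way, so you can confirm the receiver and the token from your own machine before or after clicking Check endpoint. It assumes the standard Splunk HEC event path `/services/collector/event`; the domain and token values are placeholders to be replaced with the ones Scanner displayed. TLS verification is left on, matching the "Enable SSL verification" checkbox.

```python
import json
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

HEC_DOMAIN = "hec.example.invalid"    # placeholder: the HEC domain Scanner displayed
HEC_PORT = 443                        # matches the Port field in GitHub
HEC_TOKEN = "PLACEHOLDER-HEC-TOKEN"   # placeholder: the token Scanner displayed
HEC_EVENT_PATH = "/services/collector/event"  # assumed: standard Splunk HEC path


def build_hec_request(domain: str, port: int, token: str, event: dict,
                      path: str = HEC_EVENT_PATH) -> urllib.request.Request:
    """Build the HTTPS request a Splunk HEC client sends for one event.

    The token travels in the Authorization header with the "Splunk" scheme;
    the event sits under the "event" key of the JSON body.
    """
    url = f"https://{domain}:{port}{path}"
    body = json.dumps({"event": event}).encode("utf-8")
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def check_endpoint(domain: str, port: int, token: str, timeout: float = 10.0):
    """Send one constructed test event and report (ok, detail).

    A default SSL context verifies the server certificate against the system
    trust store, so a self-signed or mismatched certificate fails here just
    as it would with "Enable SSL verification" checked in GitHub.
    """
    test_event = {"action": "hec.check", "actor": "setup-test"}  # constructed
    req = build_hec_request(domain, port, token, test_event)
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status == 200, resp.read().decode("utf-8", errors="replace")
    except HTTPError as e:
        # 401/403 here almost always means the token was mistyped or rotated.
        return False, f"HTTP {e.code}: {e.read().decode('utf-8', errors='replace')}"
    except URLError as e:
        # DNS, connection or TLS verification failure (no HTTP response at all).
        return False, f"connection/TLS failure: {e.reason}"


if __name__ == "__main__":
    ok, detail = check_endpoint(HEC_DOMAIN, HEC_PORT, HEC_TOKEN)
    print("endpoint OK" if ok else "endpoint check failed", "-", detail)
```

Because the token is the only thing authenticating the sender to the receiver, keep it out of shell history and source control; load it from an environment variable or a secrets manager rather than editing the placeholder in place.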

That’s It

Once routing is complete, logs will flow from GitHub → Scanner HTTP Receiver → S3 → Scanner index.
