# Github

GitHub audit logs provide visibility into the security and administrative activity across your repositories. They capture critical events about your GitHub enterprise, including authentication changes, access control modifications, and policy updates, and they also track code-level signals such as code scanning alerts, secret scanning detections, and Dependabot activity. These logs are useful for maintaining compliance, investigating security incidents, detecting unauthorized access, and understanding administrative changes across your GitHub enterprise.

This guide walks through how to set up GitHub audit logs in Scanner Collect, using GitHub audit log streaming to send logs directly to Scanner’s HEC (HTTP Event Collector) receiver.

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select create new **Collect Rule**.
* Click **Select a Source Type**.
* Choose **Github**.

Click Next.

### Step 2: Configure the Source

* Set a Display Name such as `my-org-github-logs`.

Click Next.

### Step 3: Configure Destination

* Select the S3 bucket where you want raw logs delivered.
* (Optional) Enter a bucket prefix. The default is fine for most setups.
* Choose the Scanner index where searchable logs should go.
* Leave the Source Label as the default: `github`.

Click Next.

### Step 4: Transform and Enrich

* Keep the default transformation step: **Normalize to ECS - Github**
  * This maps Github log fields to the Elastic Common Schema (ECS) to support cross-source queries and detections.
* Keep **Parse JSON Columns** enabled to automatically extract data from any stringified JSON fields.
* (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

### Step 5: Timestamp Extraction

Leave the default settings, which extract the event time from the log's timestamp fields.

Click Next.

### Step 6: Review and Create

* Review your configuration.
* Click Create Source.

After creation, Scanner will display a unique token and a HEC domain. Keep these handy, as they will be needed in the next step.

### Step 7: Configure in GitHub

* Log in to `github.com` with an account that has permission to manage your enterprise.
* Navigate to the settings page for your enterprise:
  * Click your profile photo.
  * Click **Settings**.
  * Click **Switch settings context** (which is underneath your account name), then select your enterprise.
* Click **Audit log** on the left.
* Click **Log streaming**.
* Click **Configure stream**, then select **Splunk**.
* Set the **Domain** field to the HEC domain from the previous step.
* Set the **Port** field to `443`.
* Set the **Token** field to the token from the previous step.
* Ensure "Enable SSL verification" is checked.
* Click **Check endpoint**.
* Click **Save**.

### That’s It

Once the stream is saved, logs flow from GitHub → Scanner HTTP Receiver → S3 → Scanner index.
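As an added illustration of what the Transform and Enrich and Timestamp Extraction steps do to a streamed event (example code written for this guide, not Scanner's own pipeline code), the script below parses three constructed GitHub audit-log events, expands a stringified JSON column, extracts the time from either `@timestamp` (epoch milliseconds) or `created_at`, maps the result onto ECS-style field names, and flags administrative actions a detection would typically watch. The field names `action`, `actor`, `org`, `repo`, `@timestamp` and `created_at` follow GitHub's audit log schema; the `config` column, the sample values and the watchlist are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample events, not real logs; the stringified-JSON "config" column is an assumption.
SAMPLE_EVENTS = [
    '{"action":"repo.visibility_change","actor":"alice","org":"acme","repo":"acme/payments",'
    '"@timestamp":1717000000000,"config":"{\\"visibility\\":\\"public\\"}"}',
    '{"action":"git.push","actor":"bob","org":"acme","repo":"acme/web",'
    '"created_at":"2024-05-29T17:00:00Z"}',
    '{"action":"protected_branch.destroy","actor":"carol","org":"acme","repo":"acme/infra",'
    '"@timestamp":1717000120000}',
]

# Illustrative watchlist of administrative actions worth a detection; not exhaustive.
RISKY_ACTIONS = {"repo.visibility_change", "protected_branch.destroy", "org.remove_member"}

def extract_timestamp(event: dict) -> datetime:
    """Timestamp step: prefer @timestamp (epoch ms), fall back to created_at (ISO 8601)."""
    if "@timestamp" in event:
        return datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
    return datetime.fromisoformat(event["created_at"].replace("Z", "+00:00"))

def parse_json_columns(event: dict) -> dict:
    """'Parse JSON Columns' step: expand string values that hold a JSON object."""
    out = dict(event)
    for key, value in event.items():
        if isinstance(value, str) and value.startswith("{"):
            try:
                out[key] = json.loads(value)
            except json.JSONDecodeError:
                pass  # leave non-JSON strings untouched
    return out

def normalize(raw_line: str) -> dict:
    """Map one raw audit event onto a small ECS-style record."""
    event = parse_json_columns(json.loads(raw_line))
    return {
        "@timestamp": extract_timestamp(event).isoformat(),
        "event.action": event.get("action"),
        "user.name": event.get("actor"),
        "github.org": event.get("org"),
        "github.repo": event.get("repo"),
        "github.config": event.get("config"),
        "risky": event.get("action") in RISKY_ACTIONS,
    }

def risky_events(lines) -> list:
    """Return the normalized records whose action is on the watchlist."""
    return [rec for rec in map(normalize, lines) if rec["risky"]]
```

Running `risky_events(SAMPLE_EVENTS)` returns the visibility change and the branch-protection removal, each with a UTC ISO timestamp regardless of which source field carried it.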
