Streaming the audit logs for organizations in your enterprise account

You can stream audit and Git events data from GitHub to an external data management system.

Enterprise owners can configure audit log streaming.

About exporting audit data

You can extract audit log and Git events data from GitHub in multiple ways:

Currently, audit log streaming is supported for multiple storage providers.

  • Amazon S3
  • Azure Blob Storage
  • Azure Event Hubs
  • Google Cloud Storage
  • Splunk

About audit log streaming

To help protect your intellectual property and maintain compliance for your organization, you can use streaming to keep copies of your audit log data and monitor:

  • 对组织或仓库设置的访问
  • 权限更改
  • 组织、仓库或团队中添加或删除的用户
  • 被提升为管理员的用户
  • GitHub 应用程序 权限的更改
  • Git 事件,如克隆、获取和推送

The benefits of streaming audit data include:

  • Data exploration. You can examine streamed events using your preferred tool for querying large quantities of data. The stream contains both audit events and Git events across the entire enterprise account.
  • Data continuity. You can pause the stream for up to seven days without losing any audit data.
  • Data retention. You can keep your exported audit logs and Git data as long as you need to.

Enterprise owners can set up, pause, or delete a stream at any time. The stream exports the audit data for all of the organizations in your enterprise.

Setting up audit log streaming

You set up the audit log stream on GitHub Enterprise Cloud by following the instructions for your provider.

Setting up streaming to Amazon S3

To stream audit logs to Amazon's S3 endpoint, you must have a bucket and access keys. For more information, see Creating, configuring, and working with Amazon S3 buckets in the the AWS documentation. Make sure to block public access to the bucket to protect your audit log information.

To set up audit log streaming from GitHub you will need:

  • The name of your Amazon S3 bucket
  • Your AWS access key ID
  • Your AWS secret key

For information on creating or accessing your access key ID and secret key, see Understanding and getting your AWS credentials in the AWS documentation.

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  5. Click the Log streaming tab.

  6. Click Configure stream and select Amazon S3.

    Choose Amazon S3 from the drop-down menu

  7. On the configuration page, enter:

    • The name of the bucket you want to stream to. For example, auditlog-streaming-test.
    • Your access key ID. For example, ABCAIOSFODNN7EXAMPLE1.
    • Your secret key. For example, aBcJalrXUtnWXYZ/A1MDENG/zPxRfiCYEXAMPLEKEY.

    Enter the stream settings

  8. Click Check endpoint to verify that GitHub can connect and write to the Amazon S3 endpoint.

    Check the endpoint

  9. After you have successfully verified the endpoint, click Save.

Setting up streaming to Azure Blob Storage

Before setting up a stream in GitHub, you must first have created a storage account and a container in Microsoft Azure. For details, see the Microsoft documentation, "Introduction to Azure Blob Storage."

To configure the stream in GitHub you need the URL of a SAS token.

On Microsoft Azure portal:

  1. On the Home page, click Storage Accounts.

  2. Click the name of the storage account you want to use, then click Containers.

    The Containers link in Azure

  3. Click the name of the container you want to use.

  4. Click Shared access tokens.

    The shared access token link in Azure

  5. In the Permissions drop-down menu, change the permissions to only allow Create and Write.

    The permissions drop-down menu

  6. Set an expiry date that complies with your secret rotation policy.

  7. Click Generate SAS token and URL.

  8. Copy the value of the Blob SAS URL field that's displayed. You will use this URL in GitHub.

On GitHub:

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  5. Click the Log streaming tab.

  6. Click Configure stream and select Azure Blob Storage.

    Choose Azure Blob Storage from the drop-down menu

  7. On the configuration page, enter the blob SAS URL that you copied in Azure. The Container field is auto-filled based on the URL.

    Enter the stream settings

  8. Click Check endpoint to verify that GitHub can connect and write to the Azure Blob Storage endpoint.

    Check the endpoint

  9. After you have successfully verified the endpoint, click Save.

Setting up streaming to Azure Event Hubs

Before setting up a stream in GitHub, you must first have an event hub namespace in Microsoft Azure. Next, you must create an event hub instance within the namespace. You'll need the details of this event hub instance when you set up the stream. For details, see the Microsoft documentation, "Quickstart: Create an event hub using Azure portal."

You need two pieces of information about your event hub: its instance name and the connection string.

On Microsoft Azure portal:

  1. Search for "Event Hubs".

    The Azure portal search box

  2. Select Event Hubs. The names of your event hubs are listed.

    A list of event hubs

  3. Make a note of the name of the event hub you want to stream to.

  4. Click the required event hub. Then, in the left menu, select Shared Access Policies.

  5. Select a shared access policy in the list of policies, or create a new policy.

    A list of shared access policies

  6. Click the button to the right of the Connection string-primary key field to copy the connection string.

    The event hub connection string

On GitHub:

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  5. Click the Log streaming tab.

  6. Click Configure stream and select Azure Event Hubs.

    Choose Azure Events Hub from the drop-down menu

  7. On the configuration page, enter:

    • The name of the Azure Event Hubs instance.
    • The connection string.

    Enter the stream settings

  8. Click Check endpoint to verify that GitHub can connect and write to the Azure Events Hub endpoint.

    Check the endpoint

  9. After you have successfully verified the endpoint, click Save.

Setting up streaming to Google Cloud Storage

To set up streaming to Google Cloud Storage, you must create a service account in Google Cloud with the appropriate credentials and permissions, then configure audit log streaming in GitHub Enterprise Cloud using the service account's credentials for authentication.

  1. Create a service account for Google Cloud. You do not need to set access controls or IAM roles for the service account. For more information, see Creating and managing service accounts in the Google Cloud documentation.

  2. Create a JSON key for the service account, and store the key securely. For more information, see Creating and managing service account keys in the Google Cloud documentation.

  3. If you haven't created a bucket yet, create the bucket. For more information, see Creating storage buckets in the Google Cloud documentation.

  4. Give the service account the Storage Object Creator role for the bucket. For more information, see Using Cloud IAM permissions in the Google Cloud documentation.

  5. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  6. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  7. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  8. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  9. Click the Log streaming tab.

  10. Select the Configure stream drop-down menu and click Google Cloud Storage.

    Screenshot of the "Configure stream" drop-down menu

  11. Under "Bucket", type the name of your Google Cloud Storage bucket.

    Screenshot of the "Bucket" text field

  12. Under "JSON Credentials", paste the entire contents of the file for your service account's JSON key.

    Screenshot of the "JSON Credentials" text field

  13. To verify that GitHub can connect and write to the Google Cloud Storage bucket, click Check endpoint.

    Screenshot of the "Check endpoint" button

  14. After you have successfully verified the endpoint, click Save.

Setting up streaming to Splunk

To stream audit logs to Splunk's HTTP Event Collector (HEC) endpoint you must make sure that the endpoint is configured to accept HTTPS connections. For more information, see Set up and use HTTP Event Collector in Splunk Web in the Splunk documentation.

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  5. Click the Log streaming tab.

  6. Click Configure stream and select Splunk.

    Choose Splunk from the drop-down menu

  7. On the configuration page, enter:

    • The domain on which the application you want to stream to is hosted.

      If you are using Splunk Cloud, Domain should be http-inputs-<host>, where host is the domain you use in Splunk Cloud. 例如:http-inputs-mycompany.splunkcloud.com

    • The port on which the application accepts data.

      If you are using Splunk Cloud, Port should be 443 if you haven't changed the port configuration. If you are using the free trial version of Splunk Cloud, Port should be 8088.

    • A token that GitHub can use to authenticate to the third-party application.

    Enter the stream settings

  8. Leave the Enable SSL verification check box selected.

    Audit logs are always streamed as encrypted data, however, with this option selected, GitHub verifies the SSL certificate of your Splunk instance when delivering events. SSL verification helps ensure that events are delivered to your URL endpoint securely. You can clear the selection of this option, but we recommend you leave SSL verification enabled.

  9. Click Check endpoint to verify that GitHub can connect and write to the Splunk endpoint. Check the endpoint

  10. After you have successfully verified the endpoint, click Save.

Pausing audit log streaming

Pausing the stream allows you to perform maintenance on the receiving application without losing audit data. Audit logs are stored for up to seven days on GitHub.com and are then exported when you unpause the stream.

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  5. Click the Log streaming tab.

  6. Click Pause stream.

    Pause the stream

  7. A confirmation message is displayed. Click Pause stream to confirm.

When the application is ready to receive audit logs again, click Resume stream to restart streaming audit logs.

Deleting the audit log stream

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在“ Settings(设置)”下,单击 Audit log(审核日志)在企业帐户侧边栏中的 Audit log(审核日志)选项卡

  5. Click the Log streaming tab.

  6. Click Delete stream.

    Delete the stream

  7. A confirmation message is displayed. Click Delete stream to confirm.

此文档对您有帮助吗?

隐私政策

帮助我们创建出色的文档!

所有 GitHub 文档都是开源的。看到错误或不清楚的内容了吗?提交拉取请求。

做出贡献

或者, 了解如何参与。