Overview

GitHub, Inc. is a provider of Internet hosting for software development and version control using Git.
Organizations that manage their code on GitHub may view and export various logs regarding the platform.

Supported data types

  • GitHub Audit Logs (Cloud) - The audit log allows organization admins to quickly review the actions performed by members of their organization. It includes details such as who performed the action, what the action was, and when it was performed.

    • A typical log line will look like this:

      {"action":"git.fetch","_document_id":"ALU1IEsheliktHvAm-RvYA==","actor_location":{"country_code":"US"},"transport_protocol":2,"transport_protocol_name":"ssh","repository":"<repo>/<path>","repo":"<repo>/<path>","repository_public":false,"actor":"jenkins-deployer","org":"<name>","business":"<name>","business_id":3423,"user":"","@timestamp":1642538183423}
  • GitHub Audit Logs (Server) - A similar log, except that it originates from an on-prem GitHub server rather than from GitHub’s SaaS offering.

    • A typical log line will look like this:

      Mar  1 12:40:42 github-<costumers_name>-<country_code> babeld[17431]: ts=2022-03-01T12:40:42.395820Z pid=1 tid=70 version=52e3281 proto=http id=314174f56617653de832ca869597af56 http_url="/<something>/<something>.git/info/refs?service=git-upload-pack" http_ua="git/2.26.2" ip=10.10.10.10 xff_ip=10.10.10.10 repo=<something>/<something> cmd=git-upload-pack ac_ms=8.561 duration_ms=8.663 sr=1646138442387.153 ss=1646138442395.816 fs_sent=0 fs_recv=0 client_recv=429 client_sent=0 fsc_ms=0.000 gpv=2 log_level=INFO msg="http op done: (401)" http_status=401 handler_code=0 imode=0

Note - these logs are only available for GitHub Enterprise owners, through both GitHub Enterprise Cloud and GitHub Enterprise Server.
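
The two formats above can be parsed into one common event shape. The following is an added example, not part of the original page and not Hunters' or GitHub's own code; the sample lines are constructed from the ones shown above with made-up placeholder values, and the normalized field names and the `is_auth_failure` helper are assumptions for illustration.

```python
import json
import re
import shlex
from datetime import datetime, timezone

# Constructed samples modelled on the two log lines above (placeholders filled with made-up values).
CLOUD_SAMPLE = ('{"action":"git.fetch","actor_location":{"country_code":"US"},'
                '"transport_protocol_name":"ssh","repo":"example-org/example-repo",'
                '"actor":"jenkins-deployer","org":"example-org","@timestamp":1642538183423}')
SERVER_SAMPLE = ('Mar  1 12:40:42 github-example-us babeld[17431]: ts=2022-03-01T12:40:42.395820Z '
                 'proto=http http_url="/example-org/example-repo.git/info/refs?service=git-upload-pack" '
                 'http_ua="git/2.26.2" ip=10.10.10.10 repo=example-org/example-repo cmd=git-upload-pack '
                 'log_level=INFO msg="http op done: (401)" http_status=401')

SYSLOG_PREFIX = re.compile(r'^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<body>.*)$')

def parse_cloud(line):
    """Parse a Cloud audit log JSON line into a normalized event (assumed field names)."""
    rec = json.loads(line)
    # "@timestamp" is in milliseconds since the Unix epoch.
    ts = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc)
    return {"source": "cloud", "time": ts, "action": rec.get("action"),
            "actor": rec.get("actor") or None, "repo": rec.get("repo"),
            "protocol": rec.get("transport_protocol_name"), "ip": None, "status": None}

def parse_server(line):
    """Parse a Server babeld syslog line (key=value pairs) into the same event shape."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("not a syslog-framed line")
    # shlex keeps quoted values such as msg="http op done: (401)" together as one token.
    fields = dict(tok.split("=", 1) for tok in shlex.split(m["body"]) if "=" in tok)
    ts = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    status = int(fields["http_status"]) if "http_status" in fields else None
    return {"source": "server", "time": ts, "action": fields.get("cmd"),
            "actor": None, "repo": fields.get("repo"),
            "protocol": fields.get("proto"), "ip": fields.get("ip"), "status": status}

def is_auth_failure(event):
    """True for HTTP 401/403 on a Git operation (only the Server format carries a status)."""
    return event["status"] in (401, 403)

if __name__ == "__main__":
    for ev in (parse_cloud(CLOUD_SAMPLE), parse_server(SERVER_SAMPLE)):
        print(ev["source"], ev["time"].isoformat(), ev["action"], ev["repo"], is_auth_failure(ev))
```

The Cloud sample carries no client IP or HTTP status and the Server sample carries no actor, so those fields are left as `None`.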

Sending data to Hunters

Once in the bucket, Hunters will collect the data and ingest it.