Streaming the audit logs for organizations in your enterprise account

About exporting audit data

You can extract audit log and Git events data from GitHub in multiple ways:

• Go to the Audit log page in GitHub and click Export.
  For more information, see "Viewing the audit logs for organizations in your enterprise account" and "Exporting the audit log."
• Use the API to poll for new audit log events.
  For more information, see "Using the audit log API."
• Set up GitHub to stream audit data as events are logged.

About audit log streaming

To help protect your intellectual property and maintain compliance for your organization, you can use streaming to keep copies of your audit log data and monitor:

• Access to your organization or repository settings
• Changes in permissions
• Added or removed users in an organization, repository, or team
• Users being promoted to admin
• Changes to permissions of a GitHub App
• Git events, such as cloning, fetching, and pushing

The benefits of streaming audit data include:

• Data exploration. You can examine streamed events using your preferred tool for querying large quantities of data. The stream contains both audit events and Git events across the entire enterprise account.
• Data continuity. You can pause the stream for up to seven days without losing any audit data.
• Data retention. You can keep your exported audit logs and Git data as long as you need to.

Enterprise owners can set up, pause, or delete a stream at any time. The stream exports the audit data for all of the organizations in your enterprise.

Setting up audit log streaming

GitHub supports streaming of audit data to either Splunk or Azure Event Hubs.

Setting up streaming to Splunk

To stream audit logs to Splunk's HTTP Event Collector (HEC) endpoint you must make sure that the endpoint is configured to accept HTTPS connections. For more information, see the Splunk documentation article "Set up and use HTTP Event Collector in Splunk Web."

1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

2. In the list of enterprises, click the enterprise you want to view.

3. In the enterprise account sidebar, click Settings.

4. Under " Settings", click Audit log.

5. Click the Log streaming tab.

6. Click Configure stream and select Splunk.

7. On the configuration page, enter:

   • The domain on which the application you want to stream to is hosted.

     If you are using Splunk Cloud, Domain should be http-inputs-<host>, where host is the domain you use in Splunk Cloud. For example: http-inputs-mycompany.splunkcloud.com.

   • The port on which the application accepts data.
     

     If you are using Splunk Cloud, Port should be 443 if you haven't changed the port configuration. If you are using the free trial version of Splunk Cloud, Port should be 8088.

   • A token that GitHub can use to authenticate to the third-party application.

8. Leave the Enable SSL verification check box selected.

   Audit logs are always streamed as encrypted data, however, with this option selected, GitHub verifies the SSL certificate of your Splunk instance when delivering events. SSL verification helps ensure that events are delivered to your URL endpoint securely. You can clear the selection of this option, but we recommend you leave SSL verification enabled.

9. Click Check endpoint to verify that GitHub can connect to the Splunk endpoint.

10. After you have successfully verified the endpoint, click Save.

Setting up streaming to Azure Event Hubs

Before setting up a stream in GitHub, you must first have an event hub namespace in Microsoft Azure. Next, you must create an event hub instance within the namespace. You'll need the details of this event hub instance when you set up the stream. For details, see the Microsoft documentation, "Quickstart: Create an event hub using Azure portal."

You need two pieces of information about your event hub: its instance name and the connection string.

On Microsoft Azure portal:

1. In the left menu select Entities. Then select Event Hubs. The names of your event hubs are listed.
2. Make a note of the name of the event hub you want to stream to.
3. Click the required event hub. Then, in the left menu, select Shared Access Policies.
4. Select a shared access policy in the list of policies, or create a new policy.
5. Click the button to the right of the Connection string-primary key field to copy the connection string.

On GitHub:

1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

2. In the list of enterprises, click the enterprise you want to view.

3. In the enterprise account sidebar, click Settings.

4. Under " Settings", click Audit log.

5. Click the Log streaming tab.

6. Click Configure stream and select Azure Event Hubs.

7. On the configuration page, enter:

   • The name of the Azure Event Hubs instance.
   • The connection string.

8. Click Check endpoint to verify that GitHub can connect to the Azure endpoint.

9. After you have successfully verified the endpoint, click Save.

Pausing audit log streaming

Pausing the stream allows you to perform maintenance on the receiving application without losing audit data. Audit logs are stored for up to seven days on GitHub and are then exported when you unpause the stream.

1. Display the "Log streaming" tab, as described above.
2. Click Pause stream.
3. A confirmation message is displayed. Click Pause stream to confirm.

When the application is ready to receive audit logs again, click Resume stream to restart streaming audit logs.

Deleting the audit log stream

1. Display the "Log streaming" tab, as described above.
2. Click Delete stream.
3. A confirmation message is displayed. Click Delete stream to confirm.