GitHub Webhooks are a great way to collect rich information as it occurs. You can easily enable webhooks within the GitHub UI and can even select specific actions on which to trigger a webhook call to Splunk. This is only available at the Organization level and will require this to be done for each Org as desired. To do so, you'll need to configure Splunk as a receiver and then setup the webhooks within GitHub.
Splunk's HTTP Event Collector (HEC) is a quick and easy endpoint built to receive data from other producers like GitHub.
- Under Settings > Data Inputs, click HTTP Event Collector
- Assuming HEC is enabled, click the New Token button
- You can provide any name you want, however it is recommended to use something that will easily identify it like
github_webhooksor similar based on your company's naming conventions, if they exist. - Unless required by your Splunk administrator, the rest of this page can be left as is and continue onto the next step.
- You'll want to click
selectfor Source Type, and a new selection box will appear below that. - Under the Application option, there should be an entry for
github_json, however you may need to use the little search bar to find it. - For App Context, you'll want to select Splunk App for GitHub
- Next select the index created for this data. If none exist, create a new Index. Names like
githubor the like are recommended, depending on corporate naming conventions. - Lastly, click the Review button and confirm the data is correct and hit Submit.
Your token is now available to collect data, however we'll need to enable that token to allow Query String Authentication using that token. For this, you'll need command line access to your Splunk environment or be using a deployment server to deploy apps to Splunk.
To enable Query String Authentication, you'll need to update the inputs.conf file within the Splunk App for GitHub local directory. In that file, there will be a stanza with the name and value of the token you created. At the end of that stanza, you'll need to add allowQueryStringAuth = true and then restart Splunk. This is best done with the help of your Splunk team, so please reach out to them for assistance on this step.
Webhooks are a simple push mechanism that will send an event each time the webhook is triggered. Unfortunately, Webhooks are unique to each Organization and will need to be setup for each Org as desired. To do this, a user will need to be an Admin for the Org.
- In your GitHub Organization Settings page, select Webhooks from the menu on the left.
- On this page, you'll see all the existing Webhooks, click the Add webhook button to add one to send data to Splunk.
- The Payload URL will be the Splunk HTTP Event Collector endpoint that was enabled above. It should look something like:
https://YOUR SPLUNK URL:8088/services/collector/raw?token=THE TOKEN FROM ABOVE. The default port of 8088 may be different for your Splunk Environment, so please confirm the HEC port with your Splunk Admin team. - For Content Type, you'll want to select
application/jsonas the best option. - You can choose to send just
pushevents, All events, or manually select specific events from the list available. However, only some events have related Splunk eventtypes available to differentiate them within Splunk. See the table of available eventtypes below. - Once you click Add Webhook, a sample event will be triggered and it's status and response from the HTTP Event Collector should show below. Confirm that the response is OK. Otherwise triage as needed based on the HTTP Response provided.
Once that is complete and webhooks are triggering, you'll want to update the macro used for Webhook based dashboards. To do this:
- In Splunk, under Settings > Advanced Search, you'll see an entry for Macros, click that.
- There is a macro called
github_webhooks, you'll need to update it to specify the Index used by the HTTP Event Collector token created earlier. Once saved, any dashboards that report on Webhook events should automatically start displaying data.
| Splunk Eventtype | GitHub Webhook Event | Description |
|---|---|---|
| GitHub::Repo | Repositories | Repository created, deleted, archived, unarchived, publicized, privatized, edited, renamed, or transferred. |
| GitHub::Push | Pushes | Git push to a repository. |
| GitHub::PullRequest | Pull requests | Pull request opened, closed, reopened, edited, assigned, unassigned, review requested, review request removed, labeled, unlabeled, synchronized, ready for review, converted to draft, locked, unlocked, auto merge enabled, auto merge disabled, milestoned, or demilestoned. |
| GitHub::PullRequest::Review | Pull request reviews | Pull request review submitted, edited, or dismissed. |
| GitHub::CodeScanning | Code scanning alerts | Alerts identified by CodeQL and other 3rd party/OSS scanning tools. |
| GitHub::VulnerabilityAlert | Repository vulnerability alerts | Dependabot alert (aka dependency vulnerability alert) created, resolved, or dismissed on a repository. |
| GitHub::SecretScanning | Secret scanning alerts | Secrets scanning alert created, resolved, or reopened. |