Audit Log Streaming to Datadog - Beta Feedback

[boylejj]

The purpose of this discussion is to collect feedback from Enterprises participating in the private beta for configuring audit log streaming to a Datadog endpoint. GHEC administrators interested in participating in the private beta should reach out to your GitHub account manager or contact our sales team to make the feature available for your enterprise.

Setting up streaming to Datadog

To set up streaming to Datadog, you must create a client token or an API key in Datadog, then configure audit log streaming in GitHub Enterprise Cloud using the token for authentication. You do not need to create a bucket or other storage container in Datadog.

After you set up streaming to Datadog, you can see your audit log data by filtering by "github.audit.streaming." For more information, see Log Management.

1. If you don't already have a Datadog account, create one.

2. In Datadog, generate a client token or an API key, then click Copy key. For more information, see API and Application Keys in Datadog Docs.

3. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

4. In the list of enterprises, click the enterprise you want to view.

5. In the enterprise account sidebar, click Settings.

6. Under " Settings", click Audit log.

7. Under "Audit log", click Log streaming.

8. Select the Configure stream dropdown menu and click Datadog.

9. Under "Token", paste the token you copied earlier.

10. Select the "Site" dropdown menu and click your Datadog site. To determine your Datadog site, compare your Datadog URL to the table in Datadog sites in Datadog Docs.

11. To verify that GitHub can connect and write to the Datadog endpoint, click Check endpoint.

12. After you have successfully verified the endpoint, click Save.

13. After a few minutes, confirm that audit log data is appearing on the Logs tab in Datadog. If audit log data is not appearing, confirm that your token and site are correct in GitHub.

[cardoppler]

Hi @boylejj ! I have followed the steps above but no luck with receiving logs in DD. What's the best way to get support; here or via email? I am not sure if posting screenshots in this thread is the most appropriate thing to do 😅 (although it might help others!)

[boylejj]

@cardoppler, feel free to send an email summarizing what you're seeing to me and @maxprit. We'll work through the challenges you're seeing, and adjust the instructions as appropriate.

[avgalani]

hi @boylejj, we're also encountering the same issue.

We've followed the instructions to the letter and by all means it should work, however we don't see any logs popping into Datadog.
We were sure to select the correct region for our Datadog instance (EU1), as well as to use a valid API key.

[boylejj]

@avgalani, we believe we found the cause of the issue and have shipped a fix. Please try again and let me know if you're still experiencing issues.

[greta-ramaneckaite]

Hi @boylejj,
I've encountered a strange bug inside the logs. I'm working on setting up some Detection Rules for monitoring public repository creation and I spotted that some logs contain actor's location:
If an actor modifies a repositories access from public to private - there is a location in the log. But when an actor creates a public repository or modifies it from private to public - there is no location. For our configuration - we would like to see the opposite instead.
Is it possible to toggle this or maybe enable the location specification for all of the logs?

Example section from a log:
actor_location { country_code: RO }

[boylejj]

@greta-ramaneckaite ... Thanks for the feedback. What you're seeing is currently the expected behavior, as any activity tied to public repositories will not have location related information (IP address or actor_location) included in the audit log entry.

That being said, I can certainly understand why this information would be very important when a private repository is made public. Particularly, determining if this was done by mistake by someone or done maliciously by a bad actor. I will get this written up and loaded into our backlog for consideration and prioritization.

[greta-ramaneckaite]

Thanks @boylejj !

[PeterFagans]

So I was following the above instructions but I don't seem to have a drop down box per section 8:

Is it because I already have a stream setup?

[cardoppler]

Hi @PeterFagans - Yes, I had the same issue, it looks like it's not possible to have both active at the same time. Only after deleting the existing old stream (to S3), I could see the new option to setup "Streaming to DataDog".

[PeterFagans]

Thank you! Thats what I thought but wanted confirmation before I blew away the S3 connector

[boylejj]

@PeterFagans and @cardoppler.... How helpful would it be to be able to configure multiple streams? I can see value in being able to have a test and prod for streams to that same endpoint. But, are there instances where you would like to stream the same enterprise audit log to two different endpoints?

[PeterFagans]

I could see a situation where you want to additionally stream the logs to a secure place for archival purposes where you are confident that nothing was manipulated or for backup. Also it might be handy to be able to parse the stream ahead of time so you could direct the stream to various endpoints by repo. Peter

…

On Fri, Aug 26, 2022 at 11:18 AM Jim Boyle ***@***.***> wrote: @PeterFagans <https://github.com/PeterFagans> and @cardoppler <https://github.com/cardoppler>.... How helpful would it be to be able to configure multiple streams? I can see value in being able to have a test and prod for streams to that same endpoint. But, are there instances where you would like to stream the same enterprise audit log to two different endpoints? — Reply to this email directly, view it on GitHub <#21347 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUU24EGIU6KXWUV75D6VHRTV3DN3NANCNFSM54WF6OYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[ozonni]

why is this feature only available for enterprises account and not just for account on enterprises pricing plan?

[dpihlaja]

Not sure if this product is still in Beta or not - but I'm trying to track down where the maintainers live for the github->dd audit log streaming integration for an issue with the integration @boylejj (your github profile makes it seem like you are still the PM of this product)

The integration dashboard in Datadog is broken so will throw down some details here. I started a Slack thread in the Datadog Public Integrations channel here which is just me talking to myself (not expecting any official responses there, just dunno what support department to hit up here)

Dashboard widgets are currently using this attribute in the queries:

@github.event

However these are the attributes actually on the current logs: `

@action:git.fetch
@evt.action:git.fetch

To fix this, can either change the widget to pick one of the existing attributes, or if nothing else is using those facets, change the pipeline processor to remap to @github.event instead.

(sidenote; why bother preserving the parent attributes here.... some legacy backwards compatibility thing? This creates larger logs with duplicate information that creates multiple ways of doing the same thing, which leads to multiple flows to maintain)