
Collect Logs for GitHub

This procedure explains how to collect logs from GitHub.

The Sumo Logic App for GitHub connects to your GitHub repository at the Organization or Repository level and ingests GitHub events via a webhook. These events populate the preconfigured dashboards to give you a complete overview of your GitHub branches, issues, pull requests, user activity, and security events.

Event Types

The Sumo Logic App for GitHub ingests GitHub events via a webhook. Sumo Logic ingests all events, but only uses the following events in the dashboards:

  • Fork
  • Issues
  • Membership
  • Public
  • Pull
  • Pull_request
  • Push
  • Repository
  • Team_add

For more information about GitHub events, refer to the GitHub documentation.

Log Types

The Sumo Logic App for GitHub gathers statistics and events from the GitHub Remote API on each host.

For an introduction to GitHub Events, see: A Beginner's Guide to GitHub Events.

First, configure a Collector and Source in Sumo Logic, then configure a GitHub Webhook using the HTTP Source Address created in Sumo Logic.

Configure Hosted Collector to Receive GitHub Events

In this step, you create a Hosted Collector to receive Webhook Events from GitHub and set up an HTTP Source on it.

  1. Configure a Hosted Collector, or select an existing hosted collector for the HTTP Source.
  2. Configure an HTTP Source on the Hosted Collector.
    • For Source Category, enter any string to tag the output collected from this Source, such as GitHub.
    • Click +Add Field and provide the following:
      • Field Name. _convertHeadersToFields
      • Value. true
    • Click Save and make note of the HTTP address for the Source. You will supply it when you configure the GitHub Webhook in the next section.


Configure a GitHub Webhook

In GitHub, configure a Webhook to connect to your Sumo Logic HTTP Source. You can configure the Webhook at the Organization or Repository level. Once configured, it will be triggered each time one or more subscribed events occur in that Organization or Repository.

You can create up to 20 Webhooks for each event on each specific organization or repository.

To configure a GitHub Webhook

  1. Sign in to your GitHub account.
  2. Go to your Organization.
  3. Go to Settings > Webhooks.
  4. Click Add Webhook. The Add Webhook form appears.
  5. Enter Webhook form data as follows:
    1. Payload URL. Enter the Sumo Logic HTTP Source Address from the source setup step.
    2. Content type. Select application/json.
    3. Secret. Leave blank.
    4. Which events would you like to trigger this Webhook? Select Send me everything.
    5. Active. Check the box.
  6. Click Add Webhook.

Enable GitHub Event tagging at Sumo Logic

Sumo Logic needs to know the event type of each incoming event. To make this possible, enable the x-github-event field by performing the following steps in the Sumo Logic console:

  1. From Sumo Logic, go to Manage Data > Logs > Fields.
  2. Add Field x-github-event.
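
The following is an added example, not Sumo Logic's or GitHub's code. It models locally why the x-github-event field matters: GitHub names the event type in the X-GitHub-Event request header rather than in the JSON body, so a delivery stored without that header cannot be classified. The function name tag_delivery and the sample deliveries are constructed for illustration.

```python
import json

# Event types this page lists as used by the dashboards (lower-cased header values).
DASHBOARD_EVENTS = {"fork", "issues", "membership", "public", "pull",
                    "pull_request", "push", "repository", "team_add"}

def tag_delivery(headers, body):
    """Model (as an assumption, not Sumo Logic's implementation) the fields
    available for one webhook delivery once headers are converted to fields.

    headers: dict of HTTP request headers (names are case-insensitive).
    body:    raw JSON payload as GitHub sent it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    event = lowered.get("x-github-event")  # the body carries no event name
    payload = json.loads(body)
    record = {
        "x-github-event": event,
        "used_by_dashboards": event in DASHBOARD_EVENTS,
        "action": payload.get("action"),
        "repo": payload.get("repository", {}).get("full_name"),
        "sender": payload.get("sender", {}).get("login"),
    }
    if event == "push":
        # The "Commits Over Time" query on this page derives the same count
        # by counting commas in the extracted list of commit ids.
        record["num_commits"] = len(payload.get("commits", []))
    return record

# Constructed sample deliveries, modelled on the sample log message on this page.
ISSUE_BODY = json.dumps({
    "action": "opened",
    "issue": {"url": "", "number": 1347},
    "repository": {"id": 1296269, "full_name": "octocat/Hello-World",
                   "owner": {"login": "octocat", "id": 1}},
    "sender": {"login": "octocat", "id": 1},
})
PUSH_BODY = json.dumps({
    "commits": [{"id": "c1"}, {"id": "c2"}, {"id": "c3"}],
    "repository": {"full_name": "octocat/Hello-World"},
    "sender": {"login": "octocat"},
})

if __name__ == "__main__":
    print(tag_delivery({"X-GitHub-Event": "issues"}, ISSUE_BODY))
    print(tag_delivery({"X-GitHub-Event": "push"}, PUSH_BODY))
    # Header not captured: the event type cannot be recovered from the body.
    print(tag_delivery({}, ISSUE_BODY))
```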


Sample Log Messages

GitHub sends all fields in the payload, documented according to Event Type.

  "action": "opened",
  "issue": {
    "url": "",
    "number": 1347,
  "repository" : {
    "id": 1296269,
    "full_name": "octocat/Hello-World",
    "owner": {
      "login": "octocat",
      "id": 1,
  "sender": {
    "login": "octocat",
    "id": 1,

Query Samples

Commits Over Time

"commits" ""
| json "commits[*].id[*]", "", "" as commit_size, repo_name, user
| where commit_size != "[]"
| replace(commit_size, ",","") as Ccommit_size
| (length(commit_size) - length(Ccommit_size) + 1) as num_commits
| timeslice 1d
| count by _timeslice

Members Added or Removed

| json "action", "scope", "member.login", "", "member.type", "", "team.permission", "organization.login" as action, scope, member_name, member_id, member_type, team_name, team_permission, org_login
| count by member_id, action, team_name, org_login, member_name, team_permission
| order by action, member_id
| fields member_name, action, team_name, org_login, team_permission

Total Number Open Issues

| json "action", "", "issue.number", "issue.title" , "issue.state", "issue.created_at", "issue.updated_at", "issue.closed_at", "issue.body", "issue.user.login", "issue.url", "", "repository.open_issues_count" as axn, issue_ID, issue_num, issue_title, state, createdAt, updatedAt, closedAt, body, user, url, repo_name, repoOpenIssueCnt
| withtime repoOpenIssueCnt
| most_recent (repoopenissuecnt_withtime) as number_issues by repo_name
| number (number_issues)