Collect Logs for GitHub

This procedure explains how to collect logs from GitHub.

The Sumo Logic App for GitHub connects to your GitHub repository at the Organization or Repository level and ingests GitHub events via a webhook. These events populate the preconfigured dashboards to give you a complete overview of your GitHub branches, issues, pull requests, user activity, and security events.

Event Types

The Sumo Logic App for GitHub ingests GitHub events via a webhook. Sumo Logic ingests all events, but only uses the following events in the dashboards:

  • Fork
  • Issues
  • Membership
  • Public
  • Pull
  • Pull_request
  • Push
  • Repository
  • Team_add

For more information about GitHub events, refer to the GitHub documentation.

Log Types

The Sumo Logic App for GitHub gathers statistics and events from the GitHub Remote API on each host.

For an introduction to GitHub Events, see: A Beginner's Guide to GitHub Events.

First, configure a collector and source in Sumo Logic, then configure a GitHub Webhook using the HTTP Source Address created in Sumo Logic.

Configure a Collector

Configure a Hosted Collector.

Configure a Source

  1. Add an HTTP Source.
  2. Configure the Source fields:
    1. Name. (Required) Enter a name for the source.
    2. Description. (Optional)
    3. Source Host. Sumo Logic uses the hostname assigned by the OS unless you enter a different host name.
    4. Source Category. Enter any string to tag the output collected from this source, such as GitHub. (The Source Category metadata field is a fundamental building block to organize and label sources. For details see Best Practices.)
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. Select Extract timestamp information from log file entries.
    2. Time Zone. Use the time zone from the log file.
    3. Timestamp Format. The timestamp format is automatically detected.
    4. Enable Multiline Processing. Select Detect messages spanning multiple lines and Infer Boundaries - Detect message boundaries automatically.
  4. Click Save.
  5. Save the HTTP Source Address. You will need this to configure the GitHub Webhook.

Configure a GitHub Webhook

In GitHub, configure a webhook to connect to your Sumo Logic HTTP Source. You can configure the webhook at the Organization or Repository level. Once configured, it is triggered each time one or more of the subscribed events occur in that Organization or Repository.

You can create up to 20 webhooks for each event on each specific organization or repository.

To configure a GitHub Webhook

  1. Sign in to your GitHub account.
  2. Go to your Organization.
  3. Go to Settings > Webhooks.
  4. Click Add webhook. The Add webhook form appears.
  5. Enter webhook form data as follows:
    1. Payload URL. Enter the Sumo Logic HTTP Source Address.
    2. Content type. Select application/json.
    3. Secret. Leave blank.
    4. Which events would you like to trigger this webhook? Select Send me everything.
    5. Active. Check the box.
  6. Click Add webhook.

Sample Log Messages

GitHub sends the full payload for each event; the fields are documented per event type in the GitHub documentation. The following is a truncated issues event payload:

{
  "action": "opened",
  "issue": {
    "url": "https://api.github.com/repos/octocat/Hello-World/issues/1347",
    "number": 1347,
    ...
  },
  "repository" : {
    "id": 1296269,
    "full_name": "octocat/Hello-World",
    "owner": {
      "login": "octocat",
      "id": 1,
      ...
    },
    ...
  },
  "sender": {
    "login": "octocat",
    "id": 1,
    ...
  }
}

Query Samples

Commits Over Time

"commits" "https://api.github.com/repos"
| json "commits[*].id[*]", "repository.name", "pusher.name" as commit_size, repo_name, user
| where commit_size != "[]"
| replace(commit_size, ",","") as Ccommit_size
| (length(commit_size) - length(Ccommit_size) + 1) as num_commits
| timeslice 1d
| count by _timeslice
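The query above derives num_commits by counting the commas in the serialised commits[*].id array and then counts messages per day. The following Python replays that arithmetic over constructed push payloads (an added example, not code from the Sumo Logic app or this page); the _messagetime field stands in for the receipt time Sumo Logic attaches to each message, and the repository, pusher and commit id values are constructed.

```python
import json
from collections import Counter

# Constructed push-event payloads (not real GitHub data), reduced to the fields the
# "Commits Over Time" query extracts: commits[*].id, repository.name, pusher.name.
# "_messagetime" stands in for the receipt time Sumo Logic attaches to each message.
PUSH_EVENTS = [
    {"_messagetime": "2024-05-01T10:00:00Z", "repository": {"name": "Hello-World"},
     "pusher": {"name": "octocat"}, "commits": [{"id": "a1"}, {"id": "b2"}, {"id": "c3"}]},
    {"_messagetime": "2024-05-01T18:45:00Z", "repository": {"name": "Hello-World"},
     "pusher": {"name": "hubot"}, "commits": []},  # e.g. a branch deletion: no commits
    {"_messagetime": "2024-05-02T09:30:00Z", "repository": {"name": "Hello-World"},
     "pusher": {"name": "octocat"}, "commits": [{"id": "d4"}]},
]


def num_commits(event):
    """Replay the query's arithmetic on one push event.

    The query serialises commits[*].id to a string, strips the commas and adds one
    to the difference in lengths. Returns None for the "[]" case that the query
    discards with `where commit_size != "[]"`; without that filter an empty push
    would be counted as a single commit.
    """
    commit_size = json.dumps([c["id"] for c in event["commits"]], separators=(",", ":"))
    if commit_size == "[]":
        return None
    ccommit_size = commit_size.replace(",", "")
    return len(commit_size) - len(ccommit_size) + 1


def pushes_per_day(events):
    """What `timeslice 1d | count by _timeslice` returns: push events per UTC day."""
    counts = Counter(e["_messagetime"][:10] for e in events if num_commits(e) is not None)
    return dict(counts)


def commits_per_day(events):
    """Sum of num_commits per UTC day, for a chart that should count commits, not pushes."""
    counts = Counter()
    for e in events:
        n = num_commits(e)
        if n is not None:
            counts[e["_messagetime"][:10]] += n
    return dict(counts)


if __name__ == "__main__":
    print("pushes per day :", pushes_per_day(PUSH_EVENTS))
    print("commits per day:", commits_per_day(PUSH_EVENTS))
```

Note that the query's final `count by _timeslice` counts push messages per day, not commits; commits_per_day shows the aggregation to use if the chart is meant to show commit volume.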

Members Added or Removed

| json "action", "scope", "member.login", "member.id", "member.type", "team.name", "team.permission", "organization.login" as action, scope, member_name, member_id, member_type, team_name, team_permission, org_login
| count by member_id, action, team_name, org_login, member_name, team_permission
| order by action, member_id
| fields member_name, action, team_name, org_login, team_permission

Total Number of Open Issues

| json "action", "issue.id", "issue.number", "issue.title" , "issue.state", "issue.created_at", "issue.updated_at", "issue.closed_at", "issue.body", "issue.user.login", "issue.url", "repository.name", "repository.open_issues_count" as axn, issue_ID, issue_num, issue_title, state, createdAt, updatedAt, closedAt, body, user, url, repo_name, repoOpenIssueCnt
| withtime repoOpenIssueCnt
| most_recent (repoopenissuecnt_withtime) as number_issues by repo_name
| number (number_issues)