GitHub Enterprise

Configure GitHub Enterprise audit log streaming to forward audit and Git events to Radiant Security via Amazon S3.

In this guide, you will configure GitHub Enterprise audit log streaming to forward audit and Git events to Radiant Security via Amazon S3. GitHub Enterprise's audit log records security-relevant activity across your enterprise, including sign-ins, repository actions, organization and team changes, branch protection changes, and OAuth and personal access token activity, and can stream these events to an S3 bucket in near-real time. This integration covers both GitHub Enterprise Cloud and GitHub Enterprise Server.

Prerequisites

AWS account with permissions to create or modify S3 buckets, SNS topics, and IAM policies
Owner (enterprise administrator) access to GitHub Enterprise
An S3 bucket where GitHub will store logs (follow this AWS guide to create one: Create an S3 bucket)
One of the following authentication methods for GitHub to write to your bucket:
- OpenID Connect (recommended). An IAM role and an IAM identity provider for GitHub's audit-log OIDC issuer. No long-lived credentials are stored on GitHub
- Access keys. An IAM user with an Access Key ID and Secret Access Key that has s3:PutObject permission on the bucket

Configure GitHub Enterprise

Prepare the AWS side

Ensure that you have your S3 bucket information at hand. Block all public access on the bucket. GitHub writes audit log files into your bucket as gzipped JSON-line files with the extension .json.log.gz. Radiant decompresses these on ingestion.

For full vendor instructions, refer to GitHub's documentation on Streaming the audit log for your enterprise.

Choose one of the following authentication methods.

In the AWS IAM console, create a new OpenID Connect identity provider with the following values:
- Provider URL: https://oidc-configuration.audit-log.githubusercontent.com
- Audience: sts.amazonaws.com
Create an IAM role that trusts the OIDC provider you just created, scoped to your GitHub enterprise. Use the trust policy template provided in GitHub's documentation.
Attach a policy to the role that allows s3:PutObject on your bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGitHubAuditLogPutObject",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
    }
  ]
}

Replace <YOUR_BUCKET_NAME> with the bucket you created. Save the Role ARN. You will need it when configuring GitHub.

Create an IAM user dedicated to this integration (for example, github-audit-log-streaming).
Attach a policy to the user that allows s3:PutObject on your bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGitHubAuditLogPutObject",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
    }
  ]
}

Replace <YOUR_BUCKET_NAME> with the bucket you created.
Generate an Access Key ID and Secret Access Key for the user. Store both securely. You will need them when configuring GitHub.

Configure audit log streaming in GitHub

For detailed vendor instructions, refer to Streaming the audit log for your enterprise.

Sign in to GitHub as an enterprise owner and navigate to your enterprise.
On the top menu bar, click Settings.
In the left sidebar, click Audit log, then click Log streaming.
Click Configure stream and select Amazon S3.
Configure the connection:
- Bucket: your S3 bucket name (for example, radiant-github-audit-logs)
- Region: the AWS region where your bucket is located
- Authentication:
  - If using OpenID Connect, select OpenID Connect and enter the Role ARN from Step 1.
  - If using access keys, select Access keys and enter the Access Key ID and Secret Access Key from Step 1.
Click Check endpoint to verify GitHub can connect and write to the bucket.
Once the check succeeds, click Save.

Confirm logs are arriving

Wait a few minutes, then open your S3 bucket. You should see GitHub-written objects with names ending in .json.log.gz accumulating in your bucket.

If no objects appear within approximately 10 minutes, return to Audit log > Log streaming in GitHub and re-run Check endpoint.

Note your configuration details

Save the following information. You will need it for the next steps.

S3 bucket name
S3 bucket path or prefix (for GitHub Enterprise this is typically the bucket root, unless you scoped the role to a sub-prefix)
AWS region where your bucket is located

Configure S3 and add the data connector in Radiant Security

Now that GitHub is writing audit logs to your S3 bucket, complete the setup by following the Configure Amazon S3 to forward logs to Radiant Security guide. That guide walks through:

Configuring the bucket policy and creating an SNS topic.
Adding the Amazon Web Services S3 data connector in Radiant Security.
Configuring S3 event notifications so new objects trigger ingestion.

When working through that guide, use the following GitHub-specific values:

Data feed: select GitHub Enterprise.
Expected file extension: .json.log.gz. Logs written by GitHub already match this format.
Event notification prefix: match the location where GitHub is writing in your bucket. For most GitHub Enterprise configurations this is the bucket root, unless you scoped the IAM role or access key to a sub-prefix.

Verify ingestion

After GitHub Enterprise begins forwarding, confirm events are reaching Radiant.

In Radiant, navigate to Log Management.
Filter by rs_connectorType:"github_enterprise".
Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.

PreviousGoogle Cloud Security Command Center (SCC)NextGoogle Workspace

Last updated 18 days ago

Was this helpful?