Closed derkkila-splunk closed 3 years ago
There is a slight delay between when the audit event is created and when it gets streamed. Created a new sourcetype github_audit that uses the @timestamp field for establishing the Splunk event timestamp. Otherwise, streamed logs work exactly the same as TA-fetched ones.
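As an added illustration of the timestamp point in the closing comment (not code from the issue, the add-on, or GitHub), the snippet below reads the event time of a streamed audit event from its `@timestamp` field and measures the lag between that time and when the collector received the event. The sample event is constructed, and it assumes `@timestamp` and `created_at` are epoch milliseconds as in the GitHub audit log API; the fallback order and the helper names are this example's own choices.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a streamed GitHub audit event (not a real capture).
# Assumption: "@timestamp" and "created_at" are epoch milliseconds.
SAMPLE_EVENT = json.dumps({
    "action": "repo.create",
    "actor": "example-user",
    "org": "example-org",
    "repo": "example-org/example-repo",
    "created_at": 1700000000000,
    "@timestamp": 1700000000000,
})


def event_time(raw_event: str) -> datetime:
    """Return the event's own time as an aware UTC datetime.

    Prefers "@timestamp" (the field the github_audit sourcetype keys on),
    falls back to "created_at", and raises when neither is present so a
    missing timestamp is noticed instead of silently becoming ingest time.
    """
    event = json.loads(raw_event)
    for field in ("@timestamp", "created_at"):
        value = event.get(field)
        if isinstance(value, (int, float)):
            return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    raise ValueError("event carries no usable timestamp field")


def ingest_delay_seconds(raw_event: str, received_at: datetime) -> float:
    """Seconds between the event's own time and when the collector got it.

    A consistently large value here is the streaming delay the comment
    describes; using "@timestamp" rather than receive time keeps the
    Splunk _time aligned with the TA-fetched events.
    """
    return (received_at - event_time(raw_event)).total_seconds()


if __name__ == "__main__":
    received = datetime(2023, 11, 14, 22, 14, 20, tzinfo=timezone.utc)
    print(event_time(SAMPLE_EVENT).isoformat())
    print(ingest_delay_seconds(SAMPLE_EVENT, received))
```

The same check can be expressed in Splunk with a search over the `github_audit` sourcetype comparing `_time` with `_indextime` to confirm the delay is only the streaming lag and not a parsing problem.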
Is your feature request related to a problem? Please describe.
With GitHub adding Audit log streaming as a service, please make sure that those events will work alongside audit log events collected via the GitHub Audit Log Monitoring Add-On for Splunk or via syslog forwarding from GitHub Enterprise Server.

Describe the solution you'd like
Streamed audit logs appear in the Audit dashboards

Describe alternatives you've considered
n/a

Additional context
n/a