Merge branch 'main' into leftrightleft-docs-fix

Author: leftrightleft

README.md

@@ -8,8 +8,8 @@ The GitHub App for Splunk is designed to work with the following data sources:
 
 * [GitHub Audit Log Monitoring Add-On For Splunk](./docs/ghe_audit_logs.MD): Audit logs from GitHub Enterprise Cloud.
 * [Github.com Webhooks](./docs/github_webhooks.MD): A select set of webhook events like Push, PullRequest, and Repo.
-* [GitHub Enterprise Server Syslog Forwarder](https://docs.github.com/en/enterprise-server/admin/user-management/monitoring-activity-in-your-enterprise/log-forwarding): Audit and Application logs from GitHub Enterprise Server.
-* [GitHub Enterprise Collectd monitoring](./docs/splunk_collectd_forwarding_for_ghes.MD): Performance and Infrastructure metrics from GitHub Enterprise Server.
+* [Github Enterprise Server Syslog Forwarder](./docs/ghes_syslog_setup.MD): Audit and Application logs from Github Enterprise Server.
+* [Github Enterprise Collectd monitoring](./docs/splunk_collectd_forwarding_for_ghes.MD): Performance and Infrastructure metrics from Github Enterprise Server.
 
 ## Dashboard Instructions
 
@@ -18,7 +18,7 @@ The GitHub App for Splunk is designed to work with the following data sources:
 The GitHub App for Splunk is available for download from [Splunkbase](https://splunkbase.splunk.com/app/5596/). For Splunk Cloud, refer to [Install apps in your Splunk Cloud deployment](https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/SelfServiceAppInstall). For non-Splunk Cloud deployments, refer to the standard methods for Splunk Add-on installs as documented for a [Single Server Install](http://docs.splunk.com/Documentation/AddOns/latest/Overview/Singleserverinstall) or a [Distributed Environment Install](http://docs.splunk.com/Documentation/AddOns/latest/Overview/Distributedinstall).
 
 **This app should be installed on both your search head tier as well as your indexer tier.**
- 
+
 ### Configuration
 
 ![Settings>Advanced Search>Search macros](./docs/images/macros.png)

docs/ghes_syslog_setup.MD

@@ -0,0 +1,25 @@
+# Sending GitHub Enterprise Server Logs to Splunk
+
+GitHub Enterprise Server comes with syslog-ng built in to send data to platforms like Splunk: https://docs.github.com/en/enterprise-server@3.3/admin/user-management/monitoring-activity-in-your-enterprise/log-forwarding. Following those directions will allow you to easily onboard logs to Splunk. However, The GitHub App for Splunk comes with enhancements for those logs that will allow you to search more efficently.
+
+## Sources and Transformations
+
+ The syslog feed from GitHub Enterprise Server contains ALL application logs including audit logs, web server logs, database logs, etc. Being able to differentiate the logs is critical. This app includes the ability to overwrite the source of events with the log type out of the box. However, for this to happen, you must use the sourcetype of `GithubEnterpriseServerLog` or duplicate that stanza from the default `props.conf` file into a custom stanza in your local copy. When setting up a TCP input you have the ability to force that specific sourcetype. This will enable easy filtering of log files to their specific process.
+
+## Default `props.conf`
+
+```
+[GithubEnterpriseServerLog]
+DATETIME_CONFIG =
+LINE_BREAKER = ([\r\n]+)
+NO_BINARY_CHECK = true
+category = Application
+pulldown_type = true
+TIME_FORMAT =
+TZ =
+EXTRACT-audit_event = github_audit\[\d+\]\:\s(?<audit_event>.*)
+EXTRACT-audit_fields = \"(?<_KEY_1>.*?)\"\:\"*(?<_VAL_1>.*?)\"*,
+EXTRACT-github_log_type = \d+\:\d+\:\d+\s\d+\-\d+\-\d+\-\d+\s(?<github_log_type>.*?)\:
+EXTRACT-github_document_id = \"_document_id\"\:\"(?<document_id>.*?)\"
+FIELDALIAS-source = github_log_type AS source
+```