github

New in version 4.3.0.

Note

This module only works on Windows, Linux and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.

XML section name

<github>
</github>

Configuration options of the GitHub module.

Options

Options

Allowed values

enabled

yes, no

only_future_events

yes, no

interval

A positive number + suffix

time_delay

A positive number + suffix

curl_max_size

A positive number + suffix

api_auth

N/A

api_auth\org_name

Any string

api_auth\api_token

Any string

api_parameters

N/A

api_parameters\event_type

web, git, all

enabled

Enabled the GitHub wodle.

Default value

yes

Allowed values

yes, no

only_future_events

Set it to yes to collect events generated since the Wazuh manager was started.

By default, when Wazuh starts it will only read all log content from GitHub since the manager started.

Default value

yes

Allowed values

yes, no

interval

The interval between Wazuh wodle executions.

Note

When Wazuh starts, it waits for the configured time interval before running the first scan, unless the module has already been running before and the only_future_events option is set to no.

Default value

10m

Allowed values

A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)

time_delay

Specifies the delay time of the scan respect to the current time, by default it is 1 second.

Default value

1s

Allowed values

A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)

curl_max_size

Specifies the maximum size allowed for the GitHub API response.

Default value

1M

Allowed values

A positive number that should contain a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes).

api_auth

This block configures the credential for the authentication with the GitHub REST API.

Warning

In case of invalid configuration, after the third scan attempt, a warning message is generated in the log file and an alert is triggered.

Options

Allowed values

api_auth\org_name

Any string

api_auth\api_token

Any string

api_auth\org_name

Name of your organization in GitHub.

Default value

N/A

Allowed values

Any string

api_auth\api_token

Personal access token to authenticate with the GitHub API.

Default value

N/A

Allowed values

Any string

Note

This block can be repeated to give the possibility to connect with more than one organization on GitHub.

api_parameters

This block configures the internal options in the GitHub REST API.

Options

Allowed values

api_parameters\event_type

Any string

api_parameters\event_type

The event types to include:

  • web: returns web (non-Git) events.

  • git: returns Git events.

  • all: returns both web and Git events.

Default value

all

Allowed values

web, git, all

Example of configuration

<github>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <time_delay>1s</time_delay>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <org_name>dummy</org_name>
        <api_token>ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg</api_token>
    </api_auth>
    <api_parameters>
        <event_type>all</event_type>
    </api_parameters>
</github>

Example of multiple organizations

<github>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <time_delay>10s</time_delay>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>no</only_future_events>
    <api_auth>
        <org_name>dummy1</org_name>
        <api_token>ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg</api_token>
    </api_auth>
    <api_auth>
        <org_name>dummy2</org_name>
        <api_token>ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg</api_token>
    </api_auth>
    <api_parameters>
        <event_type>git</event_type>
    </api_parameters>
</github>