Sending GitHub Enterprise Logs to Google SecOps – Webhooks vs. Audit Log Streaming

[Zorghost]

Select Topic Area

Question

Body

Hello,

I want to send logs from GitHub Enterprise to Google SecOps. The events I’m focusing on are Security and Audit events.
I found that GitHub Enterprise allows setting up webhooks, which seems like a straightforward way to ingest logs.

Before proceeding, I’d like to clarify a few points:

1. What is the difference between webhooks and audit log streaming?
2. If I want to send both security and audit logs, are webhooks a viable option?
3. Should I set up an enterprise-level or organization-level webhook for this use case?

Any insights or guidance would be greatly appreciated!

[queenofcorgis]

👋🏼 @Zorghost thank you for posting!

Audit log streaming is gonna be the way to go. You will want to stream it into a storage bucket, then consume that in Google SecOps.

1. Webhooks don’t have all the events that are in the audit log. Webhooks are also not guaranteed so it’s possible to lose events.
2. No. As mentioned, webhooks don’t have all the events.
3. At the recommendation of one of our technical experts, they would use the Audit log streaming at the enterpriselevel to get the best visibility across the entire environment.