Provide Instructions to Ingest GitLab Logs into Splunk Enterprise

Problem to solve

Users of Splunk Enterprise want the ability to ingest GitLab logs (specifically Audit Logs) into Splunk to analyse them. GitLab offers no official instructions on the best way to do this, nor does it support forwarding events to Splunk's HTTP Event Collector.

Further details

  • This is a proposed first-step to deeper Splunk integration.
  • A proposed second-iteration would be to add support for HTTP event forwarding, rather than log-file monitoring so that SaaS customers can also benefit from this.

Proposal

  • Provide detailed documentation on how to set up Splunk to ingest everything under /log on a self-managed GitLab instance using a Directory data input, which monitors the directory for file changes.
    • SaaS (GitLab.com) will not be supported, since group managers do not have access to the instance's log files.
  • This should be written for a self-hosted Splunk Enterprise instance on a separate machine with direct network access to the self-hosted GitLab instance.
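A starting point for the proposed documentation, added here as an example and not GitLab's or Splunk's own configuration: a monitor input over the GitLab log directory, narrowed to the audit log for the first iteration, with the matching sourcetype parsed as one JSON event per line. The Omnibus log root /var/log/gitlab, the index name and the sourcetype name are assumptions; a Splunk host on a separate machine needs either a Universal Forwarder on the GitLab host or the log directory mounted locally, since a monitor input reads files, not the network.

```ini
# inputs.conf (on the Universal Forwarder running on the GitLab host,
# or on the Splunk instance if /var/log/gitlab is mounted there).
# Assumed Omnibus log root; source installs keep logs under the install's log/ directory.
[monitor:///var/log/gitlab]
disabled = 0
recursive = true
# First iteration: only the audit log. Remove the whitelist to ingest everything under /log.
# The anchored regex also skips rotated copies (audit_json.log.1, *.gz), so old
# events are not re-indexed after logrotate runs.
whitelist = audit_json\.log$
index = gitlab
sourcetype = gitlab:audit_json

# props.conf on the same host: each audit line is a self-contained JSON object
# carrying its own "time" field, so parse it at index time and do not merge lines.
[gitlab:audit_json]
INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = time
SHOULD_LINEMERGE = false
# Fields are already extracted at index time; disable search-time JSON extraction
# so every field does not show up twice.
KV_MODE = none
```

Once events arrive, `index=gitlab sourcetype=gitlab:audit_json` in the Splunk search bar shows the audit fields (author, entity, change) ready for alerting, which is the analysis the issue asks for.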

Who can address the issue

  • Someone with knowledge of Splunk.

Other links/references


Edited by Max Woolf