Fortinet black logo

External Systems Configuration Guide

GitLab API

GitLab API

Integration points

Protocol Information collected Used for
syslog 15 Log files including production.log and application.log – over 130 event types pre-fixed with 'GitLab-' Security and Compliance
API Code commit, Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories, User created, deleted, modified. Security and Compliance

Event Types

In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.

Syslog Integration

Configure GitLab to send syslog to FortiSIEM via UDP on port 514. See here for details.

FortiSIEM will automatically detect GitHLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_access.log,production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for 'GitLab'.

Use cases covered via syslog:

  • Failed and Successful Login
  • Git command execution
  • Git API requests

To test for received GitLab events received via syslog:

  1. Login to FortiSIEM.
  2. Go to ANALYTICS.
  3. Click Edit Filters and Time Range:
    1. Choose Attributes option.
    2. Create Search condition 'Event Type CONTAIN GitLab'.
    3. Select Time Range: Last 1 hour
    4. Click Apply & Run.
  4. See the GitLab events on the GUI.

API Integration

FortiSIEM can also pull logs from GitLab using GitLab API.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for 'GitLab'.

Use cases covered via API:

  • Code commit – note that the current API does not capture committed files.
  • Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories etc
  • User created, deleted, modified

For more details, see here.

Configuring GitLab Server

Create a personal access token to be used for FortiSIEM communication.

  1. Login to your GitLab account.
  2. Go to your Profile settings.
  3. Go to Access tokens.
  4. Choose a name and optionally an expiry date for the token.
  5. Choose the desired scopes: api is required.
  6. Click Create Personal Access Token. Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again.

For more details, see here.

Configuring FortiSIEM for GitLab API

Use the Personal Access Token in Configuring GitLab Server to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New to create a GitLab credential.
  4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:

    Settings

    Description

    NameEnter a name for the credential
    Device Type GitLab GitLab (Vendor = GitLab, Model = Gitlab)
    Access Protocol GitLab API
    Pull Interval The interval in which FortiSIEM will pull events from GitLab. Default is 5 minutes.
    Password ConfigManual
    Account NameEnter an account name.
    Personal Access TokenEnter the token you obtained in Configuring GitLab Server.
    Description Description of the device
  5. Enter an IP range to Credential Association:
    1. Enter the IP of GitLab Server.
    2. Select the credential created in step 4 above.
    3. Click Save.
  6. Select the entry in step 4 above and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.

To test for received GitLab events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the GitLab entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events.

Sample Event

[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":" user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}

GitLab API

Integration points

Protocol Information collected Used for
syslog 15 Log files including production.log and application.log – over 130 event types pre-fixed with 'GitLab-' Security and Compliance
API Code commit, Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories, User created, deleted, modified. Security and Compliance

Event Types

In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.

Syslog Integration

Configure GitLab to send syslog to FortiSIEM via UDP on port 514. See here for details.

FortiSIEM will automatically detect GitHLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_access.log,production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for 'GitLab'.

Use cases covered via syslog:

  • Failed and Successful Login
  • Git command execution
  • Git API requests

To test for received GitLab events received via syslog:

  1. Login to FortiSIEM.
  2. Go to ANALYTICS.
  3. Click Edit Filters and Time Range:
    1. Choose Attributes option.
    2. Create Search condition 'Event Type CONTAIN GitLab'.
    3. Select Time Range: Last 1 hour
    4. Click Apply & Run.
  4. See the GitLab events on the GUI.

API Integration

FortiSIEM can also pull logs from GitLab using GitLab API.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for 'GitLab'.

Use cases covered via API:

  • Code commit – note that the current API does not capture committed files.
  • Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories etc
  • User created, deleted, modified

For more details, see here.

Configuring GitLab Server

Create a personal access token to be used for FortiSIEM communication.

  1. Login to your GitLab account.
  2. Go to your Profile settings.
  3. Go to Access tokens.
  4. Choose a name and optionally an expiry date for the token.
  5. Choose the desired scopes: api is required.
  6. Click Create Personal Access Token. Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again.

For more details, see here.

Configuring FortiSIEM for GitLab API

Use the Personal Access Token in Configuring GitLab Server to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New to create a GitLab credential.
  4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:

    Settings

    Description

    NameEnter a name for the credential
    Device Type GitLab GitLab (Vendor = GitLab, Model = Gitlab)
    Access Protocol GitLab API
    Pull Interval The interval in which FortiSIEM will pull events from GitLab. Default is 5 minutes.
    Password ConfigManual
    Account NameEnter an account name.
    Personal Access TokenEnter the token you obtained in Configuring GitLab Server.
    Description Description of the device
  5. Enter an IP range to Credential Association:
    1. Enter the IP of GitLab Server.
    2. Select the credential created in step 4 above.
    3. Click Save.
  6. Select the entry in step 4 above and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.

To test for received GitLab events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the GitLab entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events.

Sample Event

[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":" user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}