GitLab API
- Integration Points
- Event Types
- Rules
- Reports
- Syslog Integration
- API Integration
- Configuring GitLab Server
- Configuring FortiSIEM for GitLab API
- Sample Event
Integration Points
Protocol | Information collected | Used for |
---|---|---|
syslog | 15 Log files including production.log and application.log – over 130 event types pre-fixed with 'GitLab-' | Security and Compliance |
API | Code commit, Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories, User created, deleted, modified. |
Security and Compliance |
Event Types
In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.
Rules
No defined rules.
Reports
In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.
Syslog Integration
Configure GitLab to send syslog to FortiSIEM via UDP on port 514. See here for details.
FortiSIEM will automatically detect GitHLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_access.log,production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log.
Currently, over 134 GitLab event types are parsed. To see the event types:
- Login to FortiSIEM.
- Go to RESOURCES > Event Types.
- Search for 'GitLab'.
Use cases covered via syslog:
- Failed and Successful Login
- Git command execution
- Git API requests
To test for received GitLab events received via syslog:
- Login to FortiSIEM.
- Go to ANALYTICS.
- Click Edit Filters and Time Range:
- Choose Attributes option.
- Create Search condition 'Event Type CONTAIN GitLab'.
- Select Time Range: Last 1 hour
- Click Apply & Run.
- See the GitLab events on the GUI.
API Integration
FortiSIEM can also pull logs from GitLab using GitLab API.
Currently, over 134 GitLab event types are parsed. To see the event types:
- Login to FortiSIEM.
- Go to RESOURCES > Event Types.
- Search for 'GitLab'.
Use cases covered via API:
- Code commit – note that the current API does not capture committed files.
- Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories etc
- User created, deleted, modified
For more details, see here.
Configuring GitLab Server
Create a personal access token to be used for FortiSIEM communication.
- Login to your GitLab account.
- Go to your Profile settings.
- Go to Access tokens.
- Choose a name and optionally an expiry date for the token.
- Choose the desired scopes: api is required.
- Click Create Personal Access Token. Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again.
For more details, see here.
Configuring FortiSIEM for GitLab API
Use the Personal Access Token in Configuring GitLab Server to enable FortiSIEM access.
- Login to FortiSIEM.
- Go to ADMIN > Setup > Credentials.
- Click New to create a GitLab credential.
- In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:
Settings Description
Name Enter a name for the credential Device Type GitLab GitLab (Vendor = GitLab, Model = Gitlab) Access Protocol GitLab API Pull Interval The interval in which FortiSIEM will pull events from GitLab. Default is 5 minutes. Password Config Manual Account Name Enter an account name. Personal Access Token Enter the token you obtained in Configuring GitLab Server. Description Description of the device - Enter an IP range to Credential Association:
- Enter the IP of GitLab Server.
- Select the credential created in step 4 above.
- Click Save.
- Select the entry in step 4 above and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.
To test for received GitLab events:
- Go to ADMIN > Setup > Pull Events.
- Select the GitLab entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events.
Sample Event
[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":" user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}