External Systems Configuration Guide

GitLab API

Integration Points

Protocol: syslog
Information collected: 15 log files including production.log and application.log; over 130 event types prefixed with 'GitLab-'
Used For: Security and Compliance

Protocol: API
Information collected: Code commit; changes to Projects, Branches, Tag, DiscussionNoted, Issues, Snippets, Repositories; User created, deleted, modified
Used For: Security and Compliance

Event Types

In RESOURCES > Event Types, enter "GitLab" in the main content panel Search... field to see the events associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "GitLab" in the main content panel Search... field to see the reports associated with this device.

Syslog Integration

In FortiSIEM 7.x, there are two methods to send GitLab syslogs. Of the two methods, Fortinet recommends sending syslog via rsyslog forwarding.

Syslog via Rsyslog Forwarding

To use rsyslog to collect and send GitLab logs via syslog, take the following steps:
Note: For detailed information on GitLab logs, see https://docs.gitlab.com/ee/administration/logs/.

  1. Locate where your GitLab installation is writing log files, such as error or access logs. The typical location is provided here:

    /var/log/gitlab/gitlab-rails/

    /home/git/gitlab/log/

  2. Locate the rsyslog.conf file on your GitLab server. The typical location is provided here:

    /etc/rsyslog.conf

  3. Add the imfile module to your rsyslog.conf file in the modules section.

    module(load="imfile" PollingInterval="10")

  4. Insert the following lines for GitLab logs in your rsyslog.conf file.

    input(type="imfile" File="/path/to/application_json.log"
    Tag=" GitLab_Application:"
    Severity="info"
    Facility="local6")
    

    Notes:

    • The Tag= line is critical: this string is matched in the FortiSIEM parser, so do NOT modify it from the example above.

    • The Tag= line is case sensitive.

    • In addition to application_json.log in this step, you can also add the following suggested log files

      • production_json.log
      • api_json.log
      • git_json.log
      • Integrations_json.log
      • audit_json.log
      • gitlab-shell.log
      • auth_json.log
      • exceptions_json.log

      by inserting the following lines for each additional log you wish to add.

      input(type="imfile" File="/path/to/<suggested_log>"
      Tag=" <log type>:"
      Severity="info"
      Facility="local6")

      The Severity and Facility values must stay the same as in the application_json.log input so that the local6.* rule in the next step forwards these logs too.

      Example: To add git_json.log, you would add the following input:

      input(type="imfile" File="/path/to/git_json.log"
      Tag=" GitLab_GitRepo:"
      Severity="info"
      Facility="local6")

  5. Place the following in the rules section in your rsyslog.conf file.

    local6.* @<FortiSIEM collector IP or hostname>:514

    Note: Replace <FortiSIEM collector IP or hostname> with the IP address or hostname of your actual FortiSIEM collector.

  6. Restart rsyslog by running the following command.

    systemctl restart rsyslog

  7. Confirm that logs are arriving. Ensure that your firewall(s) allow UDP 514 inbound to the FortiSIEM collector IP.

Example Log
<13>Feb 21 13:07:48 gitlab-test.example.com GitLab_Application: {"severity":"INFO","time":"2024-02-21T21:07:48.922Z","correlation_id":"01HQ6QXZPDZARVY2F2TJCHNJC1","meta.caller_id":"PipelineProcessWorker","meta.remote_ip":"192.0.2.0","meta.feature_category":"continuous_integration","meta.root_namespace":"devops","meta.client_id":"client/1122","meta.root_caller_id":"POST /api/:version/jobs/request","message":"Enqueuing hooks for Pipeline 772217: running","class":"Ci::Pipeline","pipeline_id":772217,"project_id":2642,"pipeline_status":"running"}

How It Works: The tag string in the example log (GitLab_Application:, immediately after the hostname) matches the Tag= definition in the rsyslog.conf file. This unique string is matched by the FortiSIEM GitLabLogParser.
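To check a capture taken on the collector side before assuming the parser is at fault, the following added example (not Fortinet's or GitLab's code) splits a syslog line into PRI, hostname, tag and JSON payload and applies the same exact, case-sensitive tag match the guide describes; KNOWN_TAGS holds the two tags shown on this page and is assumed to be extended with any other Tag= values you configured.

```python
import json
import re

# Added example, not Fortinet's or GitLab's code. Tags are the two the guide
# shows; extend KNOWN_TAGS with any other Tag= values you configured (assumed).
KNOWN_TAGS = {"GitLab_Application:", "GitLab_GitRepo:"}

# rsyslog's default BSD-style line: <PRI>Mon DD HH:MM:SS host TAG payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<payload>\{.*\})$"
)

def parse_gitlab_syslog(line):
    """Return the decoded event, or None when the tag match would fail."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    tag = m.group("tag")
    if tag not in KNOWN_TAGS:  # exact, case-sensitive, like the parser
        return None
    try:
        body = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    pri = int(m.group("pri"))
    return {"host": m.group("host"), "tag": tag,
            "facility": pri >> 3, "severity": pri & 7, "body": body}

def triage(lines):
    """Split a capture into accepted events and rejected raw lines."""
    pairs = [(ln, parse_gitlab_syslog(ln)) for ln in lines]
    return ([ev for _, ev in pairs if ev], [ln for ln, ev in pairs if not ev])

# The guide's own example line (abridged), then two constructed lines:
# one with the tag in the wrong case, one whose payload is not valid JSON.
EXAMPLE_LINE = (
    '<13>Feb 21 13:07:48 gitlab-test.example.com GitLab_Application: '
    '{"severity":"INFO","time":"2024-02-21T21:07:48.922Z",'
    '"correlation_id":"01HQ6QXZPDZARVY2F2TJCHNJC1",'
    '"message":"Enqueuing hooks for Pipeline 772217: running",'
    '"class":"Ci::Pipeline","pipeline_id":772217,"project_id":2642,'
    '"pipeline_status":"running"}'
)
SAMPLE_LINES = [
    EXAMPLE_LINE,
    '<13>Feb 21 13:07:49 gitlab-test.example.com gitlab_application: {"severity":"INFO"}',
    '<13>Feb 21 13:07:50 gitlab-test.example.com GitLab_Application: {not json}',
]
```

Running triage over a file of captured lines shows at once whether a silent drop is caused by a tag edited or lower-cased in rsyslog.conf rather than by the network path.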

Syslog via GitLab remote_syslog

Configure GitLab to send syslog to FortiSIEM via UDP on port 514. See here for details.

FortiSIEM will automatically detect GitLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_access.log, production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for "GitLab".

Use cases covered via syslog:

  • Failed and Successful Login
  • Git command execution
  • Git API requests

To test for GitLab events received via syslog:

  1. Login to FortiSIEM.
  2. Go to ANALYTICS.
  3. Click the Edit Filters and Time Range... field:
    1. Choose the Event Attribute option.
    2. Create the search condition:
      Attribute: Event Type
      Operator: CONTAIN
      Value: GitLab
    3. Change Time Range to Last 1 Hour.
    4. Click Apply & Run.
  4. See the GitLab events on the GUI.

API Integration

FortiSIEM can also pull logs from GitLab using GitLab API.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for "GitLab".

Use cases covered via API:

  • Code commit – note that the current API does not capture committed files.
  • Changes to Projects, Branches, Tag, DiscussionNoted, Issues, Snippets, Repositories, etc.
  • User created, deleted, modified

For more details, see here.

Configuring GitLab Server

Create a personal access token to be used for FortiSIEM communication.

  1. Login to your GitLab account.
  2. Go to your Profile settings.
  3. Go to Access tokens.
  4. Choose a name and optionally an expiry date for the token.
  5. Choose the desired scopes: api is required.
  6. Click Create Personal Access Token. Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again.

For more details, see here.

Configuring FortiSIEM for GitLab API

Use the Personal Access Token created in Configuring GitLab Server to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credentials.
  3. In Step 1: Enter Credentials, click New to create a GitLab credential.
  4. Enter these settings in the Access Method Definition dialog box:

    Settings and their descriptions:

    Name: Enter a name for the credential.
    Device Type: GitLab (Vendor = GitLab, Model = Gitlab)
    Access Protocol: GitLab API
    Pull Interval: The interval at which FortiSIEM pulls events from GitLab. Default is 5 minutes.
    Password Config: Manual
    Account Name: Enter an account name.
    Personal Access Token: Enter the token you obtained in Configuring GitLab Server.
    Description: Description of the device
  5. In Step 2: Enter IP Range to Credential Associations, click New.
    1. In IP/Host Name, enter the IP of GitLab Server.
    2. Select the Credential created in step 4 above.
    3. Click Save.
  6. Select the entry in step 3 above, click the Test drop-down list and select Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.

To test for received GitLab events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the GitLab entry and click Report.

The system will take you to the ANALYTICS tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events.

Sample Event

[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":" user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"192.0.2.0","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}
