GitLab Content Pack
GitLab is a complete DevOps platform offering Git-based source code management, CI/CD automation, security scanning, and project collaboration. This technology pack processes GitLab logs, providing normalization and enrichment of common events of interest.
Supported Versions
- GitLab version 17.9 and later
Requirements
- Graylog server with a valid Enterprise license running version 6.1.3 or later
- GitLab version 17.9 or later
- Raw HTTP input configured in Graylog for audit event streaming
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:GitLab Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "GitLab Event Log Messages"
Log Collection and Delivery
GitLab audit events are delivered to Graylog via HTTP audit event streaming. A Raw HTTP input must be configured in Graylog, and GitLab must be configured to stream audit events to that input. For on-premises installations, Filebeat can additionally be used to ship GitLab's JSON log files (for example production_json.log, api_json.log and audit_json.log in an Omnibus installation), which is how the API/production and Sidekiq events covered by this pack reach Graylog.
Raw HTTP Input Setup
Configure GitLab audit event streaming to Graylog:
- Create a global Raw HTTP input in Graylog
- Add the static field 'event_source_product' with the value 'GitLab-web' to that input
- In GitLab, add an HTTP destination for audit event streaming whose URL points at the Graylog input
- Configure input routing in the Illuminate Customization tab so the input's messages reach the "Illuminate:GitLab Messages" stream
What is Provided
- Parsing rules to extract GitLab logs into Graylog schema compatible fields
- Graylog Information Model message categorization
- GIM enforcement fields populated for IAM, HTTP, and detection events (service_name, application_name, event_outcome, event_action, source_reference, destination_reference)
- Dashboards for GitLab event visualization
GIM Categorization
GIM categorization is provided for the following event types:
| Event Type | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|
| authenticated_with_* | 100000 | authentication | authentication.logon | logon |
| authenticated_with_two_factor, authenticated_with_webauthn | 100502 | authentication | authentication.credential validation | mfa |
| login_failed_with_* | 100000 | authentication | authentication.logon | logon |
| member_created, user_created, *_token_created (success only), deploy_key_added | 110000 | iam | iam.object create | account created |
| group_created | 110002 | iam | iam.object create | group created |
| member_destroyed, user_destroyed, *_token_revoked, deploy_key_removed | 110500 | iam | iam.object delete | account deleted |
| group_destroyed | 110501 | iam | iam.object delete | group deleted |
| member_updated, user_*_updated | 111000 | iam | iam.object modify | account modified |
| custom_admin_role_assigned_to_user, *_link_created | 111001 | iam | iam.object modify | privileges assigned |
| custom_admin_role_unassigned_from_user, *_link_removed | 111002 | iam | iam.object modify | privileges removed |
| password_reset_*, user_password_updated | 111004 | iam | iam.object modify | password change |
| group_saml_member_added | 111007 | iam | iam.object modify | group member added |
| ban_user, user_blocked, user_deactivate | 111501 | iam | iam.object disable | account disabled |
| unban_user, unblock_user, user_activate, user_approved | 112001 | iam | iam.object enable | account enabled |
| API/Production logs | 180200 | http | http.communication | http communication |
| security_policy_create/delete/update | 220500 | audit | audit.policy | audit policy changed |
| Vulnerability webhooks, security_policy_violations_detected | 300000 | detection | detection.network_detection | ids_detection |
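The table above mixes literal event types, glob patterns (authenticated_with_*, user_*_updated) and one conditional row (*_token_created is categorized only when the event succeeded), so the match order matters: authenticated_with_two_factor must win over authenticated_with_*, and user_password_updated over user_*_updated. The following Python is an added example, not the pack's own pipeline rules, that reproduces the table as ordered matching logic and runs it over a few constructed GitLab JSON events; the sample events, the treatment of a missing $.success as success, and the returning of None for an uncategorized event are assumptions made here.

```python
import fnmatch
import json

# GIM tuples: (gim_event_type_code, gim_event_category, gim_event_subcategory, gim_event_type)
LOGON = ("100000", "authentication", "authentication.logon", "logon")
MFA = ("100502", "authentication", "authentication.credential validation", "mfa")
ACCOUNT_CREATED = ("110000", "iam", "iam.object create", "account created")
GROUP_CREATED = ("110002", "iam", "iam.object create", "group created")
ACCOUNT_DELETED = ("110500", "iam", "iam.object delete", "account deleted")
GROUP_DELETED = ("110501", "iam", "iam.object delete", "group deleted")
ACCOUNT_MODIFIED = ("111000", "iam", "iam.object modify", "account modified")
PRIVS_ASSIGNED = ("111001", "iam", "iam.object modify", "privileges assigned")
PRIVS_REMOVED = ("111002", "iam", "iam.object modify", "privileges removed")
PASSWORD_CHANGE = ("111004", "iam", "iam.object modify", "password change")
GROUP_MEMBER_ADDED = ("111007", "iam", "iam.object modify", "group member added")
ACCOUNT_DISABLED = ("111501", "iam", "iam.object disable", "account disabled")
ACCOUNT_ENABLED = ("112001", "iam", "iam.object enable", "account enabled")
HTTP_COMM = ("180200", "http", "http.communication", "http communication")
POLICY_CHANGED = ("220500", "audit", "audit.policy", "audit policy changed")
IDS_DETECTION = ("300000", "detection", "detection.network_detection", "ids_detection")

# Literal event_type names are checked before any glob, so the MFA rows beat
# authenticated_with_* and user_password_updated beats user_*_updated.
EXACT = {
    "authenticated_with_two_factor": MFA, "authenticated_with_webauthn": MFA,
    "member_created": ACCOUNT_CREATED, "user_created": ACCOUNT_CREATED, "deploy_key_added": ACCOUNT_CREATED,
    "group_created": GROUP_CREATED,
    "member_destroyed": ACCOUNT_DELETED, "user_destroyed": ACCOUNT_DELETED, "deploy_key_removed": ACCOUNT_DELETED,
    "group_destroyed": GROUP_DELETED,
    "member_updated": ACCOUNT_MODIFIED,
    "custom_admin_role_assigned_to_user": PRIVS_ASSIGNED,
    "custom_admin_role_unassigned_from_user": PRIVS_REMOVED,
    "user_password_updated": PASSWORD_CHANGE,
    "group_saml_member_added": GROUP_MEMBER_ADDED,
    "ban_user": ACCOUNT_DISABLED, "user_blocked": ACCOUNT_DISABLED, "user_deactivate": ACCOUNT_DISABLED,
    "unban_user": ACCOUNT_ENABLED, "unblock_user": ACCOUNT_ENABLED,
    "user_activate": ACCOUNT_ENABLED, "user_approved": ACCOUNT_ENABLED,
    "security_policy_create": POLICY_CHANGED, "security_policy_delete": POLICY_CHANGED,
    "security_policy_update": POLICY_CHANGED,
    "security_policy_violations_detected": IDS_DETECTION,
}

# (glob, success_only, gim) evaluated in this order after the exact table.
WILDCARD = [
    ("authenticated_with_*", False, LOGON),
    ("login_failed_with_*", False, LOGON),
    ("*_token_created", True, ACCOUNT_CREATED),   # "(success only)" row in the table
    ("*_token_revoked", False, ACCOUNT_DELETED),
    ("user_*_updated", False, ACCOUNT_MODIFIED),
    ("*_link_created", False, PRIVS_ASSIGNED),
    ("*_link_removed", False, PRIVS_REMOVED),
    ("password_reset_*", False, PASSWORD_CHANGE),
]


def is_success(event):
    """$.success is a JSON bool in streamed audit events; tolerate the string form too.
    A missing $.success is treated as success here (assumption, not pack behaviour)."""
    value = event.get("success", True)
    if isinstance(value, str):
        return value.lower() == "true"
    return bool(value)


def categorize(event):
    """Return the GIM tuple for one parsed GitLab JSON event, or None if uncategorized."""
    event_type = event.get("event_type")
    if event_type:
        if event_type in EXACT:
            return EXACT[event_type]
        for pattern, success_only, gim in WILDCARD:
            if fnmatch.fnmatchcase(event_type, pattern):
                if success_only and not is_success(event):
                    return None   # failed token creation is not an "account created"
                return gim
        return None
    if event.get("object_kind") == "vulnerability":      # vulnerability webhook row
        return IDS_DETECTION
    if "method" in event and "status" in event:          # API/production log row
        return HTTP_COMM
    return None


def categorize_lines(lines):
    return [categorize(json.loads(line)) for line in lines]


# Constructed sample events for this example; not captured from a real instance.
SAMPLE_EVENTS = [
    '{"event_type":"authenticated_with_two_factor","author_id":1,"author_name":"Administrator","success":true}',
    '{"event_type":"authenticated_with_password","author_id":1,"success":true}',
    '{"event_type":"user_password_updated","author_id":1,"target_id":1,"success":true}',
    '{"event_type":"personal_access_token_created","author_id":7,"success":false}',
    '{"event_type":"personal_access_token_created","author_id":7,"success":true}',
    '{"method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"10.2.3.2"}',
    '{"object_kind":"vulnerability","object_attributes":{"title":"REXML DoS vulnerability","severity":"critical"}}',
]

if __name__ == "__main__":
    for line, gim in zip(SAMPLE_EVENTS, categorize_lines(SAMPLE_EVENTS)):
        print(json.loads(line).get("event_type", "<non-audit>"), "->", gim)
```

Running it shows the two-factor logon landing on 100502 while the password logon lands on 100000, and the failed token creation dropping out of the IAM category entirely; that last case is the one to check when tuning alerts on account-creation codes.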
Fields Extracted by This Pack
Parsed Fields
These are the fields extracted and mapped by the GitLab content pack.
| Original Field Name | Field Name | Example Value | Field Type | Description |
|---|---|---|---|---|
| $.action | vendor_event_action | show | string | Native GitLab action |
| $.method | http_request_method | GET | string | HTTP request method |
| $.path | file_path | /api/v4/projects | string | Request path |
| $.url | http_request_path | http://127.0.0.1:8080/api/v4/internal/allowed | string | Full request URL |
| $.status | http_response_code | 200 | long | HTTP response status code |
| $.remote_ip | source_ip | 10.2.3.2 | string | Client source IP address |
| $.time | event_created | 2024-10-29T12:49:42.123Z | string | Event timestamp |
| $.severity | vendor_event_severity | INFO | string | GitLab native severity level |
| $.message | vendor_event_description | User was created | string | Native event description |
| $.username | user_name | admin | string | GitLab username |
| $.user_id | user_id | 1 | string | GitLab user ID |
| $.author_id | user_id | 1 | string | Audit event author ID (fallback for user_id) |
| $.author_name | user_name | Administrator | string | Audit event author name (fallback for user_name) |
| $.correlation_id | vendor_correlation_id | 01GYDSAKAN2SPZPAMJNRWW5H8S | string | Request correlation identifier |
| $.controller | vendor_controller | Projects::IssuesController | string | Rails controller name |
| $.format | vendor_format | html | string | Response format |
| $.ua | http_user_agent | Mozilla/5.0... | string | HTTP user agent string |
| $.pid | process_id | 1234 | string | Process ID |
| $.uid | process_uid | gitlab-www | string | Process user ID |
| $.command | process_command_line | git-upload-pack | string | Git command executed |
| $.host | host_hostname | gitlab.example.com | string | Server hostname |
| $.event_type | vendor_event_type | member_created | string | Audit event type identifier |
| $.entity_type | vendor_entity_type | User | string | Audit entity type |
| $.entity_id | vendor_entity_id | 123 | string | Audit entity ID |
| $.target_type | vendor_target_type | User | string | Audit target type |
| $.target_id | vendor_target_id | 456 | string | Audit target ID |
| $.target_details | vendor_target_details | user@example.com | string | Audit target details |
| $.change | vendor_change | access_level | string | Changed attribute name |
| $.from | vendor_from | Developer | string | Previous value of changed attribute |
| $.to | vendor_to | Maintainer | string | New value of changed attribute |
| $.success | vendor_event_outcome | true | string | Native event outcome |
| $.error | event_error_description | connection refused | string | Error description |
| $.duration_s | vendor_duration_s | 0.12 | string | Request duration in seconds |
| $.db_duration_s | vendor_db_duration_s | 0.01 | string | Database query duration in seconds |
| $.view_duration_s | vendor_view_duration_s | 0.05 | string | View rendering duration in seconds |
| $.cpu_s | vendor_cpu_s | 0.02 | string | CPU time in seconds |
| $.queue_duration_s | vendor_queue_duration_s | 0.001 | string | Queue wait duration in seconds |
| $.gitaly_calls | vendor_gitaly_calls | 5 | string | Number of Gitaly RPC calls |
| $.gitaly_duration_s | vendor_gitaly_duration_s | 0.03 | string | Gitaly call duration in seconds |
| $.redis_calls | vendor_redis_calls | 3 | string | Number of Redis calls |
| $.redis_duration_s | vendor_redis_duration_s | 0.002 | string | Redis call duration in seconds |
| $.class | vendor_class | ProjectImportWorker | string | Sidekiq job class |
| $.queue | vendor_queue | default | string | Sidekiq queue name |
| $.jid | vendor_jid | abc123 | string | Sidekiq job ID |
| $.job_status | vendor_job_status | done | string | Sidekiq job status |
| $.object_kind | vendor_object_kind | vulnerability | string | Webhook object kind |
| $.object_attributes.title | vendor_object_title | REXML DoS vulnerability | string | Object title (vulnerability name) |
| $.object_attributes.severity | vendor_event_severity | critical | string | Vulnerability severity |
| $.object_attributes.state | vendor_object_state | confirmed | string | Vulnerability state |
| $.object_attributes.url | http_request_path | https://example.com/.../vulnerabilities/1 | string | Vulnerability URL |
| $.mail_subject | email_subject | New issue created | string | Email notification subject |
| $.token_id | vendor_token_id | 1 | string | API token identifier |
| $.token_type | vendor_token_type | PersonalAccessToken | string | Token type |
| $.details.author_class | vendor_author_class | User | string | Audit detail author class |
| $.details.change | vendor_details_change | access_level | string | Audit detail change type |
| Mapped | event_action | allowed | string | Normalized event action |
| Mapped | event_outcome | success | string | Normalized event outcome |
| Mapped | event_severity | informational | string | Normalized event severity |
| Mapped | event_severity_level | 1 | long | Numeric severity level |
| Mapped | source_user_name | admin | string | Source user performing the action |
| Mapped | gim_event_type_code | 110000 | string | GIM event type code |
| Mapped | alert_signature | REXML DoS vulnerability | string | Alert signature for vulnerability events |
| Mapped | alert_category | vulnerability | string | Alert category for vulnerability events |
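Two details of the table are easy to get wrong when reproducing or validating it: $.author_id and $.author_name only fill user_id and user_name when $.user_id and $.username are absent (audit events carry the former, production logs the latter), and two source paths share a target ($.severity and $.object_attributes.severity both feed vendor_event_severity; $.url and $.object_attributes.url both feed http_request_path), so first match wins. The following Python is an added example, not the pack's parsing rules, that applies the mapping with those semantics to three constructed log lines and derives the "Mapped" fields from the vendor fields. The event_outcome, source_user_name and alert_* derivations follow the table's example rows; the native-severity-to-GIM-level mapping beyond INFO -> informational/1, and the sample lines themselves, are assumptions made here.

```python
import json

# (json path, target field) in evaluation order. A target already filled by an
# earlier row is never overwritten, which is what makes the author_* rows fallbacks.
FIELD_MAP = [
    ("$.action", "vendor_event_action"),
    ("$.method", "http_request_method"),
    ("$.path", "file_path"),
    ("$.url", "http_request_path"),
    ("$.status", "http_response_code"),
    ("$.remote_ip", "source_ip"),
    ("$.time", "event_created"),
    ("$.severity", "vendor_event_severity"),
    ("$.message", "vendor_event_description"),
    ("$.username", "user_name"),
    ("$.user_id", "user_id"),
    ("$.author_id", "user_id"),        # fallback: audit events have no $.user_id
    ("$.author_name", "user_name"),    # fallback: audit events have no $.username
    ("$.correlation_id", "vendor_correlation_id"),
    ("$.ua", "http_user_agent"),
    ("$.event_type", "vendor_event_type"),
    ("$.target_type", "vendor_target_type"),
    ("$.target_id", "vendor_target_id"),
    ("$.target_details", "vendor_target_details"),
    ("$.success", "vendor_event_outcome"),
    ("$.object_kind", "vendor_object_kind"),
    ("$.object_attributes.title", "vendor_object_title"),
    ("$.object_attributes.severity", "vendor_event_severity"),
    ("$.object_attributes.state", "vendor_object_state"),
    ("$.object_attributes.url", "http_request_path"),
    ("$.details.change", "vendor_details_change"),
]
LONG_FIELDS = {"http_response_code"}   # the only non-string type in the table

# Native severity -> (event_severity, event_severity_level). Only INFO -> informational/1
# is documented on the page; the remaining rows are an assumption of this example.
SEVERITY = {
    "debug": ("informational", 1), "info": ("informational", 1),
    "warn": ("low", 2), "low": ("low", 2),
    "medium": ("medium", 3),
    "error": ("high", 4), "high": ("high", 4),
    "fatal": ("critical", 5), "critical": ("critical", 5),
}


def lookup(doc, path):
    """Resolve a '$.a.b' path against a parsed JSON object; None if any segment is missing."""
    node = doc
    for key in path.removeprefix("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def normalize(doc):
    """Map one parsed GitLab JSON event to the pack's field names, then derive the Mapped fields."""
    out = {}
    for path, target in FIELD_MAP:
        value = lookup(doc, path)
        if value is None or target in out:
            continue                      # missing source, or target already filled
        if target in LONG_FIELDS:
            value = int(value)
        elif isinstance(value, bool):
            value = "true" if value else "false"   # keep the JSON spelling of $.success
        elif not isinstance(value, str):
            value = str(value)
        out[target] = value
    if "vendor_event_outcome" in out:
        out["event_outcome"] = "success" if out["vendor_event_outcome"] == "true" else "failure"
    if "user_name" in out:
        out["source_user_name"] = out["user_name"]
    sev = SEVERITY.get(out.get("vendor_event_severity", "").lower())
    if sev:
        out["event_severity"], out["event_severity_level"] = sev
    if out.get("vendor_object_kind") == "vulnerability":
        out["alert_signature"] = out.get("vendor_object_title")
        out["alert_category"] = "vulnerability"
    return out


def normalize_lines(lines):
    return [normalize(json.loads(line)) for line in lines]


# Constructed sample lines (a streamed audit event, a production JSON log line, a
# vulnerability webhook); not captured from a real GitLab instance.
SAMPLE_LINES = [
    '{"event_type":"member_created","author_id":1,"author_name":"Administrator","entity_type":"Project",'
    '"target_type":"User","target_id":456,"target_details":"user@example.com","details":{"change":"access_level"},"success":true}',
    '{"method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"10.2.3.2","username":"admin","user_id":1,'
    '"ua":"Mozilla/5.0","severity":"INFO","correlation_id":"01GYDSAKAN2SPZPAMJNRWW5H8S","time":"2024-10-29T12:49:42.123Z"}',
    '{"object_kind":"vulnerability","object_attributes":{"title":"REXML DoS vulnerability","severity":"critical",'
    '"state":"confirmed","url":"https://gitlab.example.com/group/project/-/security/vulnerabilities/1"}}',
]

if __name__ == "__main__":
    for record in normalize_lines(SAMPLE_LINES):
        print(json.dumps(record, sort_keys=True))
```

The audit line ends up with user_id "1" and user_name "Administrator" from the author_* fallbacks, the production line keeps "admin"/"1" from $.username and $.user_id, and the webhook's critical severity reaches vendor_event_severity only because no top-level $.severity claimed the field first.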
GitLab Spotlight Content Pack
The following dashboards are included with this content pack:
- GitLab Events Overview
- User Overview
- Web Overview
