# Fluent Bit Onboarding Guide

## Overview

Fluent Bit is a flexible tool for pushing logs to Panther's HTTP endpoints. You can use Fluent Bit to stream logs to Panther [HTTP sources](/data-onboarding/data-transports/http.md).

While this guide only explains how to configure Fluent Bit with an HTTP source, it is also possible to stream to an [S3 source](/data-onboarding/data-transports/aws/s3.md). If you would like to stream logs to an S3 source, see the examples on [Fluent Bit Configuration Examples](/data-onboarding/data-pipeline-tools/fluent-bit-onboarding-guide/fluent-bit-configuration-examples.md).

### Panther-managed integrations using Fluent Bit

Panther offers managed log source integrations leveraging Fluent Bit. Panther manages the schemas associated with these log sources, and provides specialized onboarding instructions.

To onboard any of the below sources, follow the instructions on its page:

* [Auditd Logs](/data-onboarding/supported-logs/auditd-logs.md)
* [Docker Logs](/data-onboarding/supported-logs/docker.md)
* [Envoy Logs](/data-onboarding/supported-logs/envoy.md)
* [Windows Event Logs](/data-onboarding/supported-logs/windows-event-logs.md)

## How to set up a custom integration using Fluent Bit

If the Panther-managed integrations leveraging Fluent Bit don't fit your use case, you can set up a custom integration using Fluent Bit and a custom schema.

### Prerequisites

* Follow Fluent Bit's [Getting Started with Fluent Bit](https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit) documentation to set up account forwarding.
  * Fluent Bit can run on Linux, Windows, Mac, Kubernetes, Docker, and other environments.

### Step 1: Create a custom schema in Panther

* Follow [Panther's instructions for creating a custom schema](/data-onboarding/custom-log-types.md#how-to-define-a-custom-schema) for your source's logs.

### Step 2: Create an HTTP source in Panther

* Follow [Panther's instructions for configuring an HTTP Source](/data-onboarding/data-transports/http.md).
  * For the authentication method, [Shared Secret](/data-onboarding/data-transports/http.md#shared-secret) is recommended for its simplicity.

### Step 3: Configure Fluent Bit to forward to the HTTP endpoint

1. Create a new Fluent Bit configuration file by following [Fluent Bit's documentation](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file).
   * Set `[INPUT]` variables.
   * Set `[OUTPUT]` variables:
     * **Host**: Enter your Panther URL.
       * Example: `logs.instance-name.runpanther.net`
     * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 2 of this process), starting with `/http/`.
       * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
     * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 2.
     * **Name**: Set to `http`.
     * **TLS**: Set to `ON`.
     * **Port**: Set to `443`.
2. Start Fluent Bit, passing the path to your new configuration file.
   * For more examples, see the documentation pages in [Panther-managed integrations using Fluent Bit](#panther-managed-integrations-using-fluent-bit).
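
The settings from Step 3 assembled into one classic-mode configuration file, as an added example that is not taken from Panther's or Fluent Bit's documentation. The log path, tag, header name `x-example-secret`, and environment variable `PANTHER_HTTP_SECRET` are assumptions to replace with your own values; the host and URI are the sample values from this page.

```ini
# Example Fluent Bit classic-mode configuration for a Panther HTTP source.
# Comments must be on their own line in classic mode.

[SERVICE]
    Flush        5
    Log_Level    info

[INPUT]
    # Assumed input: tail application log files. Use whichever input plugin
    # matches your source, and make sure the records it emits fit the custom
    # schema created in Step 1.
    Name         tail
    Path         /var/log/myapp/*.log
    Tag          myapp.logs

[OUTPUT]
    Name         http
    Match        myapp.logs
    # Panther URL (sample value from this guide)
    Host         logs.instance-name.runpanther.net
    Port         443
    # End of the HTTP source ingest URL, starting with /http/
    URI          /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    # Header name (placeholder) and shared secret from Step 2. The secret is
    # read from the environment so it is not stored in this file.
    Header       x-example-secret ${PANTHER_HTTP_SECRET}
    # Send one JSON object per line
    Format       json_lines
    # Encrypt the connection and validate the server certificate
    TLS          On
    TLS.Verify   On
```

Export `PANTHER_HTTP_SECRET` in the environment of the Fluent Bit process, then start it with `fluent-bit -c /path/to/this-file.conf`.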

