# Fluentd Onboarding Guide

## Overview

{% hint style="warning" %}
Consider using [Fluent Bit](/data-onboarding/data-pipeline-tools/fluent-bit-onboarding-guide.md) instead of Fluentd to forward logs to Panther. Fluent Bit is easier to set up and less resource intensive than Fluentd.
{% endhint %}

This guide helps you quickly set up the AWS resources needed to onboard data from various utilities and sources, such as Fluentd, Syslog, Windows Events, GCP Audit logs, and more.

Fluentd supports Firehose and S3 destination plugins. We have provided sample CloudFormation templates below that can be customized to fit your environment.

Once the template has been deployed and the resources have been created, return to the log source guide to continue configuring the log source.

### Firehose to S3 Template (Recommended) <a href="#firehose-to-s3-template-recommended" id="firehose-to-s3-template-recommended"></a>

{% hint style="info" %}
The Fluentd Firehose plugin is generally more performant than the Fluentd S3 plugin.
{% endhint %}

<figure><img src="/files/-Meb7NrYAeEO2k1Evl3s" alt="The image shows a diagram: Fluentd > Firehose > S3 > Panther"><figcaption></figcaption></figure>

#### **Resources**:

This template creates a Kinesis Firehose resource and an S3 bucket. It also configures permissions to write to the Firehose stream, sets the Firehose stream to send its logs to S3, and grants Firehose permission to write to the S3 bucket.

#### **Pipeline:**

After deploying the template, save the outputs for use in the Fluentd configurations.

The outputs of this template are:

* InstanceProfileName - The profile that can be used to assume the role with the correct permissions
* S3Bucket - The S3 bucket that Firehose will send events to
* FirehoseSendDataRoleArn - ARN of the role to write to Firehose
* FirehoseName - The Firehose stream name

The template can be found here: [CloudFormation Template](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-fluentd-firehose.yml).
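The following Fluentd configuration is an added example, not taken from the Panther documentation or the template, showing where the template outputs are used with the `kinesis_firehose` output of `fluent-plugin-kinesis`. It assumes Fluentd runs on an EC2 instance launched with the `InstanceProfileName` profile, so no static AWS keys appear in the file; the log path, tag, region, session name and flush interval are illustrative assumptions.

```conf
# Added example; values in <...> are placeholders for the CloudFormation outputs.

# Assumed source: JSON application logs tailed from disk.
<source>
  @type tail
  path /var/log/app/*.log
  pos_file /var/log/fluentd/app.pos
  tag panther.app
  <parse>
    @type json
  </parse>
</source>

# Forward everything tagged panther.* to the Firehose stream created by the template.
<match panther.**>
  @type kinesis_firehose
  # FirehoseName output
  delivery_stream_name <FirehoseName>
  # Assumed region; use the region the stack was deployed in.
  region us-east-1
  # Base credentials come from the attached instance profile (InstanceProfileName);
  # Fluentd then assumes the write role, so only short-lived credentials are used.
  <assume_role_credentials>
    # FirehoseSendDataRoleArn output
    role_arn <FirehoseSendDataRoleArn>
    role_session_name fluentd-panther
  </assume_role_credentials>
  <buffer>
    flush_interval 10s
  </buffer>
</match>
```

Events delivered this way land in the `S3Bucket` output, which is the bucket the log source guide then onboards into Panther.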

### S3 Template <a href="#s3-template" id="s3-template"></a>

{% hint style="warning" %}
As mentioned above, this template is less performant than the Firehose template and is not recommended unless necessary.
{% endhint %}

<figure><img src="/files/-Meb8D87ze6S7x4F3s5p" alt="The image shows a diagram: Fluentd > S3 > Panther"><figcaption></figcaption></figure>

#### **Resources**:

This template creates an S3 bucket and permissions to write to the created bucket.

#### **Pipeline:**

After deploying the template, you must create an access token in IAM for the user that was created.

The outputs of this template are:

* FluentdUser - IAM user to be used within the Fluentd configuration
* S3Bucket - The bucket that was created to use within the Fluentd configuration

The template can be found here: [CloudFormation Template](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-fluentd-s3.yml).

