Observo Onboarding Guide

Overview

Observo allows you to ingest logs from various sources, structure, optimize, and enrich them, then forward them to Panther using an HTTP Source or S3 Source.

Observo can help you send your on-premises data to Panther. It has both cloud and self-hosted solutions, supporting a wide range of sources including S3, Kafka, Fluent, Logstash, HTTP, socket, and various GCP and Azure services.

How to forward logs to Panther using Observo

Prerequisite

• Within your environment in your VPC, you have deployed an Observo Site. An Observo Site is the data plane which communicates with the control plane (Observo Cloud).

Step 1: Configure a source in Observo

1. In your Observo console, click Sources, then Add a new Source.

3. Click Next to continue configuring the source, then click Save.

Step 2: Create a Data Transport source in Panther

To ingest Observo logs, create either a S3 Source or HTTP Source. Follow one of the instructions sets below:

• Panther's instructions for configuring an HTTP Source.

  • For the authentication method, use a bearer token. Copy the token value and store it in a secure location, as you will need it in the following steps.

  • Data sent to this source is subject to the HTTP Source payload requirements.

Step 3: Create a destination for Panther in Observo

Set up a destination in Observo to send logs to whichever type of data transport source you configured in Step 2:

Step 4: Create a pipeline in Observo

In Observo, a pipeline connects a data source to a destination. You can optionally add transforms to your pipeline. Transforms can be used to structure, enrich, filter, mask, and redact personal information from your data.

1. In your Observo console, click Pipelines, then Add a new Pipeline.

2. Configure the pipeline:

   • For the source, select the source you created in Step 1.

   • For the destination, select the destination you created in Step 3.

   • (Optional) Add any desired transforms.