# Observo Onboarding Guide

## Overview

[Observo](https://www.observo.ai/) allows you to ingest logs from various sources, structure, optimize, and enrich them, then forward them to Panther using an [HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http) or [S3 Source](https://docs.panther.com/data-onboarding/data-transports/aws/s3).

Observo can help you send your on-premises data to Panther. It has both cloud and self-hosted solutions, supporting a wide range of sources including S3, Kafka, Fluent, Logstash, HTTP, socket, and various GCP and Azure services.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4c8e150d9df38429cc5c505e59c80b24d8110271%2Fimage.png?alt=media" alt="A flow diagram shows Sources > observo.ai > Panther" width="563"><figcaption></figcaption></figure>

## How to forward logs to Panther using Observo

### Prerequisite

* You have deployed an Observo Site in a VPC within your environment. An Observo Site is the data plane that communicates with the control plane (Observo Cloud).

### Step 1: Configure a source in Observo

1. In your [Observo console](https://app.observo.ai/), click **Sources**, then **Add a new Source**.
2. Complete the **Add Source** form.\
   ![An "Add Source" form has various fields like Source Type, Name, and Description.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9eb73d401573c23ba0a95923d7d48f0e6405943d%2Fimage.png?alt=media)
3. Click **Next** to continue configuring the source, then click **Save**.

### Step 2: Create a Data Transport source in Panther

To ingest Observo logs, create either an S3 Source or an HTTP Source. Follow one of the instruction sets below:

* [Panther's instructions for configuring an S3 Source](https://docs.panther.com/data-transports/aws/s3#how-set-up-an-aws-s3-bucket-log-source-in-panther).\
  ![A page titled "Create AWS S3 source" is shown, with a form titled, "Configure your source." There are various fields, e.g., "Name, "AWS Account ID," etc.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-56bd0d560c0412afc4d122a27d9ab1daa22cc94f%2FScreenshot%202024-04-24%20at%209.59.38%20AM.png?alt=media)
* [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http).
  * For the authentication method, use a [bearer token](https://docs.panther.com/data-transports/http#bearer). Copy the token value and store it in a secure location, as you will need it in the following steps.
  * Data sent to this source is subject to the [HTTP Source payload requirements](https://docs.panther.com/data-transports/http#payload-requirements).
  * After you have finished creating the HTTP Source, copy its URL and store it in a secure location, as you will need it in the following steps.\
    ![A "Create HTTP source" header is above a form with various fields like Source Name, Schemas - Optional, and Auth method. the Source Name has a value of "Observo HTTP Source"](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c927a2ebe6c5eebf8af94dbd33e75f0b5df85c45%2Fimage.png?alt=media)

### Step 3: Create a destination for Panther in Observo

Set up a destination in Observo to send logs to whichever type of data transport source you configured in Step 2:

{% tabs %}
{% tab title="S3 destination" %}
To create an S3 destination in Observo:

* In your [Observo console](https://app.observo.ai/), click **Destinations**, then **Add a new Destination**.
* Fill in the **Add Destination** form:
  * **Destination Type**: Select **AWS S3**.
  * **Name**: Enter a descriptive name.
  * **Bucket**: Enter the name of your S3 bucket.
  * **Encoding Codec**: Select **JSON**.
  * **Region**: Enter the AWS region your bucket is in.\
    ![](https://lh7-us.googleusercontent.com/ca8g1BnX4Yc-m7EC9-H1n01yP7fB1ep2RWKHQAiit2AZXbdD3HXhJmHxG0Bul_CaMTWJaaue6ci2u4r09hbCn70EBXm3GYcs9oZukRz3ThwjzEgd6N2O5WNQz6rChCQlBA28V9zg13Yk925lWEwPJ9E)
* Click **Save**.
{% endtab %}

{% tab title="HTTP destination" %}
To create an HTTP destination in Observo:

* In your [Observo console](https://app.observo.ai/), click **Destinations**, then **Add a new Destination**.
* Fill in the **Add Destination** form:
  * **Destination Type**: Select **HTTP**.
  * **Name**: Enter a descriptive name.
  * **URL/URI**: Enter the HTTP URL you generated in Step 2.
  * **Encoding Codec**: Select **JSON**.
  * **Auth Strategy**: Choose **Bearer**.
  * **Auth Token**: Enter the bearer token you used in Step 2.\
    ![An "Add Destination" form is shown, with various fields, e.g., "Destination Type," "Name," "Bucket," etc. At the bottom are "Cancel" and "Save" buttons.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-eb257bd90b3dd4e0290d3d5fc4f9395692d0098a%2Fimage.png?alt=media)
* Click **Save**.
{% endtab %}
{% endtabs %}

### Step 4: Create a pipeline in Observo

In Observo, a pipeline connects a data source to a destination. You can optionally add transforms to your pipeline. Transforms can be used to structure, enrich, filter, mask, and redact personal information from your data.

1. In your [Observo console](https://app.observo.ai/), click **Pipelines**, then **Add a new Pipeline**.
2. Configure the pipeline:
   * For the source, select the source you created in Step 1.
   * For the destination, select the destination you created in Step 3.
   * (Optional) Add any desired transforms.
3. Click **Save pipeline**, then **Deploy**.\
   ![A "Panther VPC Flow Logs" header is over a "Confirmation" sub-header. There are fields for Pipeline Name and Description (optional). At the bottom, a Save pipeline button is expanded, showing a menu with "Save as draft" and "Deploy"](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-d76f843d5f8dff1f22c80ca796e3faadd2393a15%2F2024-04-19_13-10-29.png?alt=media)


