# Tarsal Onboarding Guide

## Overview

[Tarsal](https://tarsal.co/) simplifies ingestion of security data by providing prebuilt connectors that require minimal setup or maintenance. You can use Tarsal to quickly ingest data from various sources into Panther using either an [HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http) or [S3 Source](https://docs.panther.com/data-onboarding/data-transports/aws/s3). This guide explains how to set up both integration methods.

In addition to the SaaS and cloud log sources available in Tarsal, you can capture Linux endpoint data by setting up kflow as a source—[learn more about kflow below](#using-tarsal-kflow-to-ingest-linux-endpoint-data).

## How to forward logs to Panther using Tarsal

### Prerequisites

* You have an active Tarsal account.
* You have access to one or more source data accounts.

### Step 1: Create a Source Connector in Tarsal

* Create a Source Connector in Tarsal for the data you want to forward to Panther by following the setup instructions for that source, found in [Tarsal's documentation](https://docs.tarsal.cloud/docs/sources).

### Step 2: Create an HTTP or S3 source in Panther

{% tabs %}
{% tab title="HTTP Source" %}

* Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther).
  * For the **Auth method**, select [Bearer](https://docs.panther.com/data-transports/http#bearer).
  * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
  * Do not proceed to the next step until the creation of your HTTP endpoint has completed.
    {% endtab %}

{% tab title="S3 Source" %}

* Follow [Panther's instructions for configuring an S3 Source](https://docs.panther.com/data-transports/aws/s3#how-set-up-an-aws-s3-bucket-log-source-in-panther).
  {% endtab %}
  {% endtabs %}

{% hint style="info" %}
All events forwarded from Tarsal include a `t_event_time` field. This can be used in [custom log schemas](https://docs.panther.com/data-onboarding/custom-log-types) to set `isEventTime: true`.

Example:

```yaml
- name: t_event_time
  type: timestamp
  isEventTime: true
```

{% endhint %}

### Step 3: Create a Destination Connector in Tarsal

If you created an HTTP source in Panther in Step 2, follow the instructions in the **HTTP Destination Connector** tab, below. Alternatively, if you created an S3 source in Panther in Step 2, follow the instructions in the **S3 Destination Connector** tab.

{% tabs %}
{% tab title="HTTP Destination Connector" %}
To create an HTTP Destination Connector in Tarsal:

1. In Tarsal, click **Destinations** > **Add Destination**.
2. Click **Panther (HTTP Source)**.
3. Fill in the form fields:
   * **Name**: Enter a descriptive name, e.g., `Panther HTTP destination`.
   * **Description** (optional): Enter more information about the destination, if desired.
   * **Bearer Token**: Paste the bearer token you generated in Panther in Step 2.
   * **HTTP Ingest URL**: Paste the HTTP endpoint you generated in Panther in Step 2.
     * This value is visible after HTTP source creation in Panther by navigating to its details page.
4. Click **Test**.
5. Click **Save**.
   {% endtab %}

{% tab title="S3 Destination Connector" %}

* To create an S3 Destination Connector in Tarsal, follow [these instructions in the Tarsal documentation](https://docs.tarsal.cloud/docs/destination-aws-s3).

Note: Data will be delivered in Newline Delimited JSON (ndjson) format.
{% endtab %}
{% endtabs %}

{% hint style="info" %}
You can reuse this Destination Connector in multiple Flows.
{% endhint %}

### Step 4: Configure a Flow in Tarsal

To configure a Flow in Tarsal:

1. In Tarsal, click **Flows**, then **Add Flow**.
2. Fill in the form fields:
   * **Name**: Give the Flow a descriptive name.
   * **Description** (optional): Enter more information about the Flow, if desired.
   * **Source**: Select the Source Connector you created in Step 1.
   * **Destination**: Select the Destination Connector you created in Step 3.
3. Click **Save**.

## Using Tarsal kflow to ingest Linux endpoint data

[Tarsal kflow](https://tarsal.co/kflow/) is an open source tool that uses [eBPF](https://en.wikipedia.org/wiki/EBPF) to capture a wide array of system and network events from Linux endpoints. You can use kflow in a wide range of applications, from malware detection to tracing data movement—then use the [kflow Source Connector](https://docs.tarsal.cloud/docs/source-kflow) to ingest kflow data streams into Tarsal.

Learn more about kflow in the [Tarsal documentation](https://docs.tarsal.cloud/docs/source-kflow).