Tarsal Onboarding Guide
Forward logs to Panther using Tarsal
Tarsal simplifies ingestion of security data by providing prebuilt connectors that require minimal setup or maintenance. You can use Tarsal to quickly ingest data from various sources into Panther using either an HTTP source or an S3 source. This guide explains how to set up both integration methods.
In addition to the SaaS and cloud log sources available in Tarsal, you can capture Linux endpoint data by setting up kflow as a source—.
You have an active Tarsal account.
You have access to one or more source data accounts.
Create a Source Connector in Tarsal for the data you want to forward to Panther by following the setup instructions for that source, found in .
Follow Panther's .
For the Auth method, select .
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
If you created an HTTP source in Panther in Step 2, follow the instructions in the HTTP Destination Connector tab, below. Alternatively, if you created an S3 source in Panther in Step 2, follow the instructions in the S3 Destination Connector tab.
To create an HTTP Destination Connector in Tarsal:
In Tarsal, click Destinations > Add Destination.
Click Panther (HTTP Source).
Fill in the form fields:
Name: Enter a descriptive name, e.g., Panther HTTP destination.
Description (optional): Enter more information about the destination, if desired.
Bearer Token: Paste the bearer token you generated in Panther in Step 2.
HTTP Ingest URL: Paste the HTTP endpoint you generated in Panther in Step 2.
This value is visible after HTTP source creation in Panther by navigating to its details page.
Click Test.
Click Save.
To configure a Flow in Tarsal:
In Tarsal, click Flows, then Add Flow.
Fill in the form fields:
Name: Give the Flow a descriptive name.
Description (optional): Enter more information about the Flow, if desired.
Source: Select the Source Connector you created in Step 1.
Destination: Select the Destination Connector you created in Step 3.
Click Save.
All events forwarded from Tarsal include a t_event_time field. This can be used in to set isEventTime: true.
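The fragment below is an added example, not part of the original guide: a Panther custom schema in which t_event_time is marked as the event time, so Panther's p_event_time reflects when the event occurred rather than when it was parsed. The timestamp format and every field other than t_event_time are assumptions; adjust them to the events your Flow actually delivers.

```yaml
# Added example: Panther custom schema fragment (not from the original guide).
# Only t_event_time and isEventTime come from the guide; the rest is assumed.
fields:
  - name: t_event_time
    description: Event time that Tarsal includes on every forwarded event
    type: timestamp
    # Assumption: the value arrives as an RFC 3339 string.
    # Change this if your events carry a different timestamp format.
    timeFormats:
      - rfc3339
    # Marks this field as the source of p_event_time. Without an event-time
    # field, p_event_time falls back to the time the event was parsed,
    # which skews detection time windows and investigation timelines.
    isEventTime: true
  # Hypothetical payload fields, shown only to make the fragment complete.
  - name: source_host
    description: Hypothetical field naming the originating host
    type: string
  - name: message
    description: Hypothetical field holding the raw event message
    type: string
```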
To create an S3 Destination Connector in Tarsal, follow .
is an open source tool that uses to capture a wide array of system and network events from Linux endpoints. You can use kflow in a wide range of applications, from malware detection to tracing data movement—then use the to ingest kflow data streams into Tarsal.
Learn more about kflow in the .