Tarsal Onboarding Guide
Forward logs to Panther using Tarsal
Overview
Tarsal simplifies ingestion of security data by providing prebuilt connectors that require minimal setup or maintenance. You can use Tarsal to quickly ingest data from various sources into Panther using either an HTTP Source or S3 Source. This guide explains how to set up both integration methods.
In addition to the SaaS and cloud log sources available in Tarsal, you can capture Linux endpoint data by setting up kflow as a source—learn more about kflow below.
How to forward logs to Panther using Tarsal
Prerequisites
You have an active Tarsal account.
You have access to one or more source data accounts.
Step 1: Create a Source Connector in Tarsal
Create a Source Connector in Tarsal for the data you want to forward to Panther by following the setup instructions for that source, found in Tarsal's documentation.
Step 2: Create an HTTP or S3 source in Panther
Follow Panther's instructions for configuring an HTTP Source.
For the Auth method, select Bearer.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
All events forwarded from Tarsal include a t_event_time field. This can be used in custom log schemas to set isEventTime: true.
Example:
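The following custom log schema is an added illustration, not taken from Panther's or Tarsal's documentation, showing where t_event_time and isEventTime: true sit in a schema. The rfc3339 time format and every field other than t_event_time are assumptions; match them to a sample event from your own Tarsal source.

```yaml
# Added example: custom log schema for events forwarded by Tarsal.
# Only t_event_time and isEventTime come from this guide; the time
# format and the other field names are assumptions.
fields:
  - name: t_event_time
    description: Timestamp that Tarsal includes on every forwarded event
    type: timestamp
    timeFormats:
      - rfc3339          # assumption: confirm against a sample event
    isEventTime: true    # Panther uses this value as the event time (p_event_time)
    required: true       # the guide states all Tarsal events carry this field
  - name: source_ip      # hypothetical field
    description: Client address reported by the source
    type: string
    indicators:
      - ip               # lets Panther extract the value as an IP indicator
  - name: action         # hypothetical field
    description: Action recorded by the source
    type: string
```

If the time format does not match what the source emits, events fail schema validation, so test the schema against real payloads before attaching it to the HTTP source.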
Step 3: Create a Destination Connector in Tarsal
If you created an HTTP source in Panther in Step 2, follow the instructions in the HTTP Destination Connector tab, below. Alternatively, if you created an S3 source in Panther in Step 2, follow the instructions in the S3 Destination Connector tab.
To create an HTTP Destination Connector in Tarsal:
In Tarsal, click Destinations > Add Destination.
Click Panther (HTTP Source).
Fill in the form fields:
Name: Enter a descriptive name, e.g., Panther HTTP destination.
Description (optional): Enter more information about the destination, if desired.
Bearer Token: Paste the bearer token you generated in Panther in Step 2.
HTTP Ingest URL: Paste the HTTP endpoint you generated in Panther in Step 2.
This value is visible after HTTP source creation in Panther by navigating to its details page.
Click Test.
Click Save.
You can reuse this Destination Connector in multiple Flows.
Step 4: Configure a Flow in Tarsal
To configure a Flow in Tarsal:
In Tarsal, click Flows, then Add Flow.
Fill in the form fields:
Name: Give the Flow a descriptive name.
Description (optional): Enter more information about the Flow, if desired.
Source: Select the Source Connector you created in Step 1.
Destination: Select the Destination Connector you created in Step 3.
Click Save.
Using Tarsal kflow to ingest Linux endpoint data
Tarsal kflow is an open source tool that uses eBPF to capture a wide array of system and network events from Linux endpoints. You can use kflow in a wide range of applications, from malware detection to tracing data movement—then use the kflow Source Connector to ingest kflow data streams into Tarsal.
Learn more about kflow in the Tarsal documentation.