# SQS Source

## Overview

Panther supports configuring [Amazon Simple Queue Service (SQS)](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html) as a Data Transport to pull events from your queue into your Panther account.

The steps below enable you to set up an SQS source and give you permissions to send data to that queue. Panther pulls events from that queue and allows you to write rules and run queries on the processed data.

{% hint style="info" %}
SQS has a [maximum message size](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html) of 1,048,576 bytes (1 MiB). If you expect to send messages larger than this, consider using an [S3 source](https://docs.panther.com/data-onboarding/data-transports/aws/s3) instead.
{% endhint %}

{% hint style="warning" %}
If you are a [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) customer, create any log source infrastructure in a separate AWS account from the one your Panther deployment resides in.
{% endhint %}

See the diagram below to understand how data flows from your application(s) into Panther using SQS (in [SaaS](https://docs.panther.com/system-configuration/panther-deployment-types#saas)):

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-883d110f008c625e23a95e253bdcccf6a5cc1aab%2FData_Transport_SQS.png?alt=media" alt="A diagram shows how data flows from a customer application into Panther, using the SQS Data Transport. The flow is as follows: customer AWS application(s) like Lambda, S3, SNS, etc., SQS (which also takes in Allowed AWS ARNs), Panther application, parse &#x26; normalize, real-time detections, Long term retention in Snowflake, Alerts generated, and Alert destination"><figcaption></figcaption></figure>

## How to set up an SQS log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. In the upper right corner, click **Create New**.
3. Click the **AWS SQS Queue** tile.
4. On the **Configure** page, fill in the fields as follows:
   * **Name**: Enter a descriptive name for your source.
   * **Log Types**: From the drop-down, select all log types that you wish to monitor.
   * **Allowed AWS Principals**: List all ARNs of the AWS principals that will be allowed to publish messages to your SQS queue.
   * **Allowed Source ARNs**: List all ARNs of the AWS resources (SNS topics, S3 buckets, etc.) that can publish messages to your SQS queue.
     * **Note**: If neither the **Allowed AWS Principal ARNs** nor the **Allowed Source ARNs** property is set, only principals of the AWS account where Panther is deployed will be able to publish messages to the queue.
5. Click **Setup**.
6. On the **Log Format** page, select the [stream type](https://docs.panther.com/custom-log-types/reference#stream-type) of the incoming logs:
   * **Auto**
   * **Lines**
   * **JSON**
   * **JSON Array**
7. Click **Continue**. You will be directed to a success screen:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * If you have not done so already, click **Attach or Infer Schemas** to attach one or more schemas to the source.
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

To view your newly created source, click **View Log Source**.

* Manage your AWS SQS source here for data and events processed, overall health, source schemas, alarm configuration, etc.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3ae8d9cb610066f74ffe4a8cc9d519419b92c0e1%2Flog-source-data.png?alt=media" alt="This page displays Data Metrics such as data processed, events processed, and data processed by log type. To view this data, click on a log source."><figcaption></figcaption></figure>
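
A producer-side check for the 1,048,576-byte limit noted in the Overview, as an added example rather than Panther's own code: it packs events into message bodies for the **JSON Array** stream type and sets aside any event too large to send alone (a candidate for an S3 source). It assumes each message body carries one JSON array of events; `pack_events` and the sample events are hypothetical, and the actual send through an AWS SDK is left out so the block runs offline.

```python
import json

SQS_MAX_BYTES = 1_048_576  # SQS per-message limit stated in the Overview (1 MiB)

# Constructed sample: two small events (one non-ASCII) and one larger event.
SAMPLE = [
    {"user": "alice", "action": "login"},
    {"user": "zoë", "action": "login"},
    {"user": "bob", "blob": "x" * 200},
]


def pack_events(events, limit=SQS_MAX_BYTES, headroom=0):
    """Group events into JSON-array bodies that each fit within the limit.

    Returns (bodies, oversize). bodies are strings ready to use as SQS
    message bodies; oversize holds events that cannot fit even alone.
    headroom reserves bytes for message attributes, which also count
    toward the SQS size limit.
    """
    budget = limit - headroom
    bodies, oversize = [], []
    current, current_size = [], 2  # 2 bytes for the enclosing "[" and "]"

    def flush():
        nonlocal current, current_size
        if current:
            bodies.append("[" + ",".join(current) + "]")
        current, current_size = [], 2

    for event in events:
        encoded = json.dumps(event, separators=(",", ":"), ensure_ascii=False)
        size = len(encoded.encode("utf-8"))  # measure bytes, not characters
        if size + 2 > budget:
            oversize.append(event)  # too large for any single message
            continue
        sep = 1 if current else 0  # comma between array elements
        if current_size + sep + size > budget:
            flush()
            sep = 0
        current.append(encoded)
        current_size += sep + size
    flush()
    return bodies, oversize
```
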

## Viewing ingested logs

After your log source is configured, you can search ingested data using [Search](https://docs.panther.com/search/search-tool) or [Data Explorer](https://docs.panther.com/search/data-explorer).
