SQS Source

Onboarding AWS SQS Logs as a Data Transport log source in the Panther Console

Overview

Panther supports configuring Amazon Simple Queue Service (SQS) as a Data Transport to pull events from your queue into your Panther account.

The steps below enable you to set up an SQS source and give you permissions to send data to that queue. Panther pulls events from that queue and allows you to write rules and run queries on the processed data.

SQS has a max message size of 256KB. If you expect to send messages bigger than this, consider using an S3 source instead.

See the diagram below to understand how data flows from your application(s) into Panther using SQS (in SaaS):

How to set up an SQS log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Click the Custom Log Formats tile.
In the AWS SQS Queue tile on the slide-out panel, click Start.
On the Configure page, fill in the fields as follows:
- Name: Enter a descriptive name for your source.
- Log Types: From the drop-down, select all log types that you wish to monitor.
- Allowed AWS Principals: List all ARNs of the AWS principals that will be allowed to publish messages to your SQS queue.
- Allowed Source ARNs: List all ARNs of the AWS resources (SNS topics, S3 buckets, etc.) that can publish messages to your SQS queue.
  - Note: If none of Allowed AWS Principal ARNs and Allowed Source ARNs properties are set, only Principals of the AWS account where Panther is deployed will be able to publish messages to the queue.
Click Setup.
On the Log Format page, select the stream type of the incoming logs:
- Auto
- Lines
- JSON
- JSON Array
Click Continue. You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

To view your newly created source, click View Log Source.

Manage your AWS SQS source here for data and events processed, overall health, source schemas, alarm configuration, etc.

Viewing ingested logs

After your log source is configured, you can search ingested data using Search or Data Explorer.

PreviousCloudWatch Logs Source NextSNS Source

Last updated 11 months ago

Was this helpful?

Overview

Panther supports configuring Amazon Simple Queue Service (SQS) as a Data Transport to pull events from your queue into your Panther account.

SQS has a max message size of 256KB. If you expect to send messages bigger than this, consider using an S3 source instead.

See the diagram below to understand how data flows from your application(s) into Panther using SQS (in SaaS):

How to set up an SQS log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

In the upper right corner, click Create New.

Click the Custom Log Formats tile.

In the AWS SQS Queue tile on the slide-out panel, click Start.

On the Configure page, fill in the fields as follows:

Name: Enter a descriptive name for your source.
Log Types: From the drop-down, select all log types that you wish to monitor.
Allowed AWS Principals: List all ARNs of the AWS principals that will be allowed to publish messages to your SQS queue.
Allowed Source ARNs: List all ARNs of the AWS resources (SNS topics, S3 buckets, etc.) that can publish messages to your SQS queue.
- Note: If none of Allowed AWS Principal ARNs and Allowed Source ARNs properties are set, only Principals of the AWS account where Panther is deployed will be able to publish messages to the queue.

Click Setup.

On the Log Format page, select the stream type of the incoming logs:

Auto
Lines
JSON
JSON Array

Click Continue. You will be directed to a success screen:

You can optionally enable one or more Detection Packs.
If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

To view your newly created source, click View Log Source.

Manage your AWS SQS source here for data and events processed, overall health, source schemas, alarm configuration, etc.