Monitoring Log Sources

How to monitor data metrics, log source health, and schemas for individual log sources.


Once a log source is onboarded in Panther, you can monitor data processing metrics and the log source's health on the log source's operations page in the Panther Console. You can also attach new schemas and view raw data associated with the log source.
At Configure > Log Sources - the Log Sources Overview page - you can view ingestion stats for all log sources combined.

How to monitor overall log source ingestion

Log ingestion monitoring is in open beta starting with Panther version 1.85, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
The log ingestion monitoring summary on the Log Sources Overview page shows your total number of log sources, unhealthy log sources, a mini-trend chart of the events flow, the amount and the volume of the processed events, and the volume of filtered events. The data in the summary at the top of the page is based on the current month.
To view a list of only the unhealthy log sources, click the number under Unhealthy in the dashboard.
To see more detailed charts with configurable timeframes, click More in the upper right corner of the dashboard:
To expand the log monitoring data, click More on the right side of the log source dashboard.
The page will expand to display additional charts:
  • Events over time by log type
  • Filtered out events
  • Events processed (volume)
  • Data stored per source
    • Click a log source on the chart to see the associated schemas for that source and that source's contribution to the ingestion quota.
  • Data stored per log type
  • Average data latecy by log type
The log monitoring page shows data about your log types
To adjust the timeframe of the charts, use the date picker in the upper right corner.

How to monitor individual log sources

Finding the Log Source operations page

  1. 1.
    In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
  2. 2.
    Click on any log source in the list to view that log source's operations page.

Viewing the Log Source Overview

The Overview tab displays actionable log source metrics and health information. The Basic Info section displays frequently used, click-to-copy metadata, as well as the ingestion pipeline status.
Source Statuses
All statuses display the most recent timestamp for when that event occurred.
  • Source Created: Log source configuration is complete and Panther should be able to ingest log data from the source.
  • Last Data Received: Log data is available for normalization.
  • Last Data Ingested: Log data has been processed and normalized.
On a log sources's page, in the Overview tab, there is a "Source Status" section. It displays timestamps for Source Created, Last Data Received, and Last Data Ingested.
Overview Stats
Overview Stats
All data visualizations reflect the time period selected in the date picker.
  • Vol. of data processed: The amount of uncompressed log data that has been successfully processed and normalized for the selected time period.
  • % of total processed data: The amount of uncompressed log data ingested by this log source vs. the amount of all log data ingested for the selected time period.
  • # of events processed: The number of successfully processed and normalized events for the selected time period.
  • Data Processed by Log Type (chart): The amount of data ingested by the log type (the type of data).
  • Events (chart): The number of events processed.
The Overview tab of a log source page shows various metrics, e.g., Vol. of data processed and % of total processed data, as well as graphs like Data Processed by Log Type

Viewing the Log Source Schemas

At the top of the operations page, click the Schemas tab to see all schemas that are parsing and normalizing the data for this source.
If you are looking at a custom log source that uses a Data Transport, you will be able to add or remove schemas here.

View in Query Builder

On the right side of a schema in the list, click View Data. You will be redirected to the Query Builder with pre-filled selections that you can run to view data associated with the schema for the source.

View log source raw data

This feature is only available to log sources onboarded with the S3 transport method.
The permission View Log Source Raw Data is required. By default, only users with the Admin role have this permission.
When onboarding an S3 log source with or without log types, you get direct access to the log source's raw data that Panther receives.
To access the log source's raw data:
  1. 1.
    Log in to the Panther Console.
  2. 2.
    In the left sidebar menu, click Configure > Log Sources.
  3. 3.
    Click the Schemas tab then the Edit button
In the Schema Configuration, you can view events for a specific time range. Optionally, you can limit results by applying filters for the S3 key prefix and a search string to match each event.
The schema configuration page shows raw data at the bottom. The filters above the data are set to search for the keyword "GET" with the prefix "AWSLogs."

Viewing the Log Source Health

At the top of the operations page, click the Health tab to see all system health alerts related to the health of the log source you are viewing.
This page displays errors related to data classification, log drop-off, S3 Get.Object, and permissions.
You can learn more about these error types in the documentation: System Health Notifications.

Viewing the Log Source Configuration

In the upper right side of the operations page, click Configuration to see the log source's configuration details.
  • Click Delete to delete the log source and associated configurations.
  • Click Edit to update the existing configuration.