Monitoring Log Sources
How to monitor data metrics, log source health, and schemas for individual log sources.
Last updated
How to monitor data metrics, log source health, and schemas for individual log sources.
Last updated
Once a log source is onboarded in Panther, you can monitor data processing metrics and the log source's health within the log sources list or on the log source's operations page in the Panther Console. You can also attach new schemas and view raw data associated with the log source.
At Configure > Log Sources - the Log Sources Overview page - you can view ingestion stats for all log sources combined.
The log ingestion monitoring summary on the Log Sources Overview page shows data from the current month: Your total number of log sources, unhealthy log sources, a mini-trend chart of the events flow, the amount and the volume of the processed events, the volume of filtered events, and the ingestion quota progression. If you are nearing your data ingestion capacity limit, you will see a notification banner above the summary.
To view a list of only the unhealthy log sources, click the number under Unhealthy
in the dashboard.
To see more detailed charts with configurable timeframes, click the Analytics Dashboard tab:
View the following additional charts within the Analytics Dashboard tab:
Events over time by log type
Filtered out events
Events processed (volume)
Data stored per source
Click a log source on the chart to see the associated schemas for that source and that source's contribution to the ingestion quota.
Data stored per log type
Average data latency by log type
To adjust the timeframe of the charts, use the date picker in the upper right corner.
To view metrics on events filtered out using ingestion filters:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click the Analytics Dashboard tab.
In the Data Ingestion Dashboard, click the Filtered Out Events tab.
See the Filtered Events data points.
The table of log sources found at Configure > Log Sources contains monitoring and health information for each log source. Scroll to the right to see additional columns, such as Volume, Log filters, Data filtered, and Classification errors.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click on any log source in the list to view that log source's operations page.
The Overview tab displays actionable log source metrics and health information. The Basic Info section displays frequently used, click-to-copy metadata, as well as the ingestion pipeline status.
All statuses display the most recent timestamp for when that event occurred.
Source Created: Log source configuration is complete and Panther should be able to ingest log data from the source.
Last Data Received: Log data is available for normalization.
Last Data Ingested: Log data has been processed and normalized.
All data visualizations reflect the time period selected in the date picker. Events are included based on their ingestion time, or p_parse_time
values.
Vol. of data processed: The amount of uncompressed log data that has been successfully processed and normalized for the selected time period.
% of total processed data: The amount of uncompressed log data ingested by this log source vs. the amount of all log data ingested for the selected time period.
# of events processed: The number of successfully processed and normalized events for the selected time period.
Data Processed by Log Type (chart): The amount of data ingested by the log type (the type of data).
Events (chart): The number of events processed.
Note: There is a corresponding table for each log type.
At the top of the operations page, click the Schemas tab to see all schemas that are parsing and normalizing the data for this source.
If you are looking at a custom log source that uses a Data Transport, you will be able to add or remove schemas here.
In the list of schemas, on the right side of a schema's tile, click View Data. You will be redirected to Search with pre-filled selections that you can run to view data associated with the schema for that source.
This feature is only available to log sources onboarded with the S3 transport method.
The permission View Log Source Raw Data
is required. By default, only users with the Admin role have this permission.
When onboarding an S3 log source with or without log types, you get direct access to the log source's raw data that Panther receives.
To access the log source's raw data:
Log in to the Panther Console.
In the left sidebar menu, click Configure > Log Sources.
Click the Schemas tab then the Edit button
In the Schema Configuration, you can view events for a specific time range. Optionally, you can limit results by applying filters for the S3 key prefix and a search string to match each event.
At the top of the operations page, click the Health tab to see all system health alerts related to the health of the log source you are viewing.
This page displays errors related to data classification, log drop-off, S3 Get.Object, and permissions.
You can learn more about these error types in the documentation: System Health Notifications.
In the upper right side of the operations page, click Configuration to see the log source's configuration details.
Click Delete to delete the log source and associated configurations.
Click Edit to update the existing configuration.