Monitoring Log Sources

Monitor log source data ingestion and health


Once a log source is onboarded in Panther, you can monitor data processing metrics and the log source's health within the log sources list or on the log source's operations page in the Panther Console. You can also attach new schemas and view raw data associated with the log source.

At Configure > Log Sources - the Log Sources Overview page - you can view ingestion stats for all log sources combined.

How to monitor overall log source ingestion

The log ingestion monitoring summary on the Log Sources Overview page shows data from the current month: Your total number of log sources, unhealthy log sources, a mini-trend chart of the events flow, the amount and the volume of the processed events, the volume of filtered events, and the ingestion quota progression. If you are nearing your data ingestion capacity limit, you will see a notification banner above the summary.

To view a list of only the unhealthy log sources, click the number under Unhealthy in the dashboard.

To see more detailed charts with configurable timeframes, click the Analytics Dashboard tab:

View the following additional charts within the Analytics Dashboard tab:

  • Events over time by log type

  • Filtered out events

  • Events processed (volume)

  • Data stored per source

    • Click a log source on the chart to see the associated schemas for that source and that source's contribution to the ingestion quota.

  • Data stored per log type

  • Average data latency by log type

To adjust the timeframe of the charts, use the date picker in the upper right corner.

Viewing filtered event volume

To view metrics on events filtered out using ingestion filters:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click the Analytics Dashboard tab.

  3. In the Data Ingestion Dashboard, click the Filtered Out Events tab.

    • See the Filtered Events data points.

How to monitor individual log sources

Using the log sources list

The table of log sources found at Configure > Log Sources contains monitoring and health information for each log source. Scroll to the right to see additional columns, such as Volume, Log filters, Data filtered, and Classification errors.

Using a log source's operations page

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click on any log source in the list to view that log source's operations page.

Viewing the log source Overview

The Overview tab displays actionable log source metrics and health information. The Basic Info section displays frequently used, click-to-copy metadata, as well as the ingestion pipeline status.

Source statuses

All statuses display the most recent timestamp for when that event occurred.

  • Source Created: Log source configuration is complete and Panther should be able to ingest log data from the source.

  • Last Data Received: Log data is available for normalization.

  • Last Data Ingested: Log data has been processed and normalized.

Overview stats

Overview stats

All data visualizations reflect the time period selected in the date picker.

  • Vol. of data processed: The amount of uncompressed log data that has been successfully processed and normalized for the selected time period.

  • % of total processed data: The amount of uncompressed log data ingested by this log source vs. the amount of all log data ingested for the selected time period.

  • # of events processed: The number of successfully processed and normalized events for the selected time period.

  • Data Processed by Log Type (chart): The amount of data ingested by the log type (the type of data).

  • Events (chart): The number of events processed.

Viewing the log source schemas

At the top of the operations page, click the Schemas tab to see all schemas that are parsing and normalizing the data for this source.

If you are looking at a custom log source that uses a Data Transport, you will be able to add or remove schemas here.

In the list of schemas, on the right side of a schema's tile, click View Data. You will be redirected to Search with pre-filled selections that you can run to view data associated with the schema for that source.

View log source raw data

This feature is only available to log sources onboarded with the S3 transport method.

The permission View Log Source Raw Data is required. By default, only users with the Admin role have this permission.

When onboarding an S3 log source with or without log types, you get direct access to the log source's raw data that Panther receives.

To access the log source's raw data:

  1. Log in to the Panther Console.

  2. In the left sidebar menu, click Configure > Log Sources.

  3. Click the Schemas tab then the Edit button

In the Schema Configuration, you can view events for a specific time range. Optionally, you can limit results by applying filters for the S3 key prefix and a search string to match each event.

Viewing the log source health

At the top of the operations page, click the Health tab to see all system health alerts related to the health of the log source you are viewing.

This page displays errors related to data classification, log drop-off, S3 Get.Object, and permissions.

You can learn more about these error types in the documentation: System Health Notifications.

Viewing the log source configuration

In the upper right side of the operations page, click Configuration to see the log source's configuration details.

  • Click Delete to delete the log source and associated configurations.

  • Click Edit to update the existing configuration.

Last updated