Panther Log Forwarder (Beta)
Forward logs from your on-premises devices to Panther using the Panther Log Forwarder
Overview
The Panther Log Forwarder is in open beta starting with Panther version 1.121, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther Log Forwarder is a lightweight tool for forwarding logs from on-premises infrastructure to Panther. It collects logs from files or syslog and sends them to Panther through an HTTP source or S3 bucket.
Download Links
Download the latest release for your platform:
Get Started
Follow these steps to install the log forwarder and start sending logs in minutes. This is an example of sending logs from a file to an HTTP source in Panther with default configuration. For sending logs to an S3 bucket and more configuration options, see below.
Prerequisites
Linux with systemd (Ubuntu 20.04+, Debian 11+, RHEL 8+, Rocky Linux 8+)
Sudo/root access
An HTTP Source URL and Bearer Token from Panther Console (see HTTP transport documentation)
Step 1: Install
Optional: Verify checksum before installing
Step 2: Configure a Forwarder
Create a YAML file in /etc/panther-log-forwarder/forwarders.d/ and paste the following content. Replace the url and token values with the ones from your HTTP log source.
Step 3: Validate and Start
Logs should appear in Panther's Data Explorer within a few minutes.
Commands
Command | Description
panther-log-forwarder validate | Validate configuration syntax
panther-log-forwarder check-connectivity | Test connectivity to all destinations
panther-log-forwarder check-connectivity --forwarder NAME | Test a specific forwarder
panther-log-forwarder start | Run in foreground (for debugging)
panther-log-forwarder status | Show health, metrics, and per-forwarder stats
panther-log-forwarder --version | Show version
For production, use systemd: sudo systemctl start panther-log-forwarder
Configuration Reference
The log forwarder uses two types of configuration files:
Global settings in /etc/panther-log-forwarder/panther.conf — created automatically during installation with sensible defaults
Forwarder definitions in /etc/panther-log-forwarder/forwarders.d/*.yaml — you create these to define what logs to collect and where to send them
Global Configuration
The installer creates /etc/panther-log-forwarder/panther.conf with default values. Edit it only if you need to change defaults:
Forwarder Configuration
Each forwarder is added with a unique name under forwarders and has an input (what to collect) and output (where to send) section.
Forwarder names must start with a letter, contain only alphanumeric characters, underscores, or hyphens, and be 1-64 characters long.
You can organize forwarders across multiple files or put them all in one — any .yaml file in forwarders.d/ is loaded.
Input Types
File Input
Tail log files using glob patterns:
Field | Required | Default | Description
type | Yes | — | Must be file
path | Yes | — | File path or glob pattern
excludes | No | — | Array of glob patterns to exclude
read_from | No | end | end = new lines only; beginning = read existing content
format | No | — | Content format hint. Set to syslog when tailing syslog-formatted files (use with parse: json, see below)
parse | No | — | Set to json to parse syslog lines into structured JSON (requires format: syslog)
Using read_from: beginning will send all existing log lines in the file. For large files, this may take considerable time and disk buffer space.
Notes:
Only newline-delimited logs are supported (one log entry per line)
Multi-line logs are not currently supported
On startup, the log forwarder validates that file paths are accessible and reports permission errors before starting
Syslog Input
Receive syslog messages over the network:
Field | Required | Description
type | Yes | Must be syslog
mode | Yes | tcp or udp
address | Yes | Host and port to listen on
parse | No | Set to json to parse syslog messages into structured JSON
Notes:
Messages will be sent in raw format to Panther. If your messages adhere to RFC 3164 or RFC 5424 format, you can use the corresponding built-in syslog schema in Panther (Syslog.RFC5424/Syslog.RFC3164) for proper parsing and classification.
Use parse: json to send the message parsed as JSON to your Panther source. Parsing is best effort and covers most common syslog formats, in addition to RFC-compliant ones.
Output Types
HTTP Output
Send logs to a Panther HTTP source:
Field | Required | Default | Description
type | No | http | Output type (can be omitted for HTTP)
url | Yes | — | Panther HTTP source URL
buffer_size | No | 3GB | Per-forwarder disk buffer size override
S3 Output
Send logs to an Amazon S3 bucket — no AWS keys needed in config.
Field | Required | Default | Description
type | Yes | — | Must be s3
bucket | Yes | — | S3 bucket name
region | Yes | — | AWS region (e.g., us-east-1)
key_prefix | No | logs/{forwarder_name}/%Y/%m/%d/ | S3 key prefix (supports strftime tokens, must end with /)
buffer_size | No | 3GB | Per-forwarder disk buffer size override
Notes:
Authentication: IAM instance profiles (recommended) or environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY). File-based credentials (~/.aws/credentials) are not supported because the service does not have access to home directories.
The IAM identity used must have s3:PutObject and s3:HeadBucket permissions on the target bucket
Logs are gzip-compressed before upload
Batching: 10MB or 60 seconds (whichever comes first)
Credential Management
HTTP output requires a bearer token. There are two ways to provide it:
Plaintext Token
Forwarder files are secured with 0640 permissions and root:panther-log-forwarder ownership — only root can write, only the agent service can read.
Environment Variable
Use ${ENV_VAR} syntax to reference an environment variable:
Set the variable in systemd, Docker Compose, Kubernetes Secrets, etc.
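The two options above can be checked on a host with a short audit. This is an added example, not part of the Panther tooling: it compares forwarders.d and its .yaml files against the documented 0750 and 0640 modes and root:panther-log-forwarder ownership, and flags token values that are not ${ENV_VAR} references. The key name token and the function names are assumptions; pass owner=None and group=None to skip the ownership checks.

```python
import grp
import os
import pwd
import re
import stat

# A token value that is not a ${ENV_VAR} reference. The key name "token" is
# an assumption based on the page's wording, not a documented schema.
PLAINTEXT_TOKEN = re.compile(
    r"^[ \t]*token[ \t]*:[ \t]*(?![\"']?\$\{)\S", re.MULTILINE
)


def _name(lookup, numeric_id):
    """Resolve a uid/gid to a name; ids without an entry return the number."""
    try:
        return lookup(numeric_id)[0]
    except KeyError:
        return str(numeric_id)


def audit_forwarder_dir(conf_dir, owner="root", group="panther-log-forwarder"):
    """Return findings for forwarders.d and the .yaml files inside it."""
    findings = []
    names = sorted(n for n in os.listdir(conf_dir) if n.endswith(".yaml"))
    targets = [(conf_dir, 0o750)]
    targets += [(os.path.join(conf_dir, n), 0o640) for n in names]
    for path, allowed in targets:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~allowed:  # any permission bit beyond the documented mode
            findings.append(f"{path}: mode {mode:04o} exceeds {allowed:04o}")
        if owner and _name(pwd.getpwuid, st.st_uid) != owner:
            findings.append(f"{path}: owner is not {owner}")
        if group and _name(grp.getgrgid, st.st_gid) != group:
            findings.append(f"{path}: group is not {group}")
        if stat.S_ISREG(st.st_mode):
            with open(path, encoding="utf-8", errors="replace") as handle:
                if PLAINTEXT_TOKEN.search(handle.read()):
                    findings.append(f"{path}: plaintext token on disk")
    return findings


if __name__ == "__main__":
    for finding in audit_forwarder_dir("/etc/panther-log-forwarder/forwarders.d"):
        print(finding)
```

A plaintext token is only reported, not treated as an error, since the page allows it; the finding matters most when it appears together with a mode or ownership finding for the same file.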
Disk Buffering
Each forwarder has its own disk buffer (default: 3GB) to prevent data loss during network outages. Logs are stored on disk until they can be forwarded.
When the buffer fills:
File inputs — the forwarder blocks and stops reading until buffer space frees up (no data loss, but log files may grow)
Syslog inputs — the forwarder drops newest incoming messages (prevents memory issues, but some logs may be lost)
Configure buffer size globally in panther.conf or per-forwarder with buffer_size in the output section.
The default 3GB is sufficient for most deployments. Consider increasing the buffer size for high-volume sources to ensure no data loss.
Syslog Parsing
By default, syslog messages are forwarded as raw text. Adding parse: json to the input parses syslog messages into structured JSON with fields like timestamp, hostname, appname, severity, and message.
This works with both input types:
Network syslog (type: syslog + parse: json) — uses built-in syslog parsing
File syslog (type: file + format: syslog + parse: json) — parses each line as a syslog message
Network syslog with parsing
File syslog with parsing
Use format: syslog and parse: json on the input to indicate the file contains syslog-formatted lines that should be parsed:
parse: json requires a syslog context — either input.type: syslog or input.format: syslog. It cannot be used with plain file inputs.
When parse: json is enabled, parsing is best-effort, but it covers most common syslog formats, including RFC 3164 and RFC 5424. Lines that fail to parse are dropped.
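Because unparsed lines are dropped, it is worth sampling a source before enabling parse: json. The following added example (not the forwarder's own parser) applies strict RFC 5424 and RFC 3164 patterns to constructed sample lines and lists the ones that match neither. The patterns, the function names and reporting severity by name are assumptions; the forwarder's best-effort parser accepts more formats, so this check over-reports.

```python
import re

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Structured data is matched loosely (escaped "]" inside values is not handled).
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+)"
    r" \S+ \S+ (?:-|(?:\[[^\]]*\])+)(?: (?P<message>.*))?"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG. PRI is optional here
# because syslog daemons usually omit it when writing to a file.
RFC3164 = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
    r" (?P<hostname>\S+) (?P<appname>[^\s:\[]+)(?:\[\d+\])?: ?(?P<message>.*)"
)


def parse_syslog(line):
    """Return the parsed fields, or None when neither pattern matches."""
    for pattern in (RFC5424, RFC3164):
        match = pattern.fullmatch(line.rstrip("\r\n"))
        if not match:
            continue
        fields = match.groupdict()
        pri = fields.pop("pri")
        if pri is not None and int(pri) > 191:  # PRI is facility * 8 + severity
            return None
        fields["severity"] = SEVERITIES[int(pri) & 7] if pri is not None else None
        fields["message"] = fields["message"] or ""
        return fields
    return None


def unparsed(lines):
    """Lines this strict parser rejects: review them before enabling parsing."""
    return [line for line in lines if parse_syslog(line) is None]


# Constructed sample lines (host names are made up).
SAMPLE = [
    "<34>1 2024-05-01T12:00:00Z web01 sshd 2211 - - Failed password for admin",
    "<38>Oct  9 07:15:02 web01 sshd[2211]: Accepted publickey for deploy",
    "Oct  9 07:15:03 web01 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01 12:00:04 ERROR database connection lost",
]

if __name__ == "__main__":
    print(unparsed(SAMPLE))
```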
More Examples
Syslog Server
Multiple Files with Exclusions
Multiple Forwarders in One File
Syslog to S3 with JSON Parsing
S3 Output
Troubleshooting
Checking Logs
There are two log files to check when troubleshooting:
/var/log/panther-log-forwarder/log-forwarder.log — Check this for issues with the forwarder service itself, such as startup failures, configuration errors, and connectivity problems.
/var/log/panther-log-forwarder/vector.log — Check this for issues with the data pipeline, such as log ingestion problems, parsing errors, and delivery failures.
Log Forwarder Won't Start
Common causes:
Configuration errors — Run sudo panther-log-forwarder validate
Permission issues — Verify /etc/panther-log-forwarder/forwarders.d/ has 0750 permissions
File access errors — The log forwarder checks file paths on startup. Verify paths exist and are readable by the panther-log-forwarder user
Port conflicts — For syslog inputs, ensure the listening port is available
No Logs Appearing in Panther
Common causes:
Invalid bearer token — Verify token matches Panther Console
Network issues — Test HTTPS connectivity to Panther endpoint
Incorrect URL — Double-check URL from Panther Console
File path issues — Verify paths exist and are readable
S3 permissions — For S3 output, verify IAM permissions allow PutObject and HeadBucket
Configuration Errors
Common issues:
YAML syntax errors (indentation, quotes)
Missing required fields (type in input, url/auth for HTTP, bucket/region for S3)
Invalid input type (must be file or syslog)
Invalid output type (must be http or s3)
Invalid forwarder name (must start with a letter, alphanumeric/underscore/hyphen only)
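The rules in this list, together with the parse: json and key_prefix constraints from the Configuration Reference, written out as a pre-deployment check. This is an added example, not Panther's validator: it assumes the YAML has already been loaded into a dictionary with a top-level forwarders mapping of name to input/output sections, checks auth only for presence, and lint_forwarders and the sample values are hypothetical.

```python
import re

# Name rule from the page: starts with a letter; letters, digits, underscores
# or hyphens only; 1-64 characters in total.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")
INPUT_REQUIRED = {"file": ["path"], "syslog": ["mode", "address"]}
OUTPUT_REQUIRED = {"http": ["url", "auth"], "s3": ["bucket", "region"]}


def lint_forwarders(doc):
    """Return a list of problems in one parsed forwarders.d document."""
    problems = []
    for name, fwd in (doc.get("forwarders") or {}).items():
        inp, out = fwd.get("input") or {}, fwd.get("output") or {}
        if not NAME_RE.fullmatch(str(name)):
            problems.append(f"{name}: invalid forwarder name")
        itype = inp.get("type")
        if itype not in INPUT_REQUIRED:
            problems.append(f"{name}: input.type must be file or syslog")
        otype = out.get("type", "http")  # type can be omitted for HTTP
        if otype not in OUTPUT_REQUIRED:
            problems.append(f"{name}: output.type must be http or s3")
        missing = [f"input.{k}" for k in INPUT_REQUIRED.get(itype, []) if k not in inp]
        missing += [f"output.{k}" for k in OUTPUT_REQUIRED.get(otype, []) if k not in out]
        problems += [f"{name}: missing {m}" for m in missing]
        if itype == "syslog" and inp.get("mode") not in (None, "tcp", "udp"):
            problems.append(f"{name}: input.mode must be tcp or udp")
        # parse: json is only valid with a syslog context on the input.
        if inp.get("parse") == "json" and "syslog" not in (itype, inp.get("format")):
            problems.append(f"{name}: parse: json needs type or format syslog")
        prefix = out.get("key_prefix")
        if otype == "s3" and prefix is not None and not prefix.endswith("/"):
            problems.append(f"{name}: output.key_prefix must end with /")
    return problems


# Constructed sample, shaped as the YAML would load (layout is an assumption).
SAMPLE = {"forwarders": {
    "nginx_access": {"input": {"type": "file", "path": "/var/log/nginx/*.log"},
                     "output": {"url": "https://example.invalid/", "auth": "x"}},
    "9-firewall": {"input": {"type": "syslog", "mode": "tcp", "address": "0.0.0.0:5514"},
                   "output": {"type": "s3", "bucket": "example-bucket",
                              "region": "us-east-1", "key_prefix": "logs/fw"}},
    "app_json": {"input": {"type": "file", "path": "/var/log/app.log", "parse": "json"},
                 "output": {"type": "s3", "bucket": "example-bucket"}},
}}

if __name__ == "__main__":
    print("\n".join(lint_forwarders(SAMPLE)))
```

On the target host, panther-log-forwarder validate remains the authoritative check; a script like this is useful where the binary is not installed, such as a review pipeline for configuration changes.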
Operations
Adding New Forwarders
Create a new source in Panther Console (HTTP or S3).
Add a new YAML file in /etc/panther-log-forwarder/forwarders.d/.
Validate: sudo panther-log-forwarder validate
Restart: sudo systemctl restart panther-log-forwarder
Updating Configuration
Edit files in /etc/panther-log-forwarder/.
Validate: sudo panther-log-forwarder validate
Restart: sudo systemctl restart panther-log-forwarder
Credential Rotation
Generate a new bearer token in Panther Console.
Update the token in your forwarder configuration file.
Restart: sudo systemctl restart panther-log-forwarder
Upgrading
Download the new release tarball and checksum for your platform (see Download Links).
Verify the checksum, extract, and run the installer:
The installer automatically restarts the service if it was running. Verify the upgrade:
Configuration files in /etc/panther-log-forwarder/ are preserved during upgrades.
Uninstalling
File Locations
Path | Description
/etc/panther-log-forwarder/panther.conf | Global settings
/etc/panther-log-forwarder/forwarders.d/*.yaml | Forwarder configs
/var/log/panther-log-forwarder/log-forwarder.log | Log forwarder logs
/var/log/panther-log-forwarder/vector.log | Vector logs

