Supported Logs

Panther supports 100+ security log types across 50+ different categories

Overview

Panther has native schema support for each of the sources listed below, with different supported methods to ingest data depending on the log source.

If you would like to ingest logs from a source not listed as Panther-supported, you can either define your own Custom Log source or request support of a new log source.

For information on tracking logged activity within your Panther instance, please see Panther Audit Logs.

View all Panther-supported log sources in the list below or in your Panther Console, by navigating to the Log Sources > Add New Source page. There, you can browse sources in the grid or use the search bar to find a source:

The heading reads, "What type of logs do you want to monitor with this source?" and below it is a circled search bar.

Working with Panther-managed schemas

For each Panther-supported log source, Panther produces and maintains associated log schemas. You can find the schemas associated to each source on the source's documentation page. Certain Panther-managed schemas can use field discovery.

Testing a Panther-managed schema

The log files can be compressed using the following formats:

gzip
zstd (without dictionary)

If you'd like to validate that a Panther-managed schema will parse your logs correctly, you can test sample logs against the Panther-managed schema (just like you can test logs against a custom schema). Follow the steps below:

In the left-hand navigation bar of your Panther Console, click Configure > Schemas.
Click on the name of a schema labeled PANTHER MANAGED.
In the upper-right corner, click Test Schema.
Choose Upload Sample file or Paste sample event(s).
After uploading your sample(s), in the upper-right corner, click Run Test.

There is a slide-out panel titled "Test schema against sample logs" and a circled "Run Test" button.

Cloning a Panther-managed schema

It is not possible to edit a Panther-managed schema. Instead, you can clone the schema to create a copy of it, which you can edit. To clone a schema:

In the left-hand navigation bar of your Panther Console, click Configure > Schemas.
Click on the name of a schema in the list.
In the upper-right corner of the schema's details page, click Clone.

For information on editing a custom schema, see the Custom Logs documentation.

Panther-supported log sources

Panther offers built-in support for each of the following log sources. Click a tile to learn more about that source:

1Password

Apache

AppOmni

Asana

Atlassian

Auditd

Auth0

AWS ALB

AWS Aurora

AWS CloudFront

AWS CloudTrail

AWS CloudWatch

AWS Config

AWS EKS

AWS GuardDuty

AWS Security Hub

Amazon Security Lake

AWS S3

AWS Transit Gateway

AWS VPC

AWS WAF

Azure Monitor

Bitwarden

Box

Carbon Black

Cisco Umbrella

Cloudflare

CrowdStrike

Docker

Dropbox

Duo Security

Envoy

Fastly

Fluentd

GCP

GitHub

GitLab

Google Workspace

Heroku

Jamf Pro

Juniper

Lacework

Material Security

Microsoft 365

Microsoft Entra ID Audit

Microsoft Graph

MongoDB Atlas

Netskope

Nginx

Notion

Okta

OneLogin

Orca Security

Osquery

OSSEC

Proofpoint

Push Security

Salesforce

SentinelOne

Slack

Snowflake Audit

Snyk

Sophos

Sublime Security

Suricata

Sysdig

Syslog

Tailscale

Teleport

Tenable Vulnerability Management

Thinkst Canary

Tines

Tracebit

Windows Event

Wiz

Zeek

Zendesk

Zoom

Zscaler

Troubleshooting supported logs

Visit the Panther Knowledge Base to view articles about supported log sources that answer frequently asked questions and help you resolve common errors and issues.

PreviousData Sources & Transports Next1Password Logs

Last updated 1 month ago

Was this helpful?