AWS NLB

Connecting AWS NLB logs to your Panther Console

Overview

AWS NLB log ingestion is in open beta starting with Panther version 1.118, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Amazon Web Services (AWS) Network Load Balancer (NLB) logs via AWS S3.

AWS NLB access logs only support TLS listeners. TCP and UDP listeners do not generate access logs.

How to onboard AWS NLB logs to Panther

To pull NLB logs into Panther, set up an S3 bucket in the Panther Console to stream data from your AWS account.

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AWS Network Load Balancer," then click its tile.
In upper right-hand corner, click Start Setup.
Follow Panther's documentation for configuring S3 for data transport.

Panther-managed detections

See Panther-managed rules for AWS in the panther-analysis GitHub repository.

Supported NLB logs

AWS.NLB

Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer. For more information, see AWS's documentation on NLB access logs.

schema: AWS.NLB
parser:
  native:
    name: AWS.NLB
description: Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer.
referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
fields:
  - name: type
    required: true
    description: The type of request or connection.
    type: string
  - name: version
    required: true
    description: The log format version.
    type: string
  - name: time
    required: true
    description: The time when the connection was closed.
    type: timestamp
    timeFormat: rfc3339
  - name: elb
    description: The resource ID of the load balancer.
    type: string
  - name: listener
    description: The resource ID of the TLS listener.
    type: string
  - name: clientIp
    description: The IP address of the client.
    type: string
  - name: clientPort
    description: The port of the client.
    type: bigint
  - name: destinationIp
    description: The IP address of the destination.
    type: string
  - name: destinationPort
    description: The port of the destination.
    type: bigint
  - name: connectionTime
    description: The total time of the connection in milliseconds.
    type: bigint
  - name: tlsHandshakeTime
    description: The total time for the TLS handshake in milliseconds.
    type: bigint
  - name: receivedBytes
    description: The number of bytes received from the client.
    type: bigint
  - name: sentBytes
    description: The number of bytes sent to the client.
    type: bigint
  - name: incomingTlsAlert
    description: The TLS alert code if an alert was received.
    type: bigint
  - name: chosenCertArn
    description: The ARN of the certificate presented to the client.
    type: string
  - name: chosenCertSerial
    description: Reserved field.
    type: string
  - name: tlsCipher
    description: The TLS cipher suite negotiated.
    type: string
  - name: tlsProtocolVersion
    description: The TLS protocol version.
    type: string
  - name: tlsKeyExchange
    description: The TLS key exchange algorithm.
    type: string
  - name: domainName
    description: The SNI hostname provided by the client.
    type: string
  - name: alpnFeProtocol
    description: The protocol negotiated with the client via ALPN.
    type: string
  - name: alpnBeProtocol
    description: The protocol negotiated with the backend via ALPN.
    type: string
  - name: alpnClientPreferenceList
    description: The list of protocols in the ALPN preference list presented by the client.
    type: array
    element:
      type: string
  - name: tlsConnectionCreationTime
    description: The time when the TLS connection was established.
    type: timestamp
    timeFormat: rfc3339

PreviousAWS GuardDuty NextAWS Security Hub

Last updated 20 days ago

Was this helpful?

schema: AWS.NLB parser: native: name: AWS.NLB description: Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer. referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html fields: - name: type required: true description: The type of request or connection. type: string - name: version required: true description: The log format version. type: string - name: time required: true description: The time when the connection was closed. type: timestamp timeFormat: rfc3339 - name: elb description: The resource ID of the load balancer. type: string - name: listener description: The resource ID of the TLS listener. type: string - name: clientIp description: The IP address of the client. type: string - name: clientPort description: The port of the client. type: bigint - name: destinationIp description: The IP address of the destination. type: string - name: destinationPort description: The port of the destination. type: bigint - name: connectionTime description: The total time of the connection in milliseconds. type: bigint - name: tlsHandshakeTime description: The total time for the TLS handshake in milliseconds. type: bigint - name: receivedBytes description: The number of bytes received from the client. type: bigint - name: sentBytes description: The number of bytes sent to the client. type: bigint - name: incomingTlsAlert description: The TLS alert code if an alert was received. type: bigint - name: chosenCertArn description: The ARN of the certificate presented to the client. type: string - name: chosenCertSerial description: Reserved field. type: string - name: tlsCipher description: The TLS cipher suite negotiated. type: string - name: tlsProtocolVersion description: The TLS protocol version. type: string - name: tlsKeyExchange description: The TLS key exchange algorithm. type: string - name: domainName description: The SNI hostname provided by the client. type: string - name: alpnFeProtocol description: The protocol negotiated with the client via ALPN. type: string - name: alpnBeProtocol description: The protocol negotiated with the backend via ALPN. type: string - name: alpnClientPreferenceList description: The list of protocols in the ALPN preference list presented by the client. type: array element: type: string - name: tlsConnectionCreationTime description: The time when the TLS connection was established. type: timestamp timeFormat: rfc3339

hashtagOverview

hashtagHow to onboard AWS NLB logs to Panther

hashtagPanther-managed detections

hashtagSupported NLB logs

hashtagAWS.NLB

Overview

How to onboard AWS NLB logs to Panther

Panther-managed detections

Supported NLB logs

AWS.NLB