AWS NLB log ingestion is in open beta starting with Panther version 1.118, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting Amazon Web Services (AWS) Network Load Balancer (NLB) logs via AWS S3.
AWS NLB access logs only support TLS listeners. TCP and UDP listeners do not generate access logs.
How to onboard AWS NLB logs to Panther
To pull NLB logs into Panther, set up an S3 bucket in the Panther Console to stream data from your AWS account.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AWS Network Load Balancer," then click its tile.
Network Load Balancer access logs record Layer 4 TLS connection details for your Network Load Balancer. For more information, see AWS's documentation on NLB access logs.
schema: AWS.NLB
parser:
  native:
    name: AWS.NLB
description: Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer.
referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
fields:
  - name: type
    required: true
    description: The type of request or connection.
    type: string
  - name: version
    required: true
    description: The log format version.
    type: string
  - name: time
    required: true
    description: The time when the connection was closed.
    type: timestamp
    timeFormat: rfc3339
  - name: elb
    description: The resource ID of the load balancer.
    type: string
  - name: listener
    description: The resource ID of the TLS listener.
    type: string
  - name: clientIp
    description: The IP address of the client.
    type: string
  - name: clientPort
    description: The port of the client.
    type: bigint
  - name: destinationIp
    description: The IP address of the destination.
    type: string
  - name: destinationPort
    description: The port of the destination.
    type: bigint
  - name: connectionTime
    description: The total time of the connection in milliseconds.
    type: bigint
  - name: tlsHandshakeTime
    description: The total time for the TLS handshake in milliseconds.
    type: bigint
  - name: receivedBytes
    description: The number of bytes received from the client.
    type: bigint
  - name: sentBytes
    description: The number of bytes sent to the client.
    type: bigint
  - name: incomingTlsAlert
    description: The TLS alert code if an alert was received.
    type: bigint
  - name: chosenCertArn
    description: The ARN of the certificate presented to the client.
    type: string
  - name: chosenCertSerial
    description: Reserved field.
    type: string
  - name: tlsCipher
    description: The TLS cipher suite negotiated.
    type: string
  - name: tlsProtocolVersion
    description: The TLS protocol version.
    type: string
  - name: tlsKeyExchange
    description: The TLS key exchange algorithm.
    type: string
  - name: domainName
    description: The SNI hostname provided by the client.
    type: string
  - name: alpnFeProtocol
    description: The protocol negotiated with the client via ALPN.
    type: string
  - name: alpnBeProtocol
    description: The protocol negotiated with the backend via ALPN.
    type: string
  - name: alpnClientPreferenceList
    description: The list of protocols in the ALPN preference list presented by the client.
    type: array
    element:
      type: string
  - name: tlsConnectionCreationTime
    description: The time when the TLS connection was established.
    type: timestamp
    timeFormat: rfc3339
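
An added example, not part of Panther's documentation or detection packs: Python rule functions in the shape Panther rules use (rule, title, dedup, severity, alert_context) that flag AWS.NLB events where a deprecated TLS version was negotiated. The field names come from the schema above; the version spellings, the treatment of empty fields as None, and the sample events are assumptions constructed for illustration.

```python
# Added example: Panther-style rule functions over parsed AWS.NLB events.
# Field names come from the schema above. Assumptions: version strings look
# like "tlsv12", and fields logged as "-" are absent (None) after parsing.
DEPRECATED = {"sslv3", "tlsv1", "tlsv10", "tlsv11"}


def _version(event):
    # Normalise so "TLSv1.1", "tlsv1.1" and "tlsv11" all compare equal.
    return (event.get("tlsProtocolVersion") or "").lower().replace(".", "")


def rule(event):
    # Fire when client and listener agreed on a deprecated protocol version.
    return _version(event) in DEPRECATED


def title(event):
    return (f"Deprecated {_version(event)} negotiated on NLB listener "
            f"{event.get('listener') or '<unknown>'}")


def dedup(event):
    # Group alerts per listener and version, not per client connection.
    return f"{event.get('listener')}:{_version(event)}"


def severity(event):
    # No incoming TLS alert plus received bytes: data moved over weak TLS.
    if event.get("incomingTlsAlert") is None and (event.get("receivedBytes") or 0) > 0:
        return "MEDIUM"
    return "LOW"


def alert_context(event):
    keys = ("clientIp", "domainName", "tlsCipher", "chosenCertArn", "elb")
    return {k: event.get(k) for k in keys}


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"type": "tls", "listener": "listener-a", "clientIp": "203.0.113.10",
     "tlsProtocolVersion": "tlsv12", "receivedBytes": 98},
    {"type": "tls", "listener": "listener-a", "clientIp": "203.0.113.11",
     "tlsProtocolVersion": "tlsv11", "receivedBytes": 120},
    {"type": "tls", "listener": "listener-a", "clientIp": "203.0.113.12",
     "tlsProtocolVersion": "TLSv1.0", "receivedBytes": 0, "incomingTlsAlert": 40},
    {"type": "tls", "listener": "listener-b", "clientIp": "203.0.113.13"},
]

FLAGGED = [e["clientIp"] for e in SAMPLE_EVENTS if rule(e)]
```

Deduplicating on listener and version keeps a single legacy client population from producing one alert per connection while still separating listeners that need a security policy change.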