Envoy Logs (Beta)
Stream Envoy logs directly to Panther over HTTPS
Overview
Envoy log ingestion is in open beta starting with Panther version 1.79, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting Envoy access logs by streaming them to an HTTP Source, after they are forwarded with Fluent Bit.
How to onboard Envoy logs to Panther
Step 1: Create a new Envoy log source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Envoy," then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
When setting the Auth method for the source, we recommend using Shared Secret. Save the header name and value in a secure location, as you will need them in Step 3.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Configure Envoy Logging
While it's possible to customize your Envoy logs by adding or removing fields, Panther's Envoy.Access schema is built to support the default log format. To prevent classification failures, use the default format for your log configuration.
Make the following additions to your
envoy.yml
configuration file:At the root level, add the following snippet to enable admin access logging:
Within the resources section, add the following snippet to each resource(s) you wish to enable access logging for:
If you customize the access log file path (
access.log
above), make sure to also point to the appropriate location in your Fluent Bit configuration.Restart your Envoy proxy, ensuring it is pointing to this updated configuration file, by running
envoy -c envoy.yml
.
Step 3: Configure Fluent Bit
Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.
Create a Fluent Bit configuration file, and set the following fields:
[INPUT]
variables:Name: Set to
tail
.Path: Set to the path to your log file.
Parser: Set to
envoy
.
[OUTPUT]
variables:Host: Enter your Panther URL.
Example:
logs.instance-name.runpanther.net
URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with
/http/
.Example:
/http/cb015ee4-543c-4489-9f4b-testaa16d7a
Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
Format: Set to
json_lines
Name: Set to
http
.TLS: Set to
ON
.Port: Set to
443
.
Start Fluent Bit, passing the path to your new configuration file and the path to the
parsers.conf
file. Theenvoy
parser is available with the default parser configuration that ships with Fluent Bit.Example:
fluent-bit -c fluent.conf -R /var/etc/fluent-bit/parsers.conf
Supported Log Types
Envoy.Access
The following defines the Envoy access log schema:
Last updated