Fastly Logs

Connecting Fastly logs to your Panther Console

Overview

Panther supports ingesting Fastly logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Fastly logs to Panther

To connect these logs into Panther:

In the lefthand navigation menu of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Fastly", then click its tile.
Set up your Data Transport in the Panther Console.
- Please follow Panther’s documentation for configuring the Data Transport option you will use:
  - AWS S3 bucket
  - AWS SQS
Configure Fastly to push logs to the Data Transport source.
- See Fastly's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Fastly.Access

To ensure Panther can parse the logs, make sure to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service.

For more information, see the Fastly Documentation on Common Log Format.

schema: Fastly.Access
parser:
    fastmatch:
        match:
            - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}'
        emptyValues:
            - '-'
        trimSpace: true
description: |-
    Fastly logs in the Common Log Format. To ensure Panther can parse the logs, make sure
    to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service.
referenceURL: https://docs.fastly.com/en/guides/useful-log-formats#common-log-format-clf
fields:
    - name: remote_host_ip_address
      description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
      type: string
      indicators:
        - hostname
    - name: client_identity_rfc_1413
      description: The RFC 1413 identity of the client determined by identd on the clients machine.
      type: string
    - name: request_user
      description: The userid of the person requesting the document as determined by HTTP authentication.
      type: string
      indicators:
        - username
    - name: request_time
      description: The time that the request was received.
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request_method
      description: The HTTP request method
      type: string
    - name: request_uri
      description: The HTTP request URI
      type: string
    - name: request_protocol
      description: The HTTP request protocol
      type: string
    - name: response_status
      description: The HTTP status of the response
      type: smallint
    - name: response_size
      description: The size of the HTTP response in bytes
      type: bigint

PreviousEnvoy Logs NextFluentd Logs

Last updated 11 months ago

Was this helpful?

How to onboard Fastly logs to Panther

To connect these logs into Panther:

In the lefthand navigation menu of the Panther Console, click Configure > Log Sources.

Click Create New.

Search for "Fastly", then click its tile.

Set up your Data Transport in the Panther Console.

Please follow Panther’s documentation for configuring the Data Transport option you will use:
- AWS S3 bucket
- AWS SQS

Configure Fastly to push logs to the Data Transport source.

See Fastly's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Fastly.Access

To ensure Panther can parse the logs, make sure to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service.

schema: Fastly.Access
parser:
    fastmatch:
        match:
            - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}'
        emptyValues:
            - '-'
        trimSpace: true
description: |-
    Fastly logs in the Common Log Format. To ensure Panther can parse the logs, make sure
    to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service.
referenceURL: https://docs.fastly.com/en/guides/useful-log-formats#common-log-format-clf
fields:
    - name: remote_host_ip_address
      description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
      type: string
      indicators:
        - hostname
    - name: client_identity_rfc_1413
      description: The RFC 1413 identity of the client determined by identd on the clients machine.
      type: string
    - name: request_user
      description: The userid of the person requesting the document as determined by HTTP authentication.
      type: string
      indicators:
        - username
    - name: request_time
      description: The time that the request was received.
      type: timestamp
      timeFormats:
        - '%d/%b/%Y:%H:%M:%S %z'
      isEventTime: true
    - name: request_method
      description: The HTTP request method
      type: string
    - name: request_uri
      description: The HTTP request URI
      type: string
    - name: request_protocol
      description: The HTTP request protocol
      type: string
    - name: response_status
      description: The HTTP status of the response
      type: smallint
    - name: response_size
      description: The size of the HTTP response in bytes
      type: bigint