Links

Fastly Logs

Connecting Fastly logs to your Panther Console

Overview

Panther supports ingesting Fastly logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Fastly logs to Panther

To connect these logs into Panther:
  1. 1.
    In the lefthand navigation menu of the Panther Console, click Configure > Log Sources.
  2. 2.
    Click Create New.
  3. 3.
    Search for "Fastly", then click its tile.
  4. 4.
    Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use:
  5. 5.
    Configure Fastly to push logs to the Data Transport source.
    • See Fastly's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Fastly.Access

To ensure Panther can parse the logs, make sure to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service.
For more information, see the Fastly Documentation on Common Log Format.
schema: Fastly.Access
parser:
fastmatch:
match:
- '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}'
emptyValues:
- '-'
trimSpace: true
description: |-
Fastly logs in the Common Log Format. To ensure Panther can parse the logs, make sure
to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service.
referenceURL: https://docs.fastly.com/en/guides/useful-log-formats#common-log-format-clf
fields:
- name: remote_host_ip_address
description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address.
type: string
indicators:
- hostname
- name: client_identity_rfc_1413
description: The RFC 1413 identity of the client determined by identd on the clients machine.
type: string
- name: request_user
description: The userid of the person requesting the document as determined by HTTP authentication.
type: string
indicators:
- username
- name: request_time
description: The time that the request was received.
type: timestamp
timeFormats:
- '%d/%b/%Y:%H:%M:%S %z'
isEventTime: true
- name: request_method
description: The HTTP request method
type: string
- name: request_uri
description: The HTTP request URI
type: string
- name: request_protocol
description: The HTTP request protocol
type: string
- name: response_status
description: The HTTP status of the response
type: smallint
- name: response_size
description: The size of the HTTP response in bytes
type: bigint