Fluentd Logs
Connecting Fluentd logs to your Panther Console
Overview
Panther supports ingesting Fluentd logs via common Data Transport options: HTTP Source, Amazon Web Services (AWS) S3 and SQS.
How to onboard Fluentd logs to Panther
To connect these logs into Panther:
In the lefthand navigation menu of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Fluentd", then click its tile.
In the slide-out panel, select the Transport Mechanism you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring your chosen Data Transport method:
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Configure Fluentd to push logs to the Data Transport source.
See Fluentd's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Fluentd.Syslog3164
Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
For more information, see the Fluentd Documentation on Syslog RFC-3164 Parser.
schema: Fluentd.Syslog3164
description: Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc3164-log
fields:
- name: pri
description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
type: smallint
- name: host
required: true
description: Hostname identifies the machine that originally sent the syslog message.
type: string
indicators:
- hostname
- name: ident
required: true
description: Appname identifies the device or application that originated the syslog message.
type: string
- name: pid
description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
type: bigint
- name: message
required: true
description: Message contains free-form text that provides information about the event.
type: string
- name: time
required: true
description: Timestamp of the syslog message in UTC.
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S %z'
isEventTime: true
- name: tag
required: true
description: Tag of the syslog message
type: stringFluentd.Syslog5424
Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
For more information, see the Fluentd Documentation for Syslog RFC-5424 Parser.
schema: Fluentd.Syslog5424
description: Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc5424-log
fields:
- name: pri
description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
type: smallint
- name: host
required: true
description: Hostname identifies the machine that originally sent the syslog message.
type: string
indicators:
- hostname
- name: ident
required: true
description: Appname identifies the device or application that originated the syslog message.
type: string
- name: pid
required: true
description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
type: bigint
- name: msgid
required: true
description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
type: string
- name: extradata
required: true
description: ExtraData contains syslog structured data as string
type: string
- name: message
required: true
description: Message contains free-form text that provides information about the event.
type: string
- name: time
required: true
description: Timestamp of the syslog message in UTC.
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S %z'
isEventTime: true
- name: tag
required: true
description: Tag of the syslog message
type: stringLast updated
Was this helpful?