Panther supports ingesting Fluentd logs via common options: HTTP Source, Amazon Web Services (AWS) S3 and SQS.
How to onboard Fluentd logs to Panther
To connect these logs into Panther:
In the lefthand navigation menu of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Fluentd", then click its tile.
In the slide-out panel, select the Transport Mechanism you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring your chosen Data Transport method:
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Configure Fluentd to push logs to the Data Transport source.
See Fluentd's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Fluentd.Syslog3164
Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
schema: Fluentd.Syslog3164
description: Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc3164-log
fields:
- name: pri
description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
type: smallint
- name: host
required: true
description: Hostname identifies the machine that originally sent the syslog message.
type: string
indicators:
- hostname
- name: ident
required: true
description: Appname identifies the device or application that originated the syslog message.
type: string
- name: pid
description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
type: bigint
- name: message
required: true
description: Message contains free-form text that provides information about the event.
type: string
- name: time
required: true
description: Timestamp of the syslog message in UTC.
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S %z'
isEventTime: true
- name: tag
required: true
description: Tag of the syslog message
type: string
Fluentd.Syslog5424
Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
schema: Fluentd.Syslog5424
description: Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc5424-log
fields:
- name: pri
description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
type: smallint
- name: host
required: true
description: Hostname identifies the machine that originally sent the syslog message.
type: string
indicators:
- hostname
- name: ident
required: true
description: Appname identifies the device or application that originated the syslog message.
type: string
- name: pid
required: true
description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
type: bigint
- name: msgid
required: true
description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
type: string
- name: extradata
required: true
description: ExtraData contains syslog structured data as string
type: string
- name: message
required: true
description: Message contains free-form text that provides information about the event.
type: string
- name: time
required: true
description: Timestamp of the syslog message in UTC.
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S %z'
isEventTime: true
- name: tag
required: true
description: Tag of the syslog message
type: string
