Fluentd Logs

Connecting Fluentd logs to your Panther Console

Overview

Panther supports ingesting Fluentd logs via common Data Transport options: HTTP Source, Amazon Web Services (AWS) S3 and SQS.

How to onboard Fluentd logs to Panther

To connect these logs into Panther:

In the lefthand navigation menu of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Fluentd", then click its tile.
In the slide-out panel, select the Transport Mechanism you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring your chosen Data Transport method:
- HTTP
  - Payloads sent to this source are subject to the payload requirements for all HTTP sources.
  - Do not proceed to the next step until the creation of your HTTP endpoint has completed.
- AWS S3 bucket
- AWS SQS
Configure Fluentd to push logs to the Data Transport source.
- See Fluentd's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Fluentd.Syslog3164

Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)

For more information, see the Fluentd Documentation on Syslog RFC-3164 Parser.

schema: Fluentd.Syslog3164
description: Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc3164-log
fields:
    - name: pri
      description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
      type: smallint
    - name: host
      required: true
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: ident
      required: true
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: pid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: bigint
    - name: message
      required: true
      description: Message contains free-form text that provides information about the event.
      type: string
    - name: time
      required: true
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S %z'
      isEventTime: true
    - name: tag
      required: true
      description: Tag of the syslog message
      type: string

Fluentd.Syslog5424

Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)

For more information, see the Fluentd Documentation for Syslog RFC-5424 Parser.

schema: Fluentd.Syslog5424
description: Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc5424-log
fields:
    - name: pri
      description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
      type: smallint
    - name: host
      required: true
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: ident
      required: true
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: pid
      required: true
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: bigint
    - name: msgid
      required: true
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: extradata
      required: true
      description: ExtraData contains syslog structured data as string
      type: string
    - name: message
      required: true
      description: Message contains free-form text that provides information about the event.
      type: string
    - name: time
      required: true
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S %z'
      isEventTime: true
    - name: tag
      required: true
      description: Tag of the syslog message
      type: string

PreviousFastly Logs NextGCP Logs

Last updated 5 months ago