# Fluentd Logs

## Overview

Panther supports ingesting Fluentd logs via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options: HTTP Source, Amazon Web Services (AWS) S3 and SQS.

## How to onboard Fluentd logs to Panther

To connect these logs into Panther:

1. In the lefthand navigation menu of the Panther Console, click **Configure > Log Sources**.
2. Click **Create New**.
3. Search for "Fluentd", then click its tile.
4. In the slide-out panel, select the **Transport Mechanism** you wish to use for this integration.
5. Click **Start Setup**.
6. Follow Panther's instructions for configuring your chosen Data Transport method:
   * [HTTP](https://docs.panther.com/data-onboarding/data-transports/http)
     * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
     * Do not proceed to the next step until the creation of your HTTP endpoint has completed.
   * [AWS S3 bucket](https://docs.panther.com/data-onboarding/data-transports/aws/s3)
   * [AWS SQS](https://docs.panther.com/data-onboarding/data-transports/aws/sqs)
7. Configure Fluentd to push logs to the Data Transport source.
   * See Fluentd's documentation for instructions on pushing logs to your selected Data Transport source.

## Supported log types

### Fluentd.Syslog3164

Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)

For more information, see the [Fluentd Documentation on Syslog RFC-3164 Parser.](https://docs.fluentd.org/parser/syslog#rfc3164-log)

```yaml
schema: Fluentd.Syslog3164
description: Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc3164-log
fields:
    - name: pri
      description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
      type: smallint
    - name: host
      required: true
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: ident
      required: true
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: pid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: bigint
    - name: message
      required: true
      description: Message contains free-form text that provides information about the event.
      type: string
    - name: time
      required: true
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S %z'
      isEventTime: true
    - name: tag
      required: true
      description: Tag of the syslog message
      type: string
```

### Fluentd.Syslog5424

Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)

For more information, see the [Fluentd Documentation for Syslog RFC-5424 Parser.](https://docs.fluentd.org/parser/syslog#rfc5424-log)

```yaml
schema: Fluentd.Syslog5424
description: Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages)
referenceURL: https://docs.fluentd.org/parser/syslog#rfc5424-log
fields:
    - name: pri
      description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
      type: smallint
    - name: host
      required: true
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: ident
      required: true
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: pid
      required: true
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: bigint
    - name: msgid
      required: true
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: extradata
      required: true
      description: ExtraData contains syslog structured data as string
      type: string
    - name: message
      required: true
      description: Message contains free-form text that provides information about the event.
      type: string
    - name: time
      required: true
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S %z'
      isEventTime: true
    - name: tag
      required: true
      description: Tag of the syslog message
      type: string
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/data-onboarding/supported-logs/fluentd.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.