GitLab Logs

Connecting GitLab logs to your Panther Console


Last updated 4 months ago


Overview

Panther supports onboarding GitLab logs using Data Transport mechanisms.

This page describes two processes: the onboarding process for GitLab audit logs, and the onboarding process for all other GitLab log types. These processes differ because audit logs are ingested through GitLab audit event streaming, while non-audit logs are GitLab's JSON log files, which you ship to Panther through an AWS Data Transport.

Audit logs can be ingested with the HTTP Source, while other GitLab logs can be ingested with the Amazon Web Services (AWS) S3 and SQS Data Transports.

To ingest GitLab audit logs into Panther using audit event streaming as described below, you must have GitLab Ultimate.

How to onboard GitLab audit streaming logs to Panther

This process outlines how to onboard GitLab Audit logs. To onboard other types of GitLab logs, such as API, Exceptions, Integrations, Git, and Production logs, follow the separate process, How to onboard non-audit GitLab logs to Panther, below.

Step 1: Create an HTTP Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “GitLab,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the HTTP option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • You will be required to use shared secret authentication. This is the only method of authentication GitLab supports.

    • The Header Name associated with your Secret Key Value will be locked with a value of x-panther-gitlab.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Set up audit log streaming in GitLab

In the GitLab documentation, follow the Add a new HTTP destination process.

    • In the Destination field, enter the URL you generated in Step 1.

    • Add a header with the name x-panther-gitlab and, as its value, the Secret Key Value you configured in Panther in Step 1.
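The following Python script, added here as an illustration rather than code from Panther or GitLab, shows both sides of the exchange that Steps 1 and 2 set up: what GitLab's HTTP destination sends (a JSON audit event plus the x-panther-gitlab header carrying the shared secret) and the checks a receiver applies before trusting the payload (constant-time comparison of the header value, then a shape check against the fields the GitLab.Audit schema marks required). The endpoint URL, the secret value and the sample event are constructed placeholders; the receiver logic is a stand-in for Panther's own validation, not a copy of it.

```python
import hmac
import json
import urllib.request
from typing import Any

# Placeholders standing in for the values produced in Step 1 (assumptions, not real endpoints).
PANTHER_HTTP_SOURCE_URL = "https://example.invalid/panther/http-source/gitlab"
SHARED_SECRET = "replace-with-the-secret-key-value-from-panther"
HEADER_NAME = "x-panther-gitlab"  # fixed by Panther for the GitLab HTTP source

# Fields the GitLab.Audit schema marks required: true
REQUIRED_AUDIT_FIELDS = (
    "author_id", "entity_id", "entity_type", "author_name",
    "target_id", "target_type", "target_details",
)

# Constructed sample shaped like a GitLab audit event streaming payload (not real GitLab output).
SAMPLE_EVENT: dict[str, Any] = {
    "id": 42,
    "author_id": 7,
    "author_name": "alice",
    "entity_id": 6,
    "entity_type": "Project",
    "entity_path": "example-group/example-project",
    "event_type": "project_archived",
    "target_id": 6,
    "target_type": "Project",
    "target_details": "example-project",
    "ip_address": "203.0.113.10",
    "created_at": "2024-05-01T12:00:00.000Z",
    "details": {"custom_message": "Project archived"},
}


def build_streaming_request(event: dict[str, Any], secret: str = SHARED_SECRET) -> dict[str, Any]:
    """The request GitLab's HTTP destination makes: JSON body plus the custom header from Step 2."""
    return {
        "url": PANTHER_HTTP_SOURCE_URL,
        "headers": {"Content-Type": "application/json", HEADER_NAME: secret},
        "body": json.dumps(event).encode(),
    }


def accept_streaming_request(headers: dict[str, str], body: bytes,
                             secret: str = SHARED_SECRET) -> tuple[bool, str]:
    """Receiver-side gate: authenticate the header before looking at the body."""
    # Header names are case-insensitive on the wire, so match them that way.
    presented = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if presented is None:
        return False, "missing shared-secret header"
    # Constant-time comparison: a plain == would leak the secret one byte at a time.
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return False, "shared secret mismatch"
    try:
        event = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(event, dict):
        return False, "body must be a JSON object"
    missing = [f for f in REQUIRED_AUDIT_FIELDS if f not in event]
    if missing:
        return False, "missing required fields: " + ", ".join(missing)
    return True, "accepted"


def send_streaming_event(event: dict[str, Any], timeout: float = 10.0) -> int:
    """Post one event to the HTTP Source the way GitLab would; handy for a manual end-to-end test.
    Not called at import time because it needs network access."""
    req = build_streaming_request(event)
    request = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


def roundtrip(event: dict[str, Any], secret_on_gitlab_side: str = SHARED_SECRET) -> tuple[bool, str]:
    """Simulate GitLab sending and the receiver checking, entirely offline."""
    req = build_streaming_request(event, secret=secret_on_gitlab_side)
    return accept_streaming_request(req["headers"], req["body"])
```

roundtrip() exercises the header and shape checks without any network; send_streaming_event() is only worth running once Panther reports the HTTP endpoint from Step 1 as created, and with the real URL and secret substituted for the placeholders.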

How to onboard non-audit GitLab logs to Panther

The process below outlines how to onboard non-audit GitLab logs to Panther, such as API, Exceptions, Git, Integrations, and Production logs. If you'd like to onboard audit logs, follow the separate process, How to onboard GitLab audit streaming logs to Panther, above.

To connect these logs into Panther:

  1. Log in to the Panther Console.

  2. In the left sidebar, click Configure > Log Sources.

  3. Click Create New.

  4. Search for the log type you want to onboard, then click its tile.

  5. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:

    • AWS S3 bucket

    • AWS SQS

  6. Configure GitLab to push logs to the Data Transport source.

    • See GitLab's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

GitLab.API

Panther uses the latest version of GitLab API logs. Some fields differ from the official documentation.

Reference: GitLab documentation on API JSON logs.

schema: GitLab.API
description: |-
    GitLab log for API requests received from GitLab.
    NOTE: We are using the latest version of GitLab API logs. Some fields differ from the official documentation
referenceURL: https://docs.gitlab.com/ee/administration/logs/#api_jsonlog
fields:
    - name: time
      required: true
      description: The request timestamp
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: severity
      required: true
      description: The log level
      type: string
    - name: duration_s
      required: true
      description: The time spent serving the request (in seconds)
      type: float
    - name: db_duration_s
      description: The time spent querying the database (in seconds)
      type: float
    - name: view_duration_s
      description: The time spent rendering the view for the Rails controller (in seconds)
      type: float
    - name: status
      required: true
      description: The HTTP response status code
      type: smallint
    - name: method
      required: true
      description: The HTTP method of the request
      type: string
    - name: path
      required: true
      description: The URL path for the request
      type: string
    - name: params
      description: The URL query parameters
      type: array
      element:
        type: object
        fields:
            - name: key
              required: true
              description: Query parameter name
              type: string
            - name: value
              description: Query parameter value
              type: json
    - name: host
      required: true
      description: Hostname serving the request
      type: string
      indicators:
        - hostname
    - name: ua
      description: User-Agent HTTP header
      type: string
    - name: route
      required: true
      description: Rails route for the API endpoint
      type: string
    - name: remote_ip
      description: The remote IP address of the HTTP request
      type: string
      indicators:
        - ip
    - name: user_id
      description: The user id of the request
      type: bigint
    - name: username
      description: The username of the request
      type: string
      indicators:
        - username
    - name: gitaly_calls
      description: Total number of calls made to Gitaly
      type: bigint
    - name: gitaly_duration_s
      description: Total time taken by Gitaly calls
      type: float
    - name: redis_calls
      description: Total number of calls made to Redis
      type: bigint
    - name: redis_duration_s
      description: Total time to retrieve data from Redis
      type: float
    - name: correlation_id
      description: Request unique id across logs
      type: string
      indicators:
        - trace_id
    - name: queue_duration_s
      description: Total time that the request was queued inside GitLab Workhorse
      type: float
    - name: meta.user
      description: User that invoked the request
      type: string
      indicators:
        - username
    - name: meta.project
      description: Project associated with the request
      type: string
    - name: meta.root_namespace
      description: Root namespace
      type: string
    - name: meta.caller_id
      description: Caller ID
      type: string
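
A Panther-style Python detection over the GitLab.API schema, added here as an example and not code from Panther's managed detections. It shows the one thing that trips people up in this schema: params is an array of {key, value} objects, not a map, so a rule has to flatten it before it can look a parameter up. The rule flags API requests that carried a credential in the URL query (private_token or access_token, the query-parameter names GitLab's REST API accepts for token authentication), since anything in the query string ends up in this log and in any proxy in front of GitLab. The sample log lines are constructed, the event is a plain dict here whereas Panther passes an event object with the same .get() interface, and the credential key list is the author's choice.

```python
import json
from typing import Any

# Query-parameter names GitLab's REST API accepts for authentication; a token
# passed this way is written to api_json.log and to any proxy log in the path.
# The list is this example's choice; extend it for your own deployment.
CREDENTIAL_PARAMS = frozenset({"private_token", "access_token"})


def params_to_dict(event: dict[str, Any]) -> dict[str, Any]:
    """Flatten the schema's params array ([{key, value}, ...]) into a dict.
    A key that repeats keeps every value in a list so nothing is silently dropped."""
    flattened: dict[str, Any] = {}
    for item in event.get("params") or []:
        key = item.get("key")
        if key is None:
            continue
        value = item.get("value")
        if key in flattened:
            prev = flattened[key]
            flattened[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            flattened[key] = value
    return flattened


def rule(event: dict[str, Any]) -> bool:
    """Fire when a credential was sent as a query parameter. GitLab normally masks
    the value in the log ([FILTERED]); the key name alone proves the token was in the URL."""
    return any(key.lower() in CREDENTIAL_PARAMS for key in params_to_dict(event))


def title(event: dict[str, Any]) -> str:
    # meta.user is a literal dotted key in GitLab's JSON, hence event.get("meta.user")
    user = event.get("username") or event.get("meta.user") or "unknown user"
    return (f"GitLab API credential passed in URL query by {user} "
            f"from {event.get('remote_ip', 'unknown ip')}: "
            f"{event.get('method')} {event.get('path')}")


def dedup(event: dict[str, Any]) -> str:
    # One alert per client and endpoint, not one per request
    return f"{event.get('remote_ip')}|{event.get('path')}"


# Constructed api_json.log lines (not real GitLab output) in the shape the schema describes.
SAMPLE_LOG_LINES = [
    '{"time":"2024-05-01T12:00:00.000Z","severity":"INFO","duration_s":0.05,"status":200,'
    '"method":"GET","path":"/api/v4/projects","params":[{"key":"private_token","value":"[FILTERED]"},'
    '{"key":"per_page","value":"100"}],"host":"gitlab.example.invalid","route":"/api/:version/projects",'
    '"remote_ip":"203.0.113.10","user_id":7,"username":"alice","correlation_id":"c1"}',
    '{"time":"2024-05-01T12:00:01.000Z","severity":"INFO","duration_s":0.02,"status":200,'
    '"method":"GET","path":"/api/v4/projects","params":[{"key":"per_page","value":"100"}],'
    '"host":"gitlab.example.invalid","route":"/api/:version/projects","remote_ip":"203.0.113.11",'
    '"user_id":8,"username":"bob","correlation_id":"c2"}',
    '{"time":"2024-05-01T12:00:02.000Z","severity":"INFO","duration_s":0.03,"status":401,'
    '"method":"GET","path":"/api/v4/user","params":[],"host":"gitlab.example.invalid",'
    '"route":"/api/:version/user","remote_ip":"203.0.113.12","correlation_id":"c3"}',
]


def run_samples(lines: list[str] = SAMPLE_LOG_LINES) -> list[str]:
    """Parse each line and return the alert titles the rule would raise."""
    events = [json.loads(line) for line in lines]
    return [title(event) for event in events if rule(event)]
```

Only the first sample fires: the second authenticated some other way (nothing credential-shaped in params), and the third carried no query parameters at all, so a 401 on its own is not what this rule is looking for.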

GitLab.Audit

Multi-use schema for GitLab audit events, from both self-hosted audit log files and GitLab's audit event streaming feature.

For more information, see GitLab's documentation on audit JSON logs and GitLab's documentation on audit event streaming.

schema: GitLab.Audit
description: 'Multi-use schema for GitLab audit events both from self-hosted audit log files, as well as GitLab''s audit event streaming feature: https://docs.gitlab.com/ee/administration/audit_event_streaming/'
referenceURL: https://docs.gitlab.com/ee/administration/logs/#audit_jsonlog
fields:
    - name: severity
      description: The log level. Present only in audit log files.
      type: string
    - name: time
      description: The event timestamp. Present only in audit log files.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: author_id
      required: true
      description: User id that made the change
      type: bigint
    - name: entity_id
      required: true
      description: Id of the entity that was modified
      type: bigint
    - name: entity_type
      required: true
      description: Type of the modified entity
      type: string
    - name: change
      description: Type of change to the settings. Present only in audit log files.
      type: string
    - name: from
      description: Old setting value. Present only in audit log files.
      type: string
    - name: to
      description: New setting value. Present only in audit log files.
      type: string
    - name: author_name
      required: true
      description: Name of the user that made the change
      type: string
    - name: target_id
      required: true
      description: Target id of the modified setting
      type: bigint
    - name: target_type
      required: true
      description: Target type of the modified setting
      type: string
    - name: target_details
      required: true
      description: Details of the target of the modified setting
      type: string
    - name: created_at
      description: Timestamp when event was triggered. Present only in audit event streaming
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: details
      description: JSON object containing additional metadata. Present only in audit event streaming
      type: json
    - name: entity_path
      description: Full path of the entity affected by the auditable event. Present only in audit event streaming
      type: string
    - name: event_type
      description: String representation of the type of audit event. Present only in audit event streaming
      type: string
    - name: id
      description: Unique identifier for the audit event. Present only in audit event streaming
      type: bigint
    - name: ip_address
      description: IP address of the host used to trigger the event. Present only in audit event streaming
      type: string
      indicators:
        - ip
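
Because GitLab.Audit is one schema for two sources, a detection has to read both shapes: audit log files carry time, change, from and to at the top level, while streaming payloads carry created_at, id, ip_address and a details object. The Panther-style rule below, added here as an example and not one of Panther's managed detections, normalises the two and fires when a project or group is switched to public visibility. The audit-file sample is modelled on the example in GitLab's audit_json.log documentation (change "visibility", from "Private", to "Public"); that a streaming event nests the same change/from/to keys under details, and names the change "visibility_level", is an assumption, as are the sample values and the event_type name. The event is a plain dict here; Panther's event object offers the same .get() interface.

```python
from datetime import datetime, timezone
from typing import Any

# change names that mean "visibility": "visibility" as in GitLab's audit_json.log
# documentation example; "visibility_level" is an assumption for streaming payloads.
VISIBILITY_CHANGES = frozenset({"visibility", "visibility_level"})


def is_streaming(event: dict[str, Any]) -> bool:
    """created_at and id are present only in audit event streaming payloads."""
    return "created_at" in event or "id" in event


def field(event: dict[str, Any], key: str) -> Any:
    """Read a key from the top level (log file) or from details (streaming, assumed)."""
    if key in event:
        return event[key]
    details = event.get("details")
    return details.get(key) if isinstance(details, dict) else None


def event_time(event: dict[str, Any]) -> datetime:
    """Pick whichever timestamp the source populates; both are RFC 3339."""
    raw = event.get("time") or event.get("created_at")
    if raw is None:
        raise ValueError("event carries neither time nor created_at")
    # fromisoformat on older Pythons does not accept a trailing Z, so spell out UTC
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def rule(event: dict[str, Any]) -> bool:
    change = field(event, "change")
    new_value = field(event, "to")
    return (change in VISIBILITY_CHANGES
            and isinstance(new_value, str)
            and new_value.lower() == "public")


def title(event: dict[str, Any]) -> str:
    where = f" from {event['ip_address']}" if event.get("ip_address") else ""
    source = "streaming" if is_streaming(event) else "audit log file"
    return (f"GitLab {event.get('entity_type')} {event.get('target_details')} made public "
            f"by {event.get('author_name')}{where} (source: {source})")


def dedup(event: dict[str, Any]) -> str:
    # One alert per entity, whichever source reported it
    return f"{event.get('entity_type')}:{event.get('entity_id')}"


# Constructed samples (not real GitLab output).
FILE_EVENT = {  # audit_json.log shape, modelled on GitLab's documented example
    "severity": "INFO", "time": "2018-10-17T17:38:22.523Z",
    "author_id": 3, "entity_id": 2, "entity_type": "Project",
    "change": "visibility", "from": "Private", "to": "Public",
    "author_name": "Administrator", "target_id": 2, "target_type": "Project",
    "target_details": "namespace2/project2",
}
STREAM_EVENT = {  # audit event streaming shape; change/from/to under details is assumed
    "id": 101, "author_id": 3, "author_name": "Administrator",
    "entity_id": 2, "entity_type": "Project", "entity_path": "namespace2/project2",
    "event_type": "project_visibility_changed",  # assumed name
    "target_id": 2, "target_type": "Project", "target_details": "project2",
    "ip_address": "203.0.113.10", "created_at": "2024-05-01T12:00:00.000Z",
    "details": {"change": "visibility_level", "from": "private", "to": "public"},
}
ARCHIVE_EVENT = {  # streaming event with no visibility change: must not fire
    "id": 102, "author_id": 3, "author_name": "Administrator",
    "entity_id": 2, "entity_type": "Project", "entity_path": "namespace2/project2",
    "event_type": "project_archived", "target_id": 2, "target_type": "Project",
    "target_details": "project2", "ip_address": "203.0.113.10",
    "created_at": "2024-05-01T12:05:00.000Z",
    "details": {"custom_message": "Project archived"},
}


def run_samples(events: tuple = (FILE_EVENT, STREAM_EVENT, ARCHIVE_EVENT)) -> list[str]:
    """Return the alert titles the rule would raise for the samples."""
    return [title(event) for event in events if rule(event)]
```

Reading change/from/to through field() is what keeps one rule valid for both sources; if your streaming events put those keys somewhere else, adjust that helper rather than the rule.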

GitLab.Exceptions

GitLab log file containing application exceptions (exceptions_json.log), with the server, runtime and request context recorded for each one.

Reference: GitLab documentation on exceptions for JSON logs.

schema: GitLab.Exceptions
description: GitLab log file containing changes to group or project settings
referenceURL: https://docs.gitlab.com/ee/administration/logs/#exceptions_jsonlog
fields:
    - name: severity
      required: true
      description: The log level
      type: string
    - name: time
      required: true
      description: The event timestamp
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: correlation_id
      description: Request unique id across logs
      type: string
      indicators:
        - trace_id
    - name: extra.server
      description: Information about the server on which the exception occurred
      type: object
      fields:
        - name: os
          description: Server OS info
          type: object
          fields:
            - name: name
              description: OS name
              type: string
            - name: version
              description: OS version
              type: string
            - name: build
              description: OS build
              type: string
        - name: runtime
          description: Runtime executing gitlab code
          type: object
          fields:
            - name: name
              description: Runtime name
              type: string
            - name: version
              description: Runtime version
              type: string
    - name: extra.project_id
      description: Project id where the exception occurred
      type: bigint
    - name: extra.relation_key
      description: Relation on which the exception occurred
      type: string
    - name: extra.relation_index
      description: Relation index on which the exception occurred
      type: bigint
    - name: exception.class
      required: true
      description: Class name of the exception that occurred
      type: string
    - name: exception.message
      required: true
      description: Message of the exception that occurred
      type: string
    - name: exception.backtrace
      description: Stack trace of the exception that occurred
      type: array
      element:
        type: string

GitLab.Git

GitLab log file containing all failed requests from GitLab to Git repositories.

Reference: GitLab documentation on git for JSON logs.

schema: GitLab.Git
description: GitLab log file containing all failed requests from GitLab to Git repositories.
referenceURL: https://docs.gitlab.com/ee/administration/logs/#git_jsonlog
fields:
    - name: severity
      required: true
      description: The log level
      type: string
    - name: time
      required: true
      description: The event timestamp
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: correlation_id
      description: Unique id across logs
      type: string
      indicators:
        - trace_id
    - name: message
      required: true
      description: The error message from git
      type: string

GitLab.Integrations

GitLab log with information about integrations activities such as Jira, Asana, and Irker services.

Reference: GitLab documentation on integrations for JSON logs.

schema: GitLab.Integrations
description: GitLab log with information about integrations activities such as Jira, Asana, and Irker services.
referenceURL: https://docs.gitlab.com/ee/administration/logs/#integrations_jsonlog
fields:
    - name: severity
      required: true
      description: The log level
      type: string
    - name: time
      required: true
      description: The event timestamp
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: service_class
      required: true
      description: The class name of the integrated service
      type: string
    - name: project_id
      required: true
      description: The project id the integration was running on
      type: bigint
    - name: project_path
      required: true
      description: The project path the integration was running on
      type: string
    - name: message
      required: true
      description: The log message from the service
      type: string
    - name: client_url
      required: true
      description: The client url of the service
      type: string
      indicators:
        - url
    - name: error
      description: The error name if an error has occurred
      type: string

GitLab.Production

GitLab log for Production controller requests received from GitLab.

Reference: GitLab documentation on production for JSON logs.

schema: GitLab.Production
description: GitLab log for Production controller requests received from GitLab
referenceURL: https://docs.gitlab.com/ee/administration/logs/#production_jsonlog
fields:
    - name: method
      required: true
      description: The HTTP method of the request
      type: string
    - name: path
      required: true
      description: The URL path for the request
      type: string
    - name: format
      description: The response output format
      type: string
    - name: controller
      description: The Production controller class name
      type: string
    - name: action
      description: The Production controller action
      type: string
    - name: status
      required: true
      description: The HTTP response status code
      type: bigint
    - name: time
      required: true
      description: The request timestamp
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: params
      description: The URL query parameters
      type: array
      element:
        type: object
        fields:
            - name: key
              required: true
              description: Query parameter name
              type: string
            - name: value
              description: Query parameter value
              type: json
    - name: remote_ip
      description: The remote IP address of the HTTP request
      type: string
      indicators:
        - ip
    - name: user_id
      description: The user id of the request
      type: bigint
    - name: username
      description: The username of the request
      type: string
      indicators:
        - username
    - name: ua
      description: The User-Agent of the requester
      type: string
    - name: queue_duration_s
      description: Total time that the request was queued inside GitLab Workhorse
      type: float
    - name: gitaly_calls
      description: Total number of calls made to Gitaly
      type: bigint
    - name: gitaly_duration_s
      description: Total time taken by Gitaly calls
      type: float
    - name: redis_calls
      description: Total number of calls made to Redis
      type: bigint
    - name: redis_duration_s
      description: Total time to retrieve data from Redis
      type: float
    - name: redis_read_bytes
      description: Total bytes read from Redis
      type: bigint
    - name: redis_write_bytes
      description: Total bytes written to Redis
      type: bigint
    - name: correlation_id
      description: Request unique id across logs
      type: string
      indicators:
        - trace_id
    - name: cpu_s
      description: Total time spent on CPU
      type: float
    - name: db_duration_s
      description: Total time to retrieve data from PostgreSQL
      type: float
    - name: view_duration_s
      description: Total time taken inside the Rails views
      type: float
    - name: duration_s
      required: true
      description: Total time taken to retrieve the request
      type: float
    - name: meta.caller_id
      description: Caller ID
      type: string
    - name: location
      description: (Applies only to redirects) The redirect URL
      type: string
    - name: exception.class
      description: Class name of the exception that occurred
      type: string
    - name: exception.message
      description: Message of the exception that occurred
      type: string
    - name: exception.backtrace
      description: Stack trace of the exception that occurred
      type: array
      element:
        type: string
    - name: etag_route
      description: Route name etag (on redirects)
      type: string
