# Heroku Logs

## Overview

Panther ingests [Heroku runtime logs](https://devcenter.heroku.com/articles/logging#runtime-logs) by configuring a [Heroku log drain](https://devcenter.heroku.com/articles/log-drains#https-drains) to post events to a Panther [HTTP source](/data-onboarding/data-transports/http.md).

## How to onboard Heroku runtime logs to Panther

### Prerequisite

* In order to complete Step 2 of this process (creating a log drain in Heroku), you must have Heroku's CLI installed. If it is not already installed, follow [Heroku's documentation to install it here](https://devcenter.heroku.com/articles/heroku-cli#install-the-heroku-cli).

### Step 1: Create a new Heroku source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Heroku,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\\

   <figure><img src="/files/qHXlqx6GJhUprsU6EQ8s" alt="The new source setup page for Heroku is shown in the Panther Console. The Transport Mechanism dropdown field is has a value of &#x22;HTTP&#x22; pre-selected. To its right is a Start Setup button."><figcaption></figcaption></figure>
5. Follow [Panther's instructions for configuring an HTTP Source](/data-onboarding/data-transports/http.md).
   * When setting up this log source initially, set the **Auth method** as **None**. In Step 3 below, after retrieving an authentication token from Heroku, you will change it to Shared Secret authentication.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](/data-onboarding/data-transports/http.md#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a new log drain in Heroku

Before starting this step, ensure the [prerequisite](#prerequisite) is met.

1. Run a customized version of the following command in your Heroku CLI to set up a log drain pointing from your Heroku app to Panther's HTTP source:\
   `heroku drains:add https://logs.mypantherdomain.runpanther.net/http/1081f021-a983-4dae-bcbb-1952ffaa4e72 -a myherokuappname`
2. Run the following command to retrieve your drain token:\
   `heroku drains --json -a myherokuappname`
   * From the output of this command, save the value of `token`. It will be used in the next step.

### Step 3: Secure your log source in Panther

1. Navigate back to your Panther Console.
2. Locate the log source you created in Step 1, by clicking **Configure** > **Log Sources**, and clicking the name of the source.
3. In the upper-right corner, click **Configuration**, then **Edit**.
4. In the upper-right corner, click on the **Security** tab.
5. Change the value of the **Auth method** dropdown to **Shared Secret**, then enter values for the following fields:
   * **Header Name**: Enter `Logplex-Drain-Token`.
   * **Shared Secret Value**: Paste in the `token` you retrieved from the Heroku CLI in the previous step.
6. Click **Save**.

## Supported log types

### Heroku.Runtime

`Heroku.Runtime` logs are event logs from Heroku that contain app, system, API, and add-on logs. For more information, see [Heroku's documentation on runtime logs.](https://devcenter.heroku.com/articles/logging#runtime-logs)

```yaml
schema: Heroku.Runtime
parser:
  fastmatch:
    match:
      - '%{message_len} <%{priority}>%{version} %{timestamp} %{host_name} %{app_name} %{process_id} %{message_id} %{message}'
    emptyValues:
      - '-'
description: Logging output from the application itself, including logs generated by your app's code and dependencies, as well as system and API logs.
referenceURL: https://devcenter.heroku.com/articles/logging#runtime-logs
fields:
  - name: message_len
    type: int
  - name: priority
    type: int
  - name: version
    type: string
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: host_name
    type: string
    indicators:
      - hostname
  - name: app_name
    type: string
  - name: process_id
    type: string
  - name: message_id
    type: string
  - name: message
    type: string
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/data-onboarding/supported-logs/heroku.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.