Heroku Logs

Panther supports receiving Heroku logs directly via webhook

Overview

Panther ingests by configuring a to post events to a Panther .

How to onboard Heroku runtime logs to Panther

Prerequisite

In order to complete Step 2 of this process (creating a log drain in Heroku), you must have Heroku's CLI installed. If it is not already installed, follow .

Step 1: Create a new Heroku source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Heroku,” then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow .
- When setting up this log source initially, set the Auth method as None. In Step 3 below, after retrieving an authentication token from Heroku, you will change it to Shared Secret authentication.
- Payloads sent to this source are subject to the .
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new log drain in Heroku

Run a customized version of the following command in your Heroku CLI to set up a log drain pointing from your Heroku app to Panther's HTTP source: heroku drains:add https://logs.mypantherdomain.runpanther.net/http/1081f021-a983-4dae-bcbb-1952ffaa4e72 -a myherokuappname
Run the following command to retrieve your drain token: heroku drains --json -a myherokuappname
- From the output of this command, save the value of token. It will be used in the next step.

Step 3: Secure your log source in Panther

Navigate back to your Panther Console.
Locate the log source you created in Step 1, by clicking Configure > Log Sources, and clicking the name of the source.
In the upper-right corner, click Configuration, then Edit.
In the upper-right corner, click on the Security tab.
Change the value of the Auth method dropdown to Shared Secret, then enter values for the following fields:
- Header Name: Enter Logplex-Drain-Token.
- Shared Secret Value: Paste in the token you retrieved from the Heroku CLI in the previous step.
Click Save.

Supported log types

Heroku.Runtime

schema: Heroku.Runtime
parser:
  fastmatch:
    match:
      - '%{message_len} <%{priority}>%{version} %{timestamp} %{host_name} %{app_name} %{process_id} %{message_id} %{message}'
    emptyValues:
      - '-'
description: Logging output from the application itself, including logs generated by your app's code and dependencies, as well as system and API logs.
referenceURL: https://devcenter.heroku.com/articles/logging#runtime-logs
fields:
  - name: message_len
    type: int
  - name: priority
    type: int
  - name: version
    type: string
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: host_name
    type: string
    indicators:
      - hostname
  - name: app_name
    type: string
  - name: process_id
    type: string
  - name: message_id
    type: string
  - name: message
    type: string

PreviousGoogle Workspace Logs NextJamf Pro Logs

Last updated 1 year ago

Was this helpful?

How to onboard Heroku runtime logs to Panther

Prerequisite

In order to complete Step 2 of this process (creating a log drain in Heroku), you must have Heroku's CLI installed. If it is not already installed, follow .

Step 1: Create a new Heroku source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

Click Create New.

Search for “Heroku,” then click its tile.

In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

Click Start Setup.

Follow .

When setting up this log source initially, set the Auth method as None. In Step 3 below, after retrieving an authentication token from Heroku, you will change it to Shared Secret authentication.
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new log drain in Heroku

Before starting this step, ensure the is met.

Run a customized version of the following command in your Heroku CLI to set up a log drain pointing from your Heroku app to Panther's HTTP source: heroku drains:add https://logs.mypantherdomain.runpanther.net/http/1081f021-a983-4dae-bcbb-1952ffaa4e72 -a myherokuappname

Run the following command to retrieve your drain token: heroku drains --json -a myherokuappname

From the output of this command, save the value of token. It will be used in the next step.

Step 3: Secure your log source in Panther

Navigate back to your Panther Console.

Locate the log source you created in Step 1, by clicking Configure > Log Sources, and clicking the name of the source.

In the upper-right corner, click Configuration, then Edit.

In the upper-right corner, click on the Security tab.

Change the value of the Auth method dropdown to Shared Secret, then enter values for the following fields:

Header Name: Enter Logplex-Drain-Token.
Shared Secret Value: Paste in the token you retrieved from the Heroku CLI in the previous step.

Click Save.

Supported log types

Heroku.Runtime

Heroku.Runtime logs are event logs from Heroku that contain app, system, API, and add-on logs. For more information, see

schema: Heroku.Runtime
parser:
  fastmatch:
    match:
      - '%{message_len} <%{priority}>%{version} %{timestamp} %{host_name} %{app_name} %{process_id} %{message_id} %{message}'
    emptyValues:
      - '-'
description: Logging output from the application itself, including logs generated by your app's code and dependencies, as well as system and API logs.
referenceURL: https://devcenter.heroku.com/articles/logging#runtime-logs
fields:
  - name: message_len
    type: int
  - name: priority
    type: int
  - name: version
    type: string
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: host_name
    type: string
    indicators:
      - hostname
  - name: app_name
    type: string
  - name: process_id
    type: string
  - name: message_id
    type: string
  - name: message
    type: string