# Heroku Logs ## Overview Panther ingests [Heroku runtime logs](https://devcenter.heroku.com/articles/logging#runtime-logs) by configuring a [Heroku log drain](https://devcenter.heroku.com/articles/log-drains#https-drains) to post events to a Panther [HTTP source](https://docs.panther.com/data-onboarding/data-transports/http). ## How to onboard Heroku runtime logs to Panther ### Prerequisite * In order to complete Step 2 of this process (creating a log drain in Heroku), you must have Heroku's CLI installed. If it is not already installed, follow [Heroku's documentation to install it here](https://devcenter.heroku.com/articles/heroku-cli#install-the-heroku-cli). ### Step 1: Create a new Heroku source in Panther 1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.** 2. Click **Create New**. 3. Search for “Heroku,” then click its tile. * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option. 4. Click **Start Setup**.\\

The new source setup page for Heroku is shown in the Panther Console. The Transport Mechanism dropdown field is has a value of "HTTP" pre-selected. To its right is a Start Setup button.

5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http). * When setting up this log source initially, set the **Auth method** as **None**. In Step 3 below, after retrieving an authentication token from Heroku, you will change it to Shared Secret authentication. * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements). * Do not proceed to the next step until the creation of your HTTP endpoint has completed. ### Step 2: Create a new log drain in Heroku Before starting this step, ensure the [prerequisite](#prerequisite) is met. 1. Run a customized version of the following command in your Heroku CLI to set up a log drain pointing from your Heroku app to Panther's HTTP source:\ `heroku drains:add https://logs.mypantherdomain.runpanther.net/http/1081f021-a983-4dae-bcbb-1952ffaa4e72 -a myherokuappname` 2. Run the following command to retrieve your drain token:\ `heroku drains --json -a myherokuappname` * From the output of this command, save the value of `token`. It will be used in the next step. ### Step 3: Secure your log source in Panther 1. Navigate back to your Panther Console. 2. Locate the log source you created in Step 1, by clicking **Configure** > **Log Sources**, and clicking the name of the source. 3. In the upper-right corner, click **Configuration**, then **Edit**. 4. In the upper-right corner, click on the **Security** tab. 5. Change the value of the **Auth method** dropdown to **Shared Secret**, then enter values for the following fields: * **Header Name**: Enter `Logplex-Drain-Token`. * **Shared Secret Value**: Paste in the `token` you retrieved from the Heroku CLI in the previous step. 6. Click **Save**. ## Supported log types ### Heroku.Runtime `Heroku.Runtime` logs are event logs from Heroku that contain app, system, API, and add-on logs. For more information, see [Heroku's documentation on runtime logs.](https://devcenter.heroku.com/articles/logging#runtime-logs) ```yaml schema: Heroku.Runtime parser: fastmatch: match: - '%{message_len} <%{priority}>%{version} %{timestamp} %{host_name} %{app_name} %{process_id} %{message_id} %{message}' emptyValues: - '-' description: Logging output from the application itself, including logs generated by your app's code and dependencies, as well as system and API logs. referenceURL: https://devcenter.heroku.com/articles/logging#runtime-logs fields: - name: message_len type: int - name: priority type: int - name: version type: string - name: timestamp type: timestamp timeFormats: - rfc3339 isEventTime: true - name: host_name type: string indicators: - hostname - name: app_name type: string - name: process_id type: string - name: message_id type: string - name: message type: string ```