Panther supports ingesting Nginx logs via common options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
How to onboard Nginx logs to Panther
To connect these logs into Panther:
1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. Click Create New.
3. Search for the log type you want to onboard, then click its tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method.
5. Configure Nginx to push logs to the Data Transport source. See Nginx's documentation for instructions on pushing logs to your selected Data Transport source.
Querying logs in Data Explorer
Supported log types
Nginx.Access
Access Logs for your Nginx server. Panther supports Nginx 'combined' format.
schema: Nginx.Access
parser:
  fastmatch:
    match:
      - '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} %{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"'
    emptyValues:
      - '-'
description: Access Logs for your Nginx server. We currently support Nginx 'combined' format.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
  - name: remoteAddr
    description: The IP address of the client (remote host) which made the request to the server.
    type: string
    indicators:
      - ip
  - name: remoteUser
    description: The userid of the person making the request. Usually empty unless .htaccess has requested authentication.
    type: string
    indicators:
      - username
  - name: time
    required: true
    description: The time that the request was received (UTC).
    type: timestamp
    timeFormats:
      - '%d/%b/%Y:%H:%M:%S %z'
    isEventTime: true
  - name: request
    description: The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol.
    type: string
  - name: status
    description: The HTTP status code returned to the client.
    type: smallint
  - name: bodyBytesSent
    description: The size of the object returned to the client, measured in bytes.
    type: bigint
  - name: httpReferer
    description: The HTTP referrer if any.
    type: string
  - name: httpUserAgent
    description: The agent the user used when making the request.
    type: string
Nginx.Error
Error logs of your Nginx server.
schema: Nginx.Error
parser:
  fastmatch:
    match:
      - '%{time} [%{severity}] %{pid}#%{tid}: *%{message}'
    emptyValues:
      - '-'
description: Error Logs for your Nginx server.
referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
fields:
  - name: time
    required: true
    description: The time that the error occurred (UTC).
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: severity
    required: true
    description: The severity level of the error.
    type: string
  - name: pid
    description: The process ID of the Nginx server.
    type: bigint
  - name: tid
    description: The thread ID of the Nginx server.
    type: bigint
  - name: message
    required: true
    description: The error message.
    type: string
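The following added example (not Panther's code) shows how the two fastmatch patterns and time formats above map a raw Nginx line onto the schema fields: each %{name} becomes a capture, '-' becomes an empty value, and the time field is parsed with the schema's timeFormat. The matcher, the sample log lines and the integer-typing of status, bodyBytesSent, pid and tid are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Patterns and time formats copied from the Nginx.Access and Nginx.Error
# schemas above; the matcher itself is an assumption, not Panther's parser.
SCHEMAS = {
    "Nginx.Access": {
        "match": '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} '
                 '%{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"',
        "timeFormat": "%d/%b/%Y:%H:%M:%S %z",
        "ints": {"status", "bodyBytesSent"},
    },
    "Nginx.Error": {
        "match": "%{time} [%{severity}] %{pid}#%{tid}: *%{message}",
        "timeFormat": "%Y/%m/%d %H:%M:%S",
        "ints": {"pid", "tid"},
    },
}
EMPTY_VALUES = {"-"}  # emptyValues from both schemas

# Constructed sample lines in the formats the schemas expect.
SAMPLE_ACCESS = ('203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] '
                 '"GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0.1"')
SAMPLE_ERROR = ('2023/10/10 13:55:36 [error] 1234#1234: *7 open() '
                '"/var/www/missing.html" failed (2: No such file or directory)')

def compile_match(pattern):
    """Turn a %{name} template into an anchored regex with named groups."""
    parts = re.split(r"%\{(\w+)\}", pattern)
    regex = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>.*?)"
                    for i, p in enumerate(parts))
    return re.compile("^" + regex + "$")

def parse_line(schema_name, line):
    """Return a dict of typed fields, or None when the line does not match."""
    schema = SCHEMAS[schema_name]
    m = compile_match(schema["match"]).match(line)
    if not m:
        return None
    event = {}
    for name, value in m.groupdict().items():
        if value in EMPTY_VALUES:
            event[name] = None  # '-' means "no value", not the literal string
        elif name in schema["ints"]:
            event[name] = int(value)
        elif name == "time":
            ts = datetime.strptime(value, schema["timeFormat"])
            # Error-log times carry no zone; the schema says they are UTC.
            event[name] = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
        else:
            event[name] = value
    return event
```

Note that with the page's error pattern the connection number after `*` lands in `message`, since the template has no field for it.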
To see an example of querying NGINX logs in Panther's Data Explorer, see .