Panther supports ingesting Syslog logs via common options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
How to onboard Syslog logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure Syslog to push logs to the Data Transport source.
Consult your Syslog documentation for guidance on pushing logs to the Data Transport source of your choice.
Implementing Syslog onboarding is contingent upon the use of a log forwarder.
Supported log types
Syslog.RFC3164
Syslog parser for the RFC3164 format (ie. BSD-syslog messages)
schema: Syslog.RFC3164
description: Syslog parser for the RFC3164 format (ie. BSD-syslog messages)
referenceURL: https://tools.ietf.org/html/rfc3164
fields:
- name: priority
required: true
description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
type: smallint
- name: facility
required: true
description: 'Facility value helps determine which process created the message. Eg: 0 = kernel messages, 3 = system daemons.'
type: smallint
- name: severity
required: true
description: 'Severity indicates how severe the message is. Eg: 0=Emergency to 7=Debug.'
type: smallint
- name: timestamp
description: Timestamp of the syslog message in UTC.
type: timestamp
timeFormats:
- rfc3339
- '%b %d %H:%M:%S'
isEventTime: true
- name: hostname
description: Hostname identifies the machine that originally sent the syslog message.
type: string
indicators:
- hostname
- name: appname
description: Appname identifies the device or application that originated the syslog message.
type: string
- name: procid
description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
type: string
- name: msgid
description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
type: string
- name: message
description: Message contains free-form text that provides information about the event.
type: string
Syslog.RFC5424
Syslog parser for the RFC5424 format.
schema: Syslog.RFC5424
description: Syslog parser for the RFC5424 format.
referenceURL: https://tools.ietf.org/html/rfc5424
fields:
- name: priority
required: true
description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message.
type: smallint
- name: facility
required: true
description: 'Facility value helps determine which process created the message. Eg: 0 = kernel messages, 3 = system daemons.'
type: smallint
- name: severity
required: true
description: 'Severity indicates how severe the message is. Eg: 0=Emergency to 7=Debug.'
type: smallint
- name: version
required: true
description: Version of the syslog message protocol. RFC5424 mandates that version cannot be 0, so a 0 value signals no version.
type: int
- name: timestamp
description: Timestamp of the syslog message in UTC.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: hostname
description: Hostname identifies the machine that originally sent the syslog message.
type: string
indicators:
- hostname
- name: appname
description: Appname identifies the device or application that originated the syslog message.
type: string
- name: procid
description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
type: string
- name: msgid
description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
type: string
- name: structured_data
description: StructuredData provides a mechanism to express information in a well defined and easily parsable format.
type: json
- name: message
description: Message contains free-form text that provides information about the event.
type: string
For Syslog logs ingested via Fluentd, please refer to the .
