Syslog Logs
Connecting Syslog logs to your Panther Console
Panther supports ingesting Syslog logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
To connect these logs into Panther:
1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. Click Create New.
3. Search for the log type you want to onboard, then click its tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring that method.
5. Configure Syslog to push logs to the Data Transport source.
   - Consult your Syslog documentation for guidance on pushing logs to the Data Transport source of your choice.
Syslog onboarding depends on a log forwarder: Panther does not receive syslog traffic directly, so a forwarder on the source side must deliver the messages to the S3 bucket, SQS queue or CloudWatch log group you selected as the Data Transport.
Required fields are marked required: true in the schemas below.
Syslog parser for the RFC3164 format (i.e. BSD-syslog messages)
schema: Syslog.RFC3164
description: Syslog parser for the RFC3164 format (i.e. BSD-syslog messages)
referenceURL: https://tools.ietf.org/html/rfc3164
fields:
  - name: priority
    required: true
    description: Priority (PRI) is calculated as Facility * 8 + Severity. Severity occupies the low three bits and facility the rest, so PRI alone does not rank messages by importance; compare the severity field for that.
    type: smallint
  - name: facility
    required: true
    description: 'Facility value helps determine which process created the message. E.g. 0 = kernel messages, 3 = system daemons.'
    type: smallint
  - name: severity
    required: true
    description: 'Severity indicates how severe the message is, from 0 = Emergency (most severe) to 7 = Debug.'
    type: smallint
  - name: timestamp
    description: Timestamp of the syslog message in UTC. The BSD timestamp (e.g. Oct 11 22:14:15) carries neither a year nor a time zone, so both have to be assumed when it is parsed.
    type: timestamp
    timeFormats:
      - rfc3339
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: Hostname identifies the machine that originally sent the syslog message.
    type: string
    indicators:
      - hostname
  - name: appname
    description: Appname identifies the device or application that originated the syslog message.
    type: string
  - name: procid
    description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
    type: string
  - name: msgid
    description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
    type: string
  - name: message
    description: Message contains free-form text that provides information about the event.
    type: string
Syslog parser for the RFC5424 format.
schema: Syslog.RFC5424
description: Syslog parser for the RFC5424 format.
referenceURL: https://tools.ietf.org/html/rfc5424
fields:
  - name: priority
    required: true
    description: Priority (PRI) is calculated as Facility * 8 + Severity. Severity occupies the low three bits and facility the rest, so PRI alone does not rank messages by importance; compare the severity field for that.
    type: smallint
  - name: facility
    required: true
    description: 'Facility value helps determine which process created the message. E.g. 0 = kernel messages, 3 = system daemons.'
    type: smallint
  - name: severity
    required: true
    description: 'Severity indicates how severe the message is, from 0 = Emergency (most severe) to 7 = Debug.'
    type: smallint
  - name: version
    required: true
    description: Version of the syslog message protocol. RFC5424 mandates that the version cannot be 0, so a 0 value signals that no version was present.
    type: int
  - name: timestamp
    description: Timestamp of the syslog message in UTC. RFC5424 timestamps are RFC3339 values that carry their own UTC offset, which is applied before the value is stored.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: hostname
    description: Hostname identifies the machine that originally sent the syslog message.
    type: string
    indicators:
      - hostname
  - name: appname
    description: Appname identifies the device or application that originated the syslog message.
    type: string
  - name: procid
    description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
    type: string
  - name: msgid
    description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
    type: string
  - name: structured_data
    description: StructuredData provides a mechanism to express information in a well-defined and easily parsable format (SD-ELEMENTs of the form [SD-ID PARAM="value" ...]); a single '-' means no structured data was sent.
    type: json
  - name: message
    description: Message contains free-form text that provides information about the event.
    type: string
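The parser below is an added example, not Panther's own code: it maps lines in either format onto the field names of the Syslog.RFC3164 and Syslog.RFC5424 schemas above, including PRI splitting, the '-' nil value, RFC5424 structured data with escaped parameter values, and conversion of RFC3339 offsets to UTC. The sample lines are constructed, and the choices to apply a caller-supplied year to BSD timestamps and to treat them as UTC are this example's assumptions.

```python
"""Added example (not Panther's parser): map RFC3164/RFC5424 lines onto the schema field names."""
import re
from datetime import datetime, timezone

# RFC5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# RFC3164: <PRI>TIMESTAMP SP HOSTNAME SP [TAG[PID]:] MSG  (the day may be space padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
TAG_RE = re.compile(
    r"^(?P<appname>[A-Za-z0-9_./-]+)(?:\[(?P<procid>[^\]]+)\])?: ?(?P<message>.*)$", re.DOTALL
)
SD_ELEMENT_RE = re.compile(r'\[([^\s\]=]+)((?: [^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')

SAMPLE_LINES = [  # constructed sample input, not captured logs
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
    "<86>Oct 11 22:14:15 bastion sshd[2847]: Accepted publickey for deploy from 203.0.113.7 port 51022 ssh2",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[examplePriority@32473 class="high"] An application event log entry',
    "<34>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.",
]

def _nil(value):
    """RFC5424 writes '-' (NILVALUE) for header fields the sender does not have."""
    return None if value == "-" else value

def _split_pri(pri_text):
    """PRI = Facility * 8 + Severity: severity is the low 3 bits, facility the rest."""
    pri = int(pri_text)
    if pri > 191:  # facility 23, severity 7 is the largest legal combination
        raise ValueError(f"PRI out of range: {pri}")
    return pri, pri // 8, pri % 8

def _parse_structured_data(rest):
    """Split '[id k="v" ...][...] MSG' into ({sd_id: {param: value}}, MSG)."""
    if rest.startswith("-"):  # nil STRUCTURED-DATA, optionally followed by SP MSG
        msg = rest[1:]
        return None, msg[1:] if msg.startswith(" ") else msg
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed STRUCTURED-DATA")
        # RFC5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped
        sd[m.group(1)] = {
            pm.group(1): re.sub(r'\\([\\"\]])', r"\1", pm.group(2))
            for pm in SD_PARAM_RE.finditer(m.group(2))
        }
        pos = m.end()
    if not sd:
        raise ValueError("STRUCTURED-DATA must be '-' or at least one SD-ELEMENT")
    msg = rest[pos:]
    return sd, msg[1:] if msg.startswith(" ") else msg

def _rfc3339_to_utc(ts):
    """RFC3339 timestamps carry an offset; normalise to UTC as the schema stores it."""
    dt = datetime.fromisoformat(ts[:-1] + "+00:00" if ts.endswith("Z") else ts)
    if dt.tzinfo is None:
        raise ValueError("RFC5424 TIMESTAMP must carry a time zone")
    return dt.astimezone(timezone.utc).isoformat()

def parse_syslog(line, year=None):
    """Return a dict keyed by the schema field names, plus 'schema' naming the format."""
    m = RFC5424_RE.match(line)
    if m:
        pri, facility, severity = _split_pri(m["pri"])
        ts = _nil(m["timestamp"])
        structured_data, message = _parse_structured_data(m["rest"])
        return {
            "schema": "Syslog.RFC5424", "priority": pri, "facility": facility,
            "severity": severity, "version": int(m["version"]),
            "timestamp": _rfc3339_to_utc(ts) if ts else None,
            "hostname": _nil(m["hostname"]), "appname": _nil(m["appname"]),
            "procid": _nil(m["procid"]), "msgid": _nil(m["msgid"]),
            "structured_data": structured_data, "message": message,
        }
    m = RFC3164_RE.match(line)
    if m:
        pri, facility, severity = _split_pri(m["pri"])
        # Assumption: the BSD timestamp has no year or zone, so take the caller's year
        # (default: current UTC year) and treat the clock reading as UTC.
        year = year or datetime.now(timezone.utc).year
        ts = datetime.strptime(f"{year} {m['timestamp']}", "%Y %b %d %H:%M:%S")
        tag = TAG_RE.match(m["rest"])
        return {
            "schema": "Syslog.RFC3164", "priority": pri, "facility": facility,
            "severity": severity, "timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
            "hostname": m["hostname"], "appname": tag["appname"] if tag else None,
            "procid": tag["procid"] if tag else None, "msgid": None,
            "message": tag["message"] if tag else m["rest"],
        }
    raise ValueError(f"not an RFC3164 or RFC5424 syslog line: {line!r}")
```

Calling parse_syslog(line, year=2023) on each of SAMPLE_LINES yields one row per schema: the second BSD line has no TAG, so appname and procid stay empty and the whole remainder lands in message, while the RFC5424 line with a -07:00 offset comes out with a UTC timestamp. Rejecting PRI values above 191 and requiring a time zone on RFC5424 timestamps are the checks worth keeping in a forwarder-side pre-filter, since malformed headers are the usual cause of events landing in the wrong field.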