# Syslog Logs

## Overview

Panther supports ingesting Syslog logs via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

## How to onboard Syslog logs to Panther

To connect these logs into Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for the log type you want to onboard, then click its tile.
4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
   * [AWS CloudWatch](https://docs.panther.com/data-onboarding/data-transports/aws/cloudwatch)
   * [AWS SQS](https://docs.panther.com/data-onboarding/data-transports/aws/sqs)
   * [AWS S3 bucket](https://docs.panther.com/data-onboarding/data-transports/aws/s3)
5. Configure Syslog to push logs to the Data Transport source.
   * Consult your Syslog documentation for guidance on pushing logs to the Data Transport source of your choice.

{% hint style="info" %}
Syslog daemons do not deliver to S3, SQS, or CloudWatch on their own, so onboarding Syslog requires a log forwarder that reads the messages and writes them to the Data Transport you selected.
{% endhint %}

## Supported log types

{% hint style="info" %}
For Syslog logs ingested via Fluentd, please refer to the [Fluentd Syslog schemas](https://docs.panther.com/data-onboarding/fluentd#supported-log-types).
{% endhint %}

### Syslog.RFC3164

Syslog parser for the RFC3164 format (i.e. BSD-syslog messages).

Reference: [Syslog Documentation on RFC3164 BSD Protocol.](https://datatracker.ietf.org/doc/html/rfc3164)

```yaml
schema: Syslog.RFC3164
description: Syslog parser for the RFC3164 format (i.e. BSD-syslog messages)
referenceURL: https://tools.ietf.org/html/rfc3164
fields:
    - name: priority
      required: true
      description: Priority is calculated by (Facility * 8 + Severity). Within a facility, the lower this value, the higher the importance of the log message.
      type: smallint
    - name: facility
      required: true
      description: 'Facility value helps determine which process created the message. Eg: 0 = kernel messages, 3 = system daemons.'
      type: smallint
    - name: severity
      required: true
      description: 'Severity indicates how severe the message is. Eg: 0=Emergency to 7=Debug.'
      type: smallint
    - name: timestamp
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - rfc3339
        - '%b  %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: appname
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: procid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: string
    - name: msgid
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: message
      description: Message contains free-form text that provides information about the event.
      type: string
```

### Syslog.RFC5424

Syslog parser for the RFC5424 format.

Reference: [Syslog Documentation on RFC5424 Protocol.](https://datatracker.ietf.org/doc/html/rfc5424)

```yaml
schema: Syslog.RFC5424
description: Syslog parser for the RFC5424 format.
referenceURL: https://tools.ietf.org/html/rfc5424
fields:
    - name: priority
      required: true
      description: Priority is calculated by (Facility * 8 + Severity). Within a facility, the lower this value, the higher the importance of the log message.
      type: smallint
    - name: facility
      required: true
      description: 'Facility value helps determine which process created the message. Eg: 0 = kernel messages, 3 = system daemons.'
      type: smallint
    - name: severity
      required: true
      description: 'Severity indicates how severe the message is. Eg: 0=Emergency to 7=Debug.'
      type: smallint
    - name: version
      required: true
      description: Version of the syslog message protocol. RFC5424 mandates that version cannot be 0, so a 0 value signals no version.
      type: int
    - name: timestamp
      description: Timestamp of the syslog message in UTC.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: hostname
      description: Hostname identifies the machine that originally sent the syslog message.
      type: string
      indicators:
        - hostname
    - name: appname
      description: Appname identifies the device or application that originated the syslog message.
      type: string
    - name: procid
      description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting.
      type: string
    - name: msgid
      description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic.
      type: string
    - name: structured_data
      description: StructuredData provides a mechanism to express information in a well defined and easily parsable format.
      type: json
    - name: message
      description: Message contains free-form text that provides information about the event.
      type: string
```
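The two schemas above describe the parsed fields but not how a raw line maps onto them. The following is an added example written for this page, not Panther's parser: it splits an RFC3164 line and an RFC5424 line into the same field layout as `Syslog.RFC3164` and `Syslog.RFC5424`, including the PRI split into facility and severity, the `-` NILVALUE handling and the structured-data element parsing. The sample lines are constructed (modelled on the RFC examples). Two assumptions are not stated on the page and are the example's own: BSD timestamps carry no year or zone, so they are completed with the current UTC year and treated as UTC, and structured data is flattened to `{SD-ID: {param: value}}`; nothing here claims how Panther itself resolves those cases.

```python
"""Added example (not Panther's code): parse RFC3164 / RFC5424 lines into the
field layout of the Syslog.RFC3164 and Syslog.RFC5424 schemas."""
import re
from datetime import datetime, timezone
from typing import Optional

# RFC3164: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (TAG is optional in practice)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<app>[^\s:\[]+)(?:\[(?P<pid>[^\]]+)\])?: )?"
    r"(?P<msg>.*)$"
)
# RFC5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?(?<!\\)\])+)"   # one or more [SD-ELEMENT]s, ']' may be escaped
    r"(?: (?P<msg>.*))?$"
)
_SD_ELEM = re.compile(r"\[(?P<id>[^\s\]=]+)(?P<params>.*?)(?<!\\)\]")
_SD_PARAM = re.compile(r'(?P<k>[^\s=]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def split_priority(pri: int) -> tuple:
    """PRI = facility * 8 + severity, so the low three bits are the severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x7


def _nil(value: Optional[str]) -> Optional[str]:
    # RFC5424 uses "-" as NILVALUE; map it (and an absent group) to None.
    return None if value in (None, "-") else value


def _rfc3164_time(ts: str, year: Optional[int] = None) -> datetime:
    # Assumption: the wire format has no year or zone; complete with the current UTC year.
    if year is None:
        year = datetime.now(timezone.utc).year
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def _rfc5424_time(ts: str) -> Optional[datetime]:
    if ts == "-":
        return None
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts[:-1] + "+00:00" if ts.endswith("Z") else ts)


def parse_structured_data(sd: str) -> Optional[dict]:
    """Flatten SD-ELEMENTs to {SD-ID: {PARAM-NAME: PARAM-VALUE}} (assumed layout)."""
    if sd == "-":
        return None
    out = {}
    for elem in _SD_ELEM.finditer(sd):
        out[elem["id"]] = {
            # Undo the three escapes RFC5424 requires inside PARAM-VALUE.
            m["k"]: m["v"].replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
            for m in _SD_PARAM.finditer(elem["params"])
        }
    return out


def parse_rfc3164(line: str, year: Optional[int] = None) -> dict:
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC3164 message: {line!r}")
    pri = int(m["pri"])
    facility, severity = split_priority(pri)
    return {
        "priority": pri, "facility": facility, "severity": severity,
        "timestamp": _rfc3164_time(m["ts"], year),
        "hostname": m["host"], "appname": m["app"], "procid": m["pid"],
        "msgid": None, "message": m["msg"],
    }


def parse_rfc5424(line: str) -> dict:
    m = _RFC5424.match(line)
    if not m:
        raise ValueError(f"not an RFC5424 message: {line!r}")
    pri = int(m["pri"])
    facility, severity = split_priority(pri)
    msg = m["msg"]
    return {
        "priority": pri, "facility": facility, "severity": severity,
        "version": int(m["ver"]),
        "timestamp": _rfc5424_time(m["ts"]),
        "hostname": _nil(m["host"]), "appname": _nil(m["app"]),
        "procid": _nil(m["pid"]), "msgid": _nil(m["msgid"]),
        "structured_data": parse_structured_data(m["sd"]),
        # RFC5424 allows a UTF-8 BOM in front of MSG; drop it.
        "message": None if msg is None else msg.lstrip("\ufeff"),
    }


def parse(line: str, year: Optional[int] = None) -> dict:
    """Dispatch on the VERSION digit that only RFC5424 puts right after PRI."""
    if _RFC5424.match(line):
        return parse_rfc5424(line)
    return parse_rfc3164(line, year)


# Constructed sample lines (not captured from a real system).
SAMPLE_RFC3164 = ("<13>Feb  5 17:32:18 bastion sshd[1234]: Failed password for invalid user "
                  "admin from 203.0.113.5 port 4242 ssh2")
SAMPLE_RFC5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
                  '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
                  'An application event log entry')
SAMPLE_RFC5424_NIL = "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -"

if __name__ == "__main__":
    for line in (SAMPLE_RFC3164, SAMPLE_RFC5424, SAMPLE_RFC5424_NIL):
        print(parse(line, year=2024))
```

Two things the output makes visible that the field tables do not: `priority` only ranks messages within one facility (a `user` emergency is PRI 8, above a kernel debug at PRI 7), so detections should key on `severity` rather than `priority`; and an RFC3164 line carries neither year nor zone, so the `timestamp` you get depends on the receiver's clock and locale. If your forwarder can emit RFC5424 with an explicit offset, the `Syslog.RFC5424` schema avoids that ambiguity.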
