# Tailscale Logs

## Overview

Panther ingests Tailscale [configuration audit](https://tailscale.com/kb/1203/audit-logging/) and [network flow](https://tailscale.com/docs/features/logging/network-flow-logs) logs by configuring [Tailscale Log Streaming](https://tailscale.com/kb/1255/log-streaming/) to post events to a Panther [HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

{% hint style="warning" %}
To use [log streaming](https://tailscale.com/kb/1255/log-streaming/) in Tailscale, which is required to ingest Tailscale logs into Panther, you must have an [Enterprise Tailscale plan](https://tailscale.com/pricing/).
{% endhint %}

## How to onboard Tailscale logs to Panther

To onboard Tailscale logs to Panther, you'll first create a new log source in Panther, then configure Tailscale to send events to a Panther HTTP endpoint.

### Prerequisites

* To complete this process, your Tailscale user must have one of the following roles: [Owner, Admin, Network admin, or IT admin](https://tailscale.com/kb/1138/user-roles/).
* Tailscale only supports one streaming destination (e.g., Panther, Splunk, Elasticsearch) per log type. If you are currently streaming to another destination, you must first disable it.

### Step 1: Create a new Tailscale log source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Tailscale,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![The Tailscale log source setup page is shown. In the upper-right corner, there is a "Transport Mechanism" dropdown field, with "HTTP" selected. To its right is a "Start Setup" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a4a93400f14fb92bffc5ad3c5e201682a9e6b79d%2FScreenshot%202023-06-28%20at%2010.34.26%20AM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * You will be required to use [Bearer authentication](https://docs.panther.com/data-transports/http#bearer). This is the method of authentication Tailscale supports for integrating with Panther.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a new Log Stream in Tailscale

1. Log in to your Tailscale admin console.
2. In the navigation bar at the top of the screen, click **Logs**.
3. Under **Configuration logs**, click **Start streaming**.
4. Under **Select a destination**, select **Panther**, then provide values for the following fields:
   * **URL**: Enter your HTTP Source URL from Step 1.
   * **Token**: Enter your Bearer token from Step 1. Paste in only the token, without including the word "Bearer."\
     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f930781b8fc33338bf5b1192bb8a8ee32258039e%2Fimage.png?alt=media)
5. Click **Start streaming**.

## Supported Log Types

### Tailscale.Audit

```yaml
schema: Tailscale.Audit
description: Event logs from Tailscale Audit Log Stream
referenceURL: https://tailscale.com/kb/1255/log-streaming/#configuration-audit-log-streaming
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated on the Tailscale control server
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: event
    required: true
    description: Collection of fields related to the log event
    type: object
    fields:
      - name: deferredAt
        description: Timestamp of when a rate-limited event was enqueued to be logged at a later time
        type: timestamp
        timeFormats:
          - rfc3339
      - name: eventGroupID
        description: Opaque identifier assigned to one or more audit events that occurred atomically
        type: string
      - name: origin
        required: true
        description: The initiator of the action that generated the event
        type: string
      - name: actor
        required: true
        description: The person who caused the action
        type: object
        fields:
          - name: id
            description: Actor's identifier
            type: string
            indicators:
              - actor_id
          - name: type
            description: Type of actor
            type: string
          - name: loginName
            description: Actor's login name
            type: string
            indicators:
              - email
          - name: displayName
            type: string
          - name: tags
            type: array
            element:
              type: string
      - name: target
        required: true
        description: The object of this event's action
        type: object
        fields:
          - name: id
            description: ID of the target
            type: string
          - name: name
            description: Name of the target
            type: string
          - name: type
            description: Type of target
            type: string
          - name: property
            description: Property changed in the target
            type: string
      - name: action
        required: true
        description: Type of action performed against the target
        type: string
      - name: old
        description: The old value prior to the event
        type: json
      - name: new
        description: The new value after the event
        type: json
      - name: actionDetails
        description: Additional information about the event
        type: string
      - name: error
        description: Reason why the action failed to complete
        type: string
  - name: fields
    description: Object containing additional recorded field data
    type: object
    fields:
      - name: recorded
        description: Timestamp of when the event was recorded by Tailscale's logging service
        type: timestamp
        timeFormats:
          - rfc3339
```
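The following is an added example, not Panther's or Tailscale's own code: a triage pass over records shaped like the `Tailscale.Audit` schema. It rejects records missing a `required: true` field, collects actions that carry an `error`, and groups events that share an `eventGroupID`. All IDs, names and enum-like strings in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Fields marked `required: true` in the Tailscale.Audit schema above.
REQUIRED = ("time", "event.origin", "event.actor", "event.target", "event.action")

def get_path(record, dotted):
    """Follow a dotted path through nested dicts; None if any part is missing."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or cur.get(key) is None:
            return None
        cur = cur[key]
    return cur

def triage(records):
    """Return (rejected, failed, groups) for a batch of audit records."""
    rejected, failed, groups = [], [], defaultdict(list)
    for rec in records:
        gaps = [p for p in REQUIRED if get_path(rec, p) is None]
        if gaps:  # record lacks fields the schema marks as required
            rejected.append(gaps)
            continue
        ev = rec["event"]
        actor, target = ev["actor"], ev["target"]
        row = {
            "when": datetime.fromtimestamp(rec["time"], tz=timezone.utc).isoformat(),
            "actor": actor.get("loginName") or actor.get("id"),
            "action": ev["action"],
            "target": f"{target.get('type')}:{target.get('name') or target.get('id')}",
            "error": ev.get("error"),
        }
        if row["error"]:  # `error` holds the reason the action failed
            failed.append(row)
        if ev.get("eventGroupID"):  # events that occurred atomically share this ID
            groups[ev["eventGroupID"]].append(row)
    return rejected, failed, dict(groups)

# Constructed sample records; every ID, name and enum-like string is made up.
ALICE = {"id": "u1", "type": "USER", "loginName": "alice@example.com"}
SAMPLE = [
    {"time": 1700000000, "event": {"eventGroupID": "grp-1", "origin": "ADMIN_CONSOLE", "actor": ALICE,
        "action": "UPDATE", "target": {"id": "n1", "name": "db.example.ts.net", "type": "NODE"}}},
    {"time": 1700000000, "event": {"eventGroupID": "grp-1", "origin": "ADMIN_CONSOLE", "actor": ALICE,
        "action": "UPDATE", "target": {"id": "n2", "name": "web.example.ts.net", "type": "NODE"}}},
    {"time": 1700000060, "event": {"origin": "CONFIG_API", "actor": {"id": "k1", "type": "API_KEY"},
        "action": "CREATE", "target": {"id": "n3", "type": "NODE"}, "error": "permission denied"}},
    {"time": 1700000120, "event": {"origin": "ADMIN_CONSOLE", "action": "DELETE"}},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```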

### Tailscale.Network

```yaml
schema: Tailscale.Network
description: Event logs from Tailscale Network Log Stream
referenceURL: https://tailscale.com/docs/features/logging/network-flow-logs
fields:
    - name: time
      required: true
      description: Timestamp of when the event was generated on a Tailscale client
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: event
      required: true
      description: Main event object containing multiple sub-fields
      type: object
      fields:
        - name: nodeId
          description: ID associated with the node in the tailnet
          type: string
        - name: start
          description: Starting timestamp of window for network statistics (inclusive)
          type: timestamp
          timeFormats:
            - rfc3339
        - name: end
          description: Ending timestamp of window for network statistics (inclusive)
          type: timestamp
          timeFormats:
            - rfc3339
        - name: virtualTraffic
          description: Connection statistics for node to node traffic within a tailnet
          type: array
          element:
            type: object
            fields:
                - name: proto
                  description: Internal Protocol number
                  type: bigint
                - name: src
                  description: The source IP address and port
                  type: string
                - name: srcIp
                  description: The source IP address
                  type: string
                  indicators:
                    - ip
                - name: srcPort
                  description: The source port
                  type: bigint
                - name: dst
                  description: The destination IP address and port
                  type: string
                - name: dstIp
                  description: The destination IP address
                  type: string
                  indicators:
                    - ip
                - name: dstPort
                  description: The destination port
                  type: bigint
                - name: txPkts
                  description: Number of packets transmitted within the window
                  type: bigint
                - name: txBytes
                  description: Number of bytes transmitted within the window
                  type: bigint
                - name: rxPkts
                  description: Number of packets received within the window
                  type: bigint
                - name: rxBytes
                  description: Number of bytes received within the window
                  type: bigint
        - name: subnetTraffic
          description: Connection statistics for node to external traffic on a subnet route
          type: array
          element:
            type: object
            fields:
                - name: proto
                  description: Internal Protocol number
                  type: bigint
                - name: src
                  description: The source IP address and port
                  type: string
                - name: srcIp
                  description: The source IP address
                  type: string
                  indicators:
                    - ip
                - name: srcPort
                  description: The source port
                  type: bigint
                - name: dst
                  description: The destination IP address and port
                  type: string
                - name: dstIp
                  description: The destination IP address
                  type: string
                  indicators:
                    - ip
                - name: dstPort
                  description: The destination port
                  type: bigint
                - name: txPkts
                  description: Number of packets transmitted within the window
                  type: bigint
                - name: txBytes
                  description: Number of bytes transmitted within the window
                  type: bigint
                - name: rxPkts
                  description: Number of packets received within the window
                  type: bigint
                - name: rxBytes
                  description: Number of bytes received within the window
                  type: bigint
        - name: exitTraffic
          description: Aggregated connection statistics for traffic through an exit node
          type: array
          element:
            type: object
            fields:
                - name: proto
                  description: Internal Protocol number
                  type: bigint
                - name: src
                  description: The source IP address and port
                  type: string
                - name: srcIp
                  description: The source IP address
                  type: string
                  indicators:
                    - ip
                - name: srcPort
                  description: The source port
                  type: bigint
                - name: dst
                  description: The destination IP address and port
                  type: string
                - name: dstIp
                  description: The destination IP address
                  type: string
                  indicators:
                    - ip
                - name: dstPort
                  description: The destination port
                  type: bigint
                - name: txPkts
                  description: Number of packets transmitted within the window
                  type: bigint
                - name: txBytes
                  description: Number of bytes transmitted within the window
                  type: bigint
                - name: rxPkts
                  description: Number of packets received within the window
                  type: bigint
                - name: rxBytes
                  description: Number of bytes received within the window
                  type: bigint
        - name: physicalTraffic
          description: Connection statistics for traffic at the physical layer
          type: array
          element:
            type: object
            fields:
                - name: proto
                  description: Internal Protocol number
                  type: bigint
                - name: src
                  description: The source IP address and port
                  type: string
                - name: srcIp
                  description: The source IP address
                  type: string
                  indicators:
                    - ip
                - name: srcPort
                  description: The source port
                  type: bigint
                - name: dst
                  description: The destination IP address and port
                  type: string
                - name: dstIp
                  description: The destination IP address
                  type: string
                  indicators:
                    - ip
                - name: dstPort
                  description: The destination port
                  type: bigint
                - name: txPkts
                  description: Number of packets transmitted within the window
                  type: bigint
                - name: txBytes
                  description: Number of bytes transmitted within the window
                  type: bigint
                - name: rxPkts
                  description: Number of packets received within the window
                  type: bigint
                - name: rxBytes
                  description: Number of bytes received within the window
                  type: bigint
        - name: srcNode
          description: Information about the source node itself, which is the node that generated this log message
          type: object
          fields:
            - name: nodeId
              description: Stable ID of the node
              type: string
            - name: addresses
              description: Tailscale IP addresses of the node
              type: array
              element:
                type: string
                indicators:
                  - ip
            - name: os
              description: Operating system of the node
              type: string
            - name: name
              description: Fully-qualified hostname of the node
              type: string
              indicators:
                - hostname
            - name: user
              description: User that owns the node (not populated if the node is tagged)
              type: string
              indicators:
                - username
            - name: tags
              description: Tags of the node (not populated if the node is owned by a user)
              type: array
              element:
                type: string
        - name: dstNodes
          description: List of information about all destination nodes that the source node communicated with
          type: array
          element:
            type: object
            fields:
              - name: nodeId
                description: Stable ID of the node
                type: string
              - name: addresses
                description: Tailscale IP addresses of the node
                type: array
                element:
                  type: string
                  indicators:
                    - ip
              - name: os
                description: Operating system of the node
                type: string
              - name: name
                description: Fully-qualified hostname of the node
                type: string
                indicators:
                  - hostname
              - name: user
                description: User that owns the node (not populated if the node is tagged)
                type: string
                indicators:
                  - username
              - name: tags
                description: Tags of the node (not populated if the node is owned by a user)
                type: array
                element:
                  type: string
    - name: fields
      description: Object containing additional recorded field data
      type: object
      fields:
        - name: recorded
          description: Timestamp of when the event was recorded by Tailscale's logging service
          type: timestamp
          timeFormats:
            - rfc3339
```
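The following is an added example, not Panther's or Tailscale's own code: it sums bytes per traffic class for one record shaped like the `Tailscale.Network` schema and attributes each flow to a destination node by matching the destination IP against `dstNodes[].addresses`. It assumes `dstIp` and `dstPort` may be absent and falls back to parsing `dst`; all addresses, names and counters in the sample are constructed.

```python
from collections import defaultdict

# The four per-class flow arrays defined in the Tailscale.Network schema above.
TRAFFIC_CLASSES = ("virtualTraffic", "subnetTraffic", "exitTraffic", "physicalTraffic")

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = (endpoint or "").rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def node_label(node):
    """`user` is empty on tagged nodes and `tags` is empty on user-owned nodes."""
    if node.get("user"):
        return node["user"]
    if node.get("tags"):
        return ",".join(sorted(node["tags"]))
    return node.get("nodeId", "unknown")

def summarize(record):
    """Sum bytes per (class, source owner, destination, port) for one record."""
    ev = record["event"]
    # Index every Tailscale address of each destination node for attribution.
    by_ip = {ip: n for n in ev.get("dstNodes") or [] for ip in n.get("addresses") or []}
    owner = node_label(ev.get("srcNode") or {})
    totals = defaultdict(lambda: {"txBytes": 0, "rxBytes": 0})
    for cls in TRAFFIC_CLASSES:
        for flow in ev.get(cls) or []:
            ip, port = split_endpoint(flow.get("dst"))
            dst_ip = flow.get("dstIp") or ip  # fall back to parsing `dst`
            dst_port = flow.get("dstPort", port)
            node = by_ip.get(dst_ip)
            dst = (node.get("name") or node.get("nodeId")) if node else dst_ip
            key = (cls, owner, dst, dst_port)
            totals[key]["txBytes"] += flow.get("txBytes") or 0
            totals[key]["rxBytes"] += flow.get("rxBytes") or 0
    return dict(totals)

# Constructed sample record; all addresses, names and counters are made up.
SAMPLE = {"time": 1700000000, "event": {
    "srcNode": {"nodeId": "nSRC", "addresses": ["100.64.0.1"], "user": "alice@example.com"},
    "dstNodes": [{"nodeId": "nDST", "name": "db.example.ts.net", "tags": ["tag:db"],
                  "addresses": ["100.64.0.2", "fd7a:115c:a1e0::2"]}],
    "virtualTraffic": [
        {"proto": 6, "dst": "100.64.0.2:5432", "dstIp": "100.64.0.2", "dstPort": 5432,
         "txBytes": 1000, "rxBytes": 4000},
        {"proto": 6, "dst": "[fd7a:115c:a1e0::2]:5432", "txBytes": 500, "rxBytes": 100}],
    "subnetTraffic": [{"proto": 6, "dst": "192.0.2.10:443", "txBytes": 200, "rxBytes": 300}],
}}

if __name__ == "__main__":
    for key, counters in summarize(SAMPLE).items():
        print(key, counters)
```

Destinations that do not match any entry in `dstNodes`, such as the subnet flow in the sample, stay keyed by IP address.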

